Touch ID and A7 Secure Enclave Detailed in Updated Apple Security Document

[T-Will]

In addition to the Touch ID info, I thought the iMessage and Siri stuff was pretty interesting.

I didn't realize photos and long texts were encrypted and uploaded to iCloud first, then the receiving device downloads the data.

And with Siri, I hadn't realized that contact names and relationships, music library information, and reminder lists are uploaded to the Siri server.

 

[Rogifan]

Well just because the devs can use it doesn't mean it isn't secure. iOS cydia tweaks can't actually access the fingerprint data yet can use the fingerprint scanner.

I guess my point was since it's open to developers people would be more interested in how it's implemented and how the security works.

 

[NMBob]

Rube Goldberg would be proud.

Yup.

Isn't there something incredibly wrong with a civilization that has to go to that much trouble just to buy a tube of toothpaste?

 

[Rogifan]

Still waiting for Al Franken to send this to Samsung. Where is the concern over how secure Samsung's finger print scanner is? Seems to me a bit hypocritical that there was all this hysteria around Touch ID and with the Galaxy S5 it's basically a collective yawn.

 

[sjinsjca]

My 5S's sensor appears to be deteriorating in recent weeks. I've gone from at least a 90% success rate to a 10% success rate. I have redone my prints multiple times. It seems like I get better results if I clean the home button every time, but you shouldn't have to do that, and it makes me suspect a hardware failure.

Turn off fingerprint recognition-- delete all stored fingerprints. Then re-enable and train it again. Fixed mine, and it's stayed fixed.

 

[scottsjack]

Good timing with the new Samsung S5 Touch-wipe-button. Hey how come no one cares about security when Samsung does it yet when Apple does it we all FLIP?

Take that over to Appleinsider please, that's more their speed.

 

[WestonHarvey1]

Turn off fingerprint recognition-- delete all stored fingerprints. Then re-enable and train it again. Fixed mine, and it's stayed fixed.

That seems to have helped... so far.

Edit: Nope. It isn't able to detect my print again.

 

[MichaelJohnston]

Touch ID Demo

I'd be interested in knowing what happens with the Touch ID demos in the stores. If the A7 has no access to the sensor, is the Secure Enclave reading and verifying the data? Is it stored in there and then erased?

 

[FakeWozniak]

My 5S's sensor appears to be deteriorating in recent weeks. I've gone from at least a 90% success rate to a 10% success rate. I have redone my prints multiple times. It seems like I get better results if I clean the home button every time, but you shouldn't have to do that, and it makes me suspect a hardware failure.

I think the cat is messing with you when you are sleeping. Check for a catnip purchase on Amazon!

 

[joe-h2o]

I always take for granted how companies can be so sure of themselves ad they just post up a complete document on how it all works, going by their own secure stuff they are obviously sure enough to bet on its safe, otherwise they wouldn't post it to begin with ...

Truth this, while these documents are all ok, Samsung and others don't need every bit of info here, as they seem to get into ;'hot water' on their own.

Besides, didn't Apple do a patent on this ? Apart from being just a reference, the fact that everyone now knows exactly how it works, what is stopping people having a lawsuit ?

tickle,, the NSA raises their glasses to triumph.

You seem to misunderstand what this document is for. The system is not secure because people don't know how it works - that would be security through obscurity, which is not secure at all. It's secure by design. Telling people the specifics of that design does not make it any less secure, nor does it make it easier to copy (we'd pretty much guessed exactly how it worked before, but now we have it officially in spec from Apple).

 

[scoobydoo99]

Sure appears to be far more secure than the 4-digit pin for access.

The real concern isn't access to my phone, it's access to my key.

If someone steals my 4-digit pin, that's all they have. If they steal my fingerprint, well, that's much more problematic.

 

[69Mustang]

One thing I've learned from the comments in this thread. Samsung's marketing is damn good. They have seriously entered the consciousness of the MR commentariat. Money well spent?

 

[unplugme71]

The real concern isn't access to my phone, it's access to my key.

If someone steals my 4-digit pin, that's all they have. If they steal my fingerprint, well, that's much more problematic.

True

The big issue is if the finger doesn't scan most people have a 4 digit code. My friend guessed mine after 17 tries.

The finger print should require a more complex code otherwise it becomes useless. There should be an option to also require fingerprint and code if you wish if your phone has very secure data on it.

 

[MatthewAMEL]

My issued with TouchID isn't security, it's that it sucks.

I have to re-learn my fingerprint every 90 days. TouchID gets worse and worse and worse as time rolls on.

 

[Taz Mangus]

I'd be interested in knowing what happens with the Touch ID demos in the stores. If the A7 has no access to the sensor, is the Secure Enclave reading and verifying the data? Is it stored in there and then erased?

If I remember correctly, the Apple stores wipe and restore the computers every night after they close. Maybe this is also done with the iPhones every night when the Apple store closes.

 

[NT1440]

The real concern isn't access to my phone, it's access to my key.

If someone steals my 4-digit pin, that's all they have. If they steal my fingerprint, well, that's much more problematic.

Well it's a good thing that your fingerprint isn't stored anywhere. Just a mathematical interpretation of it, what do you think this actually takes a picture of your finger?

 

[Mechanic]

It most likely means that the fingerprint data is encrypted by the iPhone as opposed to sending the RAW data out to be encrypted.

The post you answered was talking about the Galaxy s5 not the iPhone.

 

[V.K.]

It most likely means that the fingerprint data is encrypted by the iPhone as opposed to sending the RAW data out to be encrypted.

that's exactly what it means. and there is nothing bad or less secure about this, quite the opposite. this is how it should be.

My 5S's sensor appears to be deteriorating in recent weeks. I've gone from at least a 90% success rate to a 10% success rate. I have redone my prints multiple times. It seems like I get better results if I clean the home button every time, but you shouldn't have to do that, and it makes me suspect a hardware failure.

lots of people posted about this issue here and on the apple support forums. happens to me too. this seems to be a software rather than a hardware problem. According to Apple, touch id is using some kind of software algorithm which is supposed to improve the fingerprint recognition the more you use it. the reality seems to be the opposite. I hope they improve it in the next iphone. won't help us though. I wish there was a way to just turn this learning algorithm off.

 

[Mechanic]

I'd be interested in knowing what happens with the Touch ID demos in the stores. If the A7 has no access to the sensor, is the Secure Enclave reading and verifying the data? Is it stored in there and then erased?

Yes the secure enclave completely handles the touch id sensor. In fact if your touch id sensor goes bad the A7 has to be replaced too (in other words the sensor is matched to the A7 in the iPhone). It was confirmed when the 5S came out that you can't switch sensors with different iPhones.
The secure enclave is a part of ARMv8. It allows the creation of a separate secure operating system and processor for things like touch id that operate independent of the main operating system and can't be hacked through iOS.

 

[Tech198]

Telling people the specifics of that design does not make it any less secure, nor does it make it easier to copy.

How so ?

So your saying something that is out in the open is no less secure than something that's kept ?

Isn't telling people what security that's used and exactly how it works, gives them an advantage to try and attack what they would otherwise have to find out for themselves (hence more secure) because they don't know ? Regardless of the method used for security.

Its like picking a lock vs telling someone how to (it may not be easy based on what security, but at least telling peple, you have something to go on, vs nothing at all)

 

[dwsolberg]

My issued with TouchID isn't security, it's that it sucks.

I have to re-learn my fingerprint every 90 days. TouchID gets worse and worse and worse as time rolls on.

I've noticed this too.

 

[Tech198]

I've noticed this too.

You guys noticed this :-

http://www.imore.com/touch-id-not-working-you-heres-fix

 

[BiscottiGelato]

How so ?

So your saying something that is out in the open is no less secure than something that's kept ?

Isn't telling people what security that's used and exactly how it works, gives them an advantage to try and attack what they would otherwise have to find out for themselves (hence more secure) because they don't know ? Regardless of the method used for security.

Its like picking a lock vs telling someone how to (it may not be easy based on what security, but at least telling people, you have something to go on, vs nothing at all)

That would be security through obscurity.

A good security system should be secure even if people know exactly how it works.

That's why a regular key lock sucks, because if you know how to pick it, it's useless.

In contrast, most encryption and authentication algorithms can be found right on Wikipedia. Yet they have not been broken even with thousands of the brightest PhD and computers pouring over it.

http://en.wikipedia.org/wiki/Security_through_obscurity

 

[sixrom]

The amount of Samsung envy in these posts suggests buyers are only content with their iPhone's after they justify the purchase by making slanderous comments about the competition.

Why they fail to stay on topic and conduct an intelligent conversation about Touch ID and A7 Secure Enclave is very revealing. Furthermore there will always be competition, therefore these same Samsung bashers will never be happy. Why one attaches their happiness to a smartphone is rather sad.

I find Apples approach a good one and have no desire to deflect attention to Samsung.

 

[869639]

My issued with TouchID isn't security, it's that it sucks.

I have to re-learn my fingerprint every 90 days. TouchID gets worse and worse and worse as time rolls on.

strange, Mine has been set since OCT2013 and never had to do it again, got 2 for right thumb [most used], 1 left thumb, 1 right index finger and it works 99% of the time unless my hands are too moist, wet or dirty.