Touch ID iOS 8 implementation flaw

Discussion in 'iOS 8' started by jon2690, Sep 24, 2014.

  1. jon2690 macrumors newbie

    Sep 11, 2013
    I have been playing with the new Touch ID features in iOS 8 and I am, shall we say, flustered with one of the features: the "Enter Passcode" option to bypass Touch ID.

    I am very conscious about the security of my information, but I am also willing to share my devices, whether it be for games, watching a movie, or playing music. To date, in every app possible, I have added a custom passcode: Dropbox, GoodReader, Mint, Evernote, LastPass, etc. I could share my phone/iPad with anybody and not worry that they could access my finances, work documents, or any site accessible with LastPass (i.e. every website I have a login for).

    With having the "Enter Passcode" function available when prompted for a fingerprint, any person I give my passcode to will have access to everything. I don't want that. I know someone will say "just don't give out your passcode", and I guess that is an option I might consider for my phone, which I consider to be more personal. But what about the iPad? It will most likely have Touch ID next month; are you not going to give your passcode to anyone? What if someone wants to watch a movie and they pause it for too long? Or you give your iPad to your child? The passcode is the same as the one needed to unlock the device.

    Solution? I don't know. Maybe allow apps to ask for a fingerprint or an app-specific password. I think that would work in theory, but it might not fit within the workflow of the secure element and the API.
  2. trouble747 macrumors 6502

    Jul 30, 2011
    ...why don't you just use a different passcode?


    Or maybe I'm not understanding what you're talking about. Does iOS have a feature that allows any app to be locked with the same standard passcode used to unlock the phone?

    How does the fingerprint function change the situation? You either had to keep everything unlocked before or use a passcode, right?
  3. gtstricky macrumors regular


    Apr 19, 2012
    Yea I am not sure what changed for you either.

    Before you had a passcode. Now you have a passcode or touchID.
  4. jon2690 thread starter macrumors newbie

    Sep 11, 2013
    Quite a few apps offer the ability to prevent any person with access to your home screen from accessing an app. In Dropbox you could add a 4-digit PIN to prevent people from snooping around. Same in many other apps. Now, many of those same apps offer Touch ID 'lockout'. So to answer your question: now, iOS, with the new Touch ID API, does allow any app to be locked with the same passcode as the phone. And this happens because Touch ID offers the user the option to enter the passcode instead of the fingerprint.

    So, figure out the person's passcode, and not only do you have access to the phone, but also to all the apps 'protected' by Touch ID. This could be really painful with LastPass.
  5. antiprotest macrumors 65816


    Apr 19, 2010
    I don't think it could be called a flaw. You can always want something so specific that the device or software was not designed to satisfy it. What if I want a different passcode for every note in the device? For every folder? For every notification? For every person's finger at a different hour of the day?

    Maybe call it a limitation. A flaw implies error. There is no error here.
  6. jon2690 thread starter macrumors newbie

    Sep 11, 2013
    I see what you are getting at. I had a different passcode for my phone and for my apps (Dropbox, GoodReader, Mint, etc). While I know that isn't perfect, and a tech person (I wouldn't even dare say hacker) could get access to some of that protected information, I did prevent snooping. Would you give anyone with access to your iPad also access to Mint with just the quick tap?
  7. legioxi macrumors 6502a

    Mar 2, 2013
    You still can have a different passcode with each app. The apps that use Touch ID still have independent passcodes/passwords. Nothing has changed in that regard.
  8. BrettDS macrumors 65816

    Nov 14, 2012
    I don't believe this is the case. The only app that I've played with that supports access by Touch ID is Mint, and in that case you need to set a passcode within the Mint application before it will allow you to access the app by Touch ID, and if Touch ID fails and you need to enter a passcode to start Mint, then you need to use the Mint-specific passcode that you entered and not the device passcode.
  9. jon2690, Sep 24, 2014
    Last edited: Sep 24, 2014

    jon2690 thread starter macrumors newbie

    Sep 11, 2013
    Mint does it the way I was hoping it would work.

    I stand corrected, I was wrong. I do agree with the way Apple did it and the problem might lie with the way developers implemented it. I hadn't played with enough apps outside of LastPass and their plugin in Safari. While LastPass doesn't allow Touch ID to give access to the app, they allow Touch ID when you log into a site in Safari. And for me, the prompted passcode (after declining to use Touch ID) is the same as the one to access the phone. After making a fool of myself in my previous posts, I'm going to have to play around with the preferences some more before jumping to conclusions....
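
The two posts above describe an app lock where the Touch ID fallback leads to the app's own passcode rather than the device passcode. The Swift sketch below is an added example, not part of the thread and not code from Mint, LastPass or any other app mentioned; `AppLockGate`, `UnlockResult` and the `hasAppPasscode` hook are hypothetical names, and the app is assumed to store and verify its own passcode elsewhere.

```swift
import Foundation
import LocalAuthentication

/// What the app should do once the Touch ID prompt closes.
enum UnlockResult { case unlocked, askAppPasscode, setupRequired, denied }

/// Hypothetical app-lock gate (illustrative names, not from any app in the thread).
final class AppLockGate {
    /// Assumed hook: true once the user has set an app-specific passcode.
    private let hasAppPasscode: () -> Bool

    init(hasAppPasscode: @escaping () -> Bool) {
        self.hasAppPasscode = hasAppPasscode
    }

    func unlock(reason: String, completion: @escaping (UnlockResult) -> Void) {
        // As described for Mint: no Touch ID until an app passcode exists,
        // so there is always an app-owned secret to fall back to.
        guard hasAppPasscode() else { completion(.setupRequired); return }

        let context = LAContext()
        context.localizedFallbackTitle = "Enter App Passcode"

        // Biometrics-only policy: the system does not accept the device
        // passcode here. A policy that does accept it (.deviceOwnerAuthentication)
        // gives anyone who knows the device passcode access to the app as well.
        let policy = LAPolicy.deviceOwnerAuthenticationWithBiometrics
        var availabilityError: NSError?
        guard context.canEvaluatePolicy(policy, error: &availabilityError) else {
            completion(.askAppPasscode)   // no sensor or no enrolled finger
            return
        }

        let fallbackCodes: [LAError.Code] = [.userFallback, .biometryLockout]
        context.evaluatePolicy(policy, localizedReason: reason) { success, error in
            let result: UnlockResult
            if success {
                result = .unlocked
            } else if let laError = error as? LAError,
                      fallbackCodes.contains(laError.code) {
                // Fallback button tapped or too many failed attempts:
                // hand over to the app's own passcode screen.
                result = .askAppPasscode
            } else {
                result = .denied          // cancelled or failed: stay locked
            }
            DispatchQueue.main.async { completion(result) }
        }
    }
}
```

The caller shows its own passcode screen on `.askAppPasscode`, so knowing the device passcode alone never opens the app.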
  10. Luke Redpath macrumors 6502a

    Nov 9, 2007
    Colchester, UK
    The only flaw here is the idea of giving somebody your passphrase. Don't give your device passphrase to somebody you do not trust. It's that simple. If you want them to use your device, unlock it for them.

    Putting an extra passcode on apps that contain sensitive data and support this functionality is also a good idea.

    If you want your child to use your device, I would recommend putting the device in guided access mode.
  11. gtstricky macrumors regular


    Apr 19, 2012
    no worries... we are all friends here (except for a few)
