Touch ID iOS 8 implementation flaw

jon2690

macrumors newbie
Original poster
Sep 11, 2013
18
0
I have been playing with the new TouchID features in iOS 8 and I am, shall we say, flustered with one of the features: the "Enter Passcode" to bypass Touch ID.

I am very conscious about the security of my information, but I am also willing to share my devices, whether it be for games, watching a movie, or playing music. To date, in every app possible, I have added a custom passcode. Dropbox, Goodreader, Mint, Evernote, LastPass, etc. I could share my phone/iPad with anybody and not worry that they could access my finances, work documents, any site accessible with LastPass (i.e., every website I have a login for).

With having the "Enter Passcode" function available when prompted for a fingerprint, any person I give my passcode will have access to everything. I don't want that. I know someone will say "just don't give out your passcode", and I guess that is an option I might consider for my phone that I consider to be more personal. But what about the iPad? It will most likely have touchID next month, are you not going to give your passcode to anyone? What if someone wants to watch a movie and they pause it for too long? Or you give your iPad to your child? The passcode is the same as the one needed to unlock the device.

Solution? I don't know. Maybe allow apps to ask for a fingerprint or an app specific password. I think that would work in theory, but it might not fit within the workflow of the secure element and the API.
 

trouble747

macrumors 6502
Jul 30, 2011
322
11
...why don't you just use a different passcode?

*edit*

Or maybe I'm not understanding what you're talking about. Does iOS have a feature that allows any app to be locked with the same standard passcode used to unlock the phone?

How does the fingerprint function change the situation? You either had to keep everything unlocked before or use a passcode, right?
 

gtstricky

macrumors regular
Apr 19, 2012
121
5
Yea I am not sure what changed for you either.

Before you had a passcode. Now you have a passcode or touchID.
 

jon2690

macrumors newbie
Original poster
Sep 11, 2013
18
0
...

Or maybe I'm not understanding what you're talking about. Does iOS have a feature that allows any app to be locked with the same standard passcode used to unlock the phone?
Quite a few apps offer the ability to prevent any person with access to your home screen from accessing an app. In Dropbox you could add a 4 digit pin to prevent people from snooping around. Same in many other apps. Now, many of those same apps offer touchID 'lockout'. So to answer your question, now, iOS with the new touchID API, does allow any app to be locked with the same passcode as the phone. And this happens because Touch ID offers the user the option to enter the passcode instead of the fingerprint.

So, figure out the person's passcode, not only do you have access to the phone, but also to all the apps 'protected' by touchID. This could be really painful with LastPass.
 

antiprotest

macrumors 65816
Apr 19, 2010
1,446
248
Touch ID iOS 8 implementation flaw

I don't think it could be called a flaw. You can always want something so specific that the device or software was not designed to satisfy. What if I want a different passcode for every note in the device? For every folder? For every notification? For every person's finger at a different hour of the day?

Maybe call it a limitation. A flaw implies error. There is no error here.
 

jon2690

macrumors newbie
Original poster
Sep 11, 2013
18
0
Yea I am not sure what changed for you either.

Before you had a passcode. Now you have a passcode or touchID.
I see what you are getting at. I had a different passcode for my phone and for my app (Dropbox, Goodreader, Mint, etc). While I know that isn't perfect, and a tech person (I wouldn't even dare say hacker), could get access to some of that protected information, I did prevent snooping. Would you give anyone with access to your iPad also access to Mint with just the quick tap?
 

legioxi

macrumors 6502a
Mar 2, 2013
639
75
I see what you are getting at. I had a different passcode for my phone and for my app (Dropbox, Goodreader, Mint, etc). While I know that isn't perfect, and a tech person (I wouldn't even dare say hacker), could get access to some of that protected information, I did prevent snooping. Would you give anyone with access to your iPad also access to Mint with just the quick tap?
You still can have a different passcode with each app. The apps that use TouchID still have independent passcodes/passwords. Nothing has changed in that regard.
 

BrettDS

macrumors 65816
Nov 14, 2012
1,089
224
Orlando
So to answer your question, now, iOS with the new touchID API, does allow any app to be locked with the same passcode as the phone.
I don't believe this is the case. The only app that I've played with that supports access by touchID is Mint, and in that case you need to set a passcode within the Mint application before it will allow you to access the app by TouchID, and if touchID fails and you need to enter a passcode to start Mint, then you need to use the Mint specific passcode that you entered and not the device passcode.
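
The app-specific fallback described in the post above, sketched with Apple's LocalAuthentication framework as an added example; it is not code from Mint, Apple, or anyone in this thread. `AppUnlockResult` and `unlockApp` are hypothetical names, and the app's own PIN screen is assumed to exist elsewhere.

```swift
import Foundation
import LocalAuthentication

// Hypothetical result type for this example.
enum AppUnlockResult {
    case unlocked            // fingerprint matched
    case needsAppPasscode    // show the app's own PIN screen
    case cancelled           // user or system dismissed the prompt
}

// Hypothetical helper: uses the biometrics-only policy, so the device
// passcode is never accepted in place of the fingerprint.
func unlockApp(reason: String, completion: @escaping (AppUnlockResult) -> Void) {
    let context = LAContext()
    // Label of the fallback button; tapping it hands control back to the app.
    context.localizedFallbackTitle = "Enter App Passcode"

    var availabilityError: NSError?
    guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                                    error: &availabilityError) else {
        // No sensor, no enrolled fingers, or biometrics unavailable.
        completion(.needsAppPasscode)
        return
    }

    context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                           localizedReason: reason) { success, error in
        let result: AppUnlockResult
        if success {
            result = .unlocked
        } else if let laError = error as? LAError {
            switch laError.code {
            case .userCancel, .systemCancel:
                result = .cancelled
            default:
                // .userFallback, .authenticationFailed and similar:
                // fall back to the secret only this app knows.
                result = .needsAppPasscode
            }
        } else {
            result = .needsAppPasscode
        }
        // The reply block runs on a private queue; hop to main for UI work.
        DispatchQueue.main.async { completion(result) }
    }
}
```

The framework's other policy, `.deviceOwnerAuthentication`, instead lets the system accept the device passcode when the fingerprint is declined, which ties the app's protection to whoever knows the unlock code.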
 

jon2690

macrumors newbie
Original poster
Sep 11, 2013
18
0
I don't believe this is the case. The only app that I've played with that supports access by touchID is Mint, and in that case you need to set a passcode within the Mint application before it will allow you to access the app by TouchID, and if touchID fails and you need to enter a passcode to start Mint, then you need to use the Mint specific passcode that you entered and not the device passcode.
Mint does it the way I was hoping it would work.

I stand corrected, I was wrong. I do agree with the way Apple did it and the problem might lie with the way developers implemented it. I hadn't played with enough apps outside of LastPass and their plugin in Safari. While LastPass doesn't allow Touch ID to give access to the app, they allow Touch ID when logging into a site in Safari. And for me, the prompted passcode (after declining using Touch ID) is the same as the one to access the phone. After making a fool of myself in my previous posts, I'm going to have to play around with the preferences some more before jumping to conclusions....
 

Luke Redpath

macrumors 6502a
Nov 9, 2007
731
6
Colchester, UK
The only flaw here is the idea of giving somebody your passphrase. Don't give your device passphrase to somebody you do not trust. It's that simple. If you want them to use your device, unlock it for them.

Putting an extra passcode on apps that contain sensitive data and support this functionality is also a good idea.

If you want your child to use your device, I would recommend putting the device in guided access mode.
 