TouchID on iOS 9.0.2 #406
Comments
Hi, I can confirm this issue. Touch ID can be bypassed by pressing the home button. I tried it with a finger which is not registered for Touch ID on my phone. @jarush : Can you please check as soon as possible. Maybe you can identify and fix the problem? Thanks and Regards Finke |
I think this is a hardware-related bug/problem. I can reproduce it sometimes, but only if the TouchID sensor is greasy and there's some residues of an "registered" fingerprint on it. Reproduce procedure:
If the TouchID sensor is cleaned before you try to unlock the app, you would not be able to get it done just by pressing the button with an unregistered finger I think iOS also notice that there is a malfunction present, as it sometimes calls for the iOS unlock-code to continue iOS 9.0.2 / iPhone 6 / MiniKeePass 1.6.2 |
Hi, I reproduced the bug just right now.
Robin
|
okay, seems that i'm wrong. sorry, but i'm not able to reproduce it your way. In my tests, it all ends with the fact that you have to enter the PIN. |
Hmm, even stranger, makes it harder to resolve I guess. Thanks for trying.
|
I was able to reproduce the bug with the version on the app store, but when I re-built using the latest XCode it seems to have magically fixed the issue (I'm not a fan of these kinds of "fixes"). Instead of bypassing, it just cancels TouchID and requires you enter the PIN. We'll have to do some more testing before making a release. |
There seems to be some issues with TouchID and iOS9. Sometimes it's necessary to enter the iPhone Code to unlock the iPhone from lockscreen. But in my opinion minikeepass should be able to handle such kind of problems and switch to the pin pad. In addition I regocnized that my iPhone will ask the iPhone code in lockscreen after bypassing the minikeepass touch id several times. If I bypass the minikeepass touch id and send the app into the background, several times it's not possible to reopen the app (only white screen) without hard closing the app. Regards Finke |
…prompting for the PIN code If an unauthorized user fully pressed the home button while the Touch ID prompt was displayed, the lock screen would be hidden before the PIN code view controller was shown. The net effect is that the unauthorized user would be able to able to access the database without being prompted for the app's PIN code.
From what I can tell this isn't an iOS bug. I was able to replicate the issue consistently, with the logs showing the following:
It looks like the app Touch ID sub-system starts checking the user's fingerprint, but since they've fully pressed the home button, the |
…prompting for the PIN code If an unauthorized user fully pressed the home button while the Touch ID prompt was displayed, the lock screen would be hidden before the PIN code view controller was shown. The net effect is that the unauthorized user would be able to able to access the database without being prompted for the app's PIN code.
Is this project still active? What needs to be done in order to get a new release? If it's an issue of time, which I completely understand, I can assist in the release activities (store listing prep, IPA submittal to Apple for review, etc). If this were simply an open-source app that developers/users would have to build and install on their own, then I can understand that the priority for fixing even the "biggest" of bugs might not be so high. However, since this is a public app that's released via the App Store where anyone can install it, my opinion is that there's a duty here to fix security issues like this ASAP. Please let me know if there's anything I can do to help. |
Fixed issue #406 where Touch ID could be bypassed without prompting f…
Sorry for not responding, been really busy for the past few months. Oddly enough I couldn't replicate the issue on my device with a dev build that didn't have any changes to the LockScreenManager. I tested your pull request @joshsnelling, it looks good to me and everything looks good. We'll try and get a release submitted within the next day. |
Thanks @jarush. I understand things can get busy, so I and the rest of the app's users appreciate your time spent looking into this. Let me know if I can help in any way. |
Fixed in 1.6.3, and available in the App Store |
Thank you, Jason! Great work!
|
Hi,
The TouchID bypass-bug is back again.
I have iOS 9.0.2 (although I think th bug appeared in 9.0.1 as well) and Minikeepass 1.6.2.
Pin code is active (4-digit), TouchID is activated. Lock timeout setting does NOT matter whether it is set to Immediately or e.g. 30sec.
When I open Minikeepass, the TouchID prompt is presented, with a cancel button below. When I press Home button at that time, it bypasses the TouchID verification and lets me access the password databases (so no TouchID and no PIN required).
Pressing cancel in the TouchID prompt brings up the PIN pad, so no circumvention.
Changing the timeout setting to immediately does not change this behaviour. The only way to prevent unauthorised access (when phone is already unlocked, of course), is to switch off TouchID.
Thank you, regards,
Robin
The text was updated successfully, but these errors were encountered: