Encryption algorithms compatibility between Android Key Store and Apple Enclave - ios

I have the scenario as explained below.
Background
--------------
I have 3 types of devices/users in my ecosystem. One type of device is Android, other is Apple iOS and third kind of device[user] is the cloud application.
Scenario
-------------
So my use case here is that either of the Android or iOS could be the producer of some 'data key'. And I am using Android Key Store on Android to do encryption/decryption while I am using the Secure Enclave on iOS for encryption/Decryption. The public key will be fetched from some common data store.
Scenario 1: iOS device fetches the public key of android device[user] from central data store and encrypts the data key using this public key using its Enclave algorithm and puts the encrypted data key on central data store.
Now Android will fetch this encrypted data key and will try to decrypt this using its private key on AndroidKeyStore.
Now here the challenge is how can I choose the same algorithm specification salt/padding/MGF1 etc. in order to successfully decrypt the data key? I want to have this kind of compatability?
I can handle the cloud application[user] by changing the java options as this application has been written in java.
Scenario 2: The second scenario is just similar to the scenario 1 above but in this scenario Android is encrypting and iOS is decrypting.
My Approach On this So Far :
I am thinking of using some independent security provider for example Bouncy Castle for all the encryption and decryption activity on either device or cloud application instead of using the on-device encryption/decryption.
But this is not so secure and will have the plain private key stored in memory of the application and hence increasing the risk.
I am sure this is not the first time this problem is being solved and there must be some approaches/algorithms available to make this happen.
Could some one please guide me on this.

Related

Login to iOS application using fingerprint when one device is shared by multiple users

We have a requirement where we need to login in to our application using fingerprints. We do understand that apple touch id can be used for authentication purpose and only returns success or failure in the response.
However, in our case one iPhone device will be shared by 5 to 8 users and we need to map an unique userId with each saved fingerprint to identify the user.
Is there any way to map a userid with the saved fingerprint (any unique number returned from an api like Fingerprint1, Fingerprint2 will do)?
Or Is there any alternative solution to login to our iOS application using biometric data?
We dont't want to add an extra fingerprint scanner device.
No, You can't achieve this in iOS. According to Apple about biometric
Touch ID doesn't store any images of your fingerprint. It stores only
a mathematical representation of your fingerprint. It isn't possible
for someone to reverse engineer your actual fingerprint image from
this mathematical representation. The chip in your device also
includes an advanced security architecture called the Secure Enclave
which was developed to protect passcode and fingerprint data.
Fingerprint data is encrypted and protected with a key available only
to the Secure Enclave. Fingerprint data is used only by the Secure
Enclave to verify that your fingerprint matches the enrolled
fingerprint data. The Secure Enclave is walled off from the rest of
the chip and the rest of iOS. Therefore, iOS and other apps never
access your fingerprint data, it's never stored on Apple servers, and
it's never backed up to iCloud or anywhere else. Only Touch ID uses
it, and it can't be used to match against other fingerprint databases.
Now come to main point.
Now days iPhone X series is more popular than other, and they don't support Touch ID, also you can store only one Face ID per device. not like the Touch ID (with multiple finger).
Or after certain wrong try of finger print the device will locked and you have provided Passcode, This is also one per device.
No, there's no way for you to know how many and which finger was used for biometrics, the secure enclave only lets you know if the biometric check has passed or not.

iOS Banking AES-128 End to End Encryption Implementation

I'm creating a banking application for iOS that is transferring sensitive encrypted data from an azure mobile backend to an iOS device. What is the best way to go about decrypting this data on an iOS device securely? What protocols should be used? What third party libraries / services? Are there standards for financial applications that I should be aware of?
I've heard things thrown around such as EKS encryption with SQL, SSL, RSA / Diffie Hellman encryption, AES-128 being a standard practice etc etc. Is there anything practical to implement without delving into low level C code?
SSL works for data in transit, Pin the certificate.
AES128 is fine for data at rest but the key must be good and secured.
On iOS put the key Keychain, there is no more secure method.
If you need to store a key on a server that is more of a problem keeping it secure.
Finally at a minimum use two factor authentication on the server.
My solution ended up being to use AESCrypt (github: https://github.com/Gurpartap/AESCrypt-ObjC)
This proved to be as simple as dragging the class files into XCode and calling
[AESCrypt encrypt:secret password:password];
[AESCrypt decrypt:secret password:password];
Thanks for the help! I will probably end up implementing some sort of CocoaPods supported platform later on, but this will work for now.

IOS 8 and Touch ID

Any possibility of using the finger print scanner on an ipad to simply get an image of the fingerprint without actually doing any authentication?
The OS seems to do it when you enter your finger print into the device but the only documentation I can find is for Local Authentication.
No, you can't, not even with a private API.
From: http://support.apple.com/en-us/HT5949
Touch ID doesn't store any images of your fingerprint. It stores only
a mathematical representation of your fingerprint. It isn't possible
for someone to reverse engineer your actual fingerprint image from
this mathematical representation. The chip in your device also
includes an advanced security architecture called the Secure Enclave
which was developed to protect passcode and fingerprint data.
Fingerprint data is encrypted and protected with a key available only
to the Secure Enclave. Fingerprint data is used only by the Secure
Enclave to verify that your fingerprint matches the enrolled
fingerprint data. The Secure Enclave is walled off from the rest of
the chip and the rest of iOS. Therefore, iOS and other apps never
access your fingerprint data, it's never stored on Apple servers, and
it's never backed up to iCloud or anywhere else. Only Touch ID uses
it, and it can't be used to match against other fingerprint databases.

Application-specific file encryption in iOS

I need to develop some simple demonstration of an application reading a file over HTTPS and saving it to the local memory (internal or external) of an iOS device (e.g., an iPhone), in a way that it is only accessible to it. So, application-specific file encryption is required.
The "Advanced App Tricks" page of the Apple iOS Developer Library, in the "Protecting Data Using On-Disk Encryption" section, seems to imply that a file encrypted on disk, via either Default (i.e., iOS filesystem) or "Complete" Data Protection, would be accessible by all applications, after the user types the device's lock code.
If that is the case, could someone please suggest the best way of implementing file encryption per-application on an iOS device, with a password request when a user tries to open the file? Any sample code would also be very helpful.
Also, does "software encryption" apply to iOS anymore? Both Default and Data Protection encryption seem to be hardware-based.
Thanks!
Application files are not accessible between Apps. Each App is individually sandboxed.
In all cases the document is talking about the access available to "Your App"/ It is never accessible to another App. But see below. Sone of the protection options help cover what and when "Your App" has access to the file when in the background.
JailBroken iOS devices will have greater file system access so adding "Data Protection" will protect from this vector.
See the document session on The iOS Environment and particularly the section "The App Sandbox" iOS Environment
Hardware encryption: There are a few things that hardware encryption provide. 1. Speed. 2. The encryption method can not be changed, that is as with software encryption there is no code that could be compromised. 3. The key can not be accessed. The key is in some manner placed/created in the hardware and the hardware will does not allow read access (there are occasionally very secure export capabilities). The device is asked to perform crypto functions on data and returns data. Examples of this are smart cards, HSMs, TPMs and TPM Equivalents, the iPhone has a TPM Equivalent and that is used for the Keychain. By chance my wife and I were discussing this very topic yesterday. :-)
As far as I know, for encryption of bulk data, iOS does use special hardware instructions to aid AES encryption for speed but that would not be considered hardware encryption due to the key being available in software. There is a little guessing here due to the lack of information about the Apple A-series ARM chips, it is true of the Intel chips in Macs.

Does Adobe AIR Encrypted SQLite Database access or use the encryption in Apple iOS?

We are submitting an update of our Adobe AIR created app to the Apple App Store. We wish to change our encryption status.
The app was created using AIR 3.7 and uses several Encrypted SQLite Databases and an SSL connection to our server. As a precaution we got the US BIS export notice when we first submitted the app, but during the submit process we received this notice from Apple:
French authorities have agreed to limit the regulatory approval requirements for Appleā€™s App Store apps that use, access, implement, or incorporate:
any encryption algorithm that is yet to be standardized by international standard bodies such as IEEE, IETF, ISO, ITU, ETSI, 3GPP, TIA, etc. or not otherwise published; or
standard (e.g., AES, DES, 3DES, RSA) encryption algorithm(s) instead of or in addition to accessing or using the encryption in Apple OS
Consistent with the requirement, Apple will require you to upload a copy of your approved French declaration when you submit your app to the App Store if it meets the criteria described above.
So we decided to not publish to the French app store for our first release.
We now would like to publish to France, but I am not sure if we can state that our encryption is not in addition to accessing or using the encryption in Apple OS . I have found documentation that Encrypted Local Store uses KeyChain, but not that Encrypted SQLite Database does, only that it uses AES encryption.
We do not want to apply for the French import decleration unless really necessary, as it seems like a terribly complex process, in French.
Does anyone know if Encrypted SQLite Database uses that encryption already there in iOS?
Quoting from Adobe's documentation, Considerations for using encryption with a database:
AIR database encryption uses the Advanced Encryption Standard (AES) with Counter with CBC-MAC (CCM) mode.
I can find no indication that it uses a platform-specific method on iOS.

Resources