iOS fingerprint device PIN Prompt while kSecAccessControlBiometryCurrentSet flag is set

I'm working on fingerprint authentication using the keychain methods from iOS and can't manage to stop the PIN prompt from being displayed after an error.
I'm using the flag kSecAccessControlBiometryCurrentSet, which should only allow biometric authentication.
So for the first prompt it works well and I don't get the possibility to enter the passphrase, but as soon as an authentication fails, the prompt changes and allows the user to enter his code. I would like to block this and only allow fingerprint authentication through that prompt.
Here's the code I'm using: https://github.com/xavistas/cordova-plugin-touch-id/blob/noPinCode/src/ios/TouchID.m
If you have any idea, feel free to share :) !

I finally found the solution, but it isn't really trivial.
You have to know that the keychain is never cleared for your application, even if you uninstall it.
So basically, if you tried once with a flag, let's say kSecAccessControlUserPresence, this flag will stay stored until you manually specify that you want to clear the keychain entry.
And basically, even if you "create the keychain token" each time the user connects to the app, it will not replace the keychain entry.
I hope it will help some of you!

Related

How to fire device PIN dialog?

I'm working on an app that is designed to be protected from unauthorized access (like, for instance, bank apps do). There are two protection options: by using biometrics (the default one) and by user password. I wonder what the best practices are for handling the situation when a user forgets their password.
I'm thinking of prompting the user to enter the device PIN in order to remind them of the password, but I can't figure out how to do that.
I guess it really depends on exactly how sensitive the information is and how you're currently storing/validating the password. But assuming your threat model is okay with a user being able to get access back just with the current device password, you could use the keychain API (not the friendliest of APIs) and store some kind of flag. When adding such an item you would use SecAccessControlCreateFlags.devicePasscode, which will always prompt the user for their iPhone passcode before accessing such an entry. So say the user needs to reset it: if you're able to access the keychain entry, you know they entered the right device passcode and thus you should allow them to reset their app password. The main caveat would be that the user disabling their passcode or not having one would invalidate your flag, so they would be locked out forever if they ever forget their app password. Of course there's a lot of additional nuance to the Keychain, like whether the items get synced to other devices or not, when it's available, etc., but hopefully this is somewhat useful.
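Both the accepted answer above (a keychain entry that silently keeps the access-control flag it was first created with) and this answer (a .devicePasscode-protected item used as a password-reset gate) come down to the same three keychain operations. The following Swift is an added example written for this page; it is not code from either poster, from the linked Cordova plugin, or from Apple. The service and account names are placeholders, the sample token is constructed, and the delete-before-add step is what makes a changed flag actually take effect, since SecItemAdd returns errSecDuplicateItem rather than replacing an existing item.

```swift
import Foundation
import Security
import LocalAuthentication

/// Placeholder service name for this example (not from the original posts).
let keychainService = "com.example.app.protected-items"

/// Remove any existing item so a previously stored access-control flag
/// (for example kSecAccessControlUserPresence) is not silently kept.
func deleteItem(account: String) -> OSStatus {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: keychainService,
        kSecAttrAccount as String: account,
    ]
    return SecItemDelete(query as CFDictionary)
}

/// Store `value` under `account`, protected by `flags`.
/// SecItemAdd never replaces an existing item, so the old entry is deleted first;
/// without that step a stale flag (and its passcode fallback) survives reinstalls.
func storeItem(account: String, value: Data,
               flags: SecAccessControlCreateFlags) -> OSStatus {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        // Item is wiped by the system if the device passcode is removed.
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        flags,
        &cfError
    ) else {
        return errSecParam
    }
    let deleted = deleteItem(account: account)
    guard deleted == errSecSuccess || deleted == errSecItemNotFound else {
        return deleted
    }
    let attributes: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: keychainService,
        kSecAttrAccount as String: account,
        kSecAttrAccessControl as String: access,
        kSecValueData as String: value,
    ]
    return SecItemAdd(attributes as CFDictionary, nil)
}

/// Read an item back. The system presents whatever prompt the stored flag
/// requires (Face ID / Touch ID only for .biometryCurrentSet, the device
/// passcode for .devicePasscode); the app never handles the credential itself.
func readItem(account: String, reason: String) -> Data? {
    let context = LAContext()
    context.localizedReason = reason
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: keychainService,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecUseAuthenticationContext as String: context,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    return status == errSecSuccess ? (result as? Data) : nil
}

// Usage for the first post: a login token unlockable only by the currently
// enrolled biometrics. Enrolling a new finger or face invalidates the item.
let token = Data("opaque-session-token".utf8)  // constructed sample value
_ = storeItem(account: "login-token", value: token, flags: .biometryCurrentSet)
if let unlocked = readItem(account: "login-token", reason: "Unlock your saved login") {
    print("token available, \(unlocked.count) bytes")
}

// Usage for this answer: a marker item readable only after the device passcode.
// Being able to read it proves the user knows the device passcode, so the app
// may let them reset the app password. If the user later removes their device
// passcode the system deletes the item, which is the lock-out caveat above.
_ = storeItem(account: "reset-gate", value: Data([1]), flags: .devicePasscode)
let mayResetAppPassword = readItem(
    account: "reset-gate",
    reason: "Confirm your device passcode to reset your app password") != nil
```

Both calls run on a real device only; the Simulator has no Secure Enclave, and SecItemCopyMatching will block on the prompt, so call readItem off the main thread in a real app. The reset gate deliberately stores a meaningless byte: the security property is the ability to read the item at all, not its contents.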

Swift/iOS - Use Strong Password not being saved to keychain

I am attempting to implement the autofill feature for iOS. I have followed all the steps from https://developer.apple.com/documentation/security/password_autofill. I have an associated domain, a valid apple app association file, and I have set the text content types correctly. My issue is, when I am prompted to "use strong password" by the native iOS dialog, my username/password never gets saved to the keychain. I have also validated that I have autofill on and my iCloud keychain enabled. I've also followed https://medium.com/developerinsider/ios12-password-autofill-automatic-strong-password-and-security-code-autofill-6e7db8da1810 , but still not seeing the expected behavior. By clicking "use strong password", is the username/pw automatically sent to the keychain, or do I need to manually do something? Thanks in advance.
Actually watched developer.apple.com/videos/play/wwdc2018/204/?time=31 . Turns out the issue was not removing the user/pw/confirmPw from the view hierarchy. So on my "viewWillDisappear" I am removing the fields from the hierarchy; this triggers the save to keychain.
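To make the finding in that comment concrete, here is an added UIKit example (not the poster's code and not from Apple's documentation): a sign-up screen whose fields carry the content types that trigger the strong-password offer, and which removes those fields from the hierarchy in viewWillDisappear so the credential is committed to iCloud Keychain. The view controller, field names and password rule string are hypothetical; the associated-domain setup the question already describes is assumed to be in place.

```swift
import UIKit

/// Hypothetical sign-up screen wired for Password AutoFill.
final class SignUpViewController: UIViewController {
    private let usernameField = UITextField()
    private let passwordField = UITextField()
    private let confirmField = UITextField()
    private let stack = UIStackView()

    override func viewDidLoad() {
        super.viewDidLoad()

        // Content types tell the system which field holds what.
        usernameField.textContentType = .username
        usernameField.keyboardType = .emailAddress
        usernameField.autocapitalizationType = .none
        usernameField.placeholder = "Email"

        // .newPassword (not .password) is what makes iOS offer "Use Strong Password".
        for field in [passwordField, confirmField] {
            field.textContentType = .newPassword
            field.isSecureTextEntry = true
        }
        passwordField.placeholder = "Password"
        confirmField.placeholder = "Confirm password"

        // Optional: constrain the generated password to what the server accepts.
        // Constructed rule string; adjust to the real server policy.
        let rules = UITextInputPasswordRules(
            descriptor: "minlength: 12; required: lower; required: upper; required: digit;")
        passwordField.passwordRules = rules
        confirmField.passwordRules = rules

        for field in [usernameField, passwordField, confirmField] {
            field.borderStyle = .roundedRect
            stack.addArrangedSubview(field)
        }
        stack.axis = .vertical
        stack.spacing = 12
        stack.translatesAutoresizingMaskIntoConstraints = false
        view.addSubview(stack)
        NSLayoutConstraint.activate([
            stack.topAnchor.constraint(equalTo: view.safeAreaLayoutGuide.topAnchor, constant: 24),
            stack.leadingAnchor.constraint(equalTo: view.leadingAnchor, constant: 16),
            stack.trailingAnchor.constraint(equalTo: view.trailingAnchor, constant: -16),
        ])
    }

    override func viewWillDisappear(_ animated: Bool) {
        super.viewWillDisappear(animated)
        // iOS saves the new credential once the username/password fields leave
        // the view hierarchy, which is the step the comment above identified.
        stack.removeFromSuperview()
    }
}
```

Because the whole stack is removed, all three fields leave the hierarchy together; if the screen is dismissed rather than pushed over, the same thing happens automatically when the view controller is deallocated, which is why many apps never notice the requirement.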

Code sign wants to sign using key in your keychain

I want to generate my build, so I started following the same steps I have been using for the last few years. But this time the following dialog box came up while I tried to export the build:
I have used Google for a solution to this problem and tried multiple suggestions, but I still can't sort out this problem.
Here is the main reference that I found on Stack Overflow:
code sign wants to sign using key - Doesn't allow or always allow but deny works
But those replies are not working for me, so please share your suggestions with me.
There may be something funny with the Trust setting in the certificate.
Open Keychain.
Find the relevant certificate in "My Certificates". Verify it hasn't expired.
Double click to open.
Fiddle with the "When using this certificate" field. Setting it to "Always Trust" before building might help. You can flip it back to "Use System Defaults" after.
Also check the settings on the Code Signing specific field. That might be wrong.
This might have happened if you pressed "Deny" at some point in the past.

Is there any way to be connected with the Dropbox SDK without having the captcha access screen each time?

I would like to be connected with the Dropbox SDK on iOS without allowing it every time. Is it possible?
I would just like the person to log in with their Dropbox account and password, and that's all.
My main problem is that Dropbox is asking for a captcha each time, which is bugging me...
How can I avoid that captcha question?
Thanks in advance.
If you RTFM, you will have everything for your code.
https://www.dropbox.com/developers/documentation/objective-c
Check the example provided by Dropbox:
https://github.com/dropbox/dropbox-sdk-obj-c/tree/master/Examples/DBRoulette
It is probably because you ask for the token several times...
The Dropbox iOS SDK will automatically store the access token that results from the app authorization flow, so you only need to send the user through the flow once.
That is, check if you already have an authorized user, and don't call authorizeFromController if so.
For reference, the captcha itself won't always be shown during login. Dropbox has an anti-abuse system that will decide if/when to show it on various factors, but that's not something you can turn on/off yourself.

How Do I Force An iOS TouchID To Re-Authorize After Each Access, or Check If It is Unlocked?

OK. I suspect I just need to be directed to the appropriate "M" for "RTFM." I'm not new to iOS, but fairly new to keychain use. I am using a good keychain wrapper called "FXKeychain".
I have an app that includes a login, with a password stored in the default keychain.
I use TouchID to validate the user and fill in the password.
In order to do this, I display a "thumbprint" button, with an IBAction handler that runs the standard code:
self.s_authenticationContext.evaluatePolicy(LAPolicy.DeviceOwnerAuthenticationWithBiometrics, localizedReason: "Yo. Gimmie ur thumb.", reply: self.touchIDCallback)
The issue is, that once it is unlocked, subsequent touches of the button, using the above, skip the alert, and simply fall through.
This is an issue because the same button is displayed, even after the user is validated. I'd like to either:
Re-lock after entering the password, so the user must re-authenticate each time (preferred), or
Display a different button image that indicates the thumbprint is no longer necessary.
That means that I need to:
Find a way to re-lock the TouchID, or
Find out if the user is unlocked.
Any ideas?
Thanks!
It is your authentication context rather than the keychain that is 'unlocked'. If you allocate a new authentication context before calling evaluatePolicy then the touchID dialog will be shown again.
You can, however, actually use touchID to authenticate access to a keychain item directly. The Apple sample code demonstrates how to do this - https://developer.apple.com/library/ios/samplecode/KeychainTouchID/Introduction/Intro.html#//apple_ref/doc/uid/TP40014530-Intro-DontLinkElementID_2
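The first sentence of that answer is the fix for the question's "fall-through": an LAContext that has already passed evaluatePolicy stays satisfied, so the same instance must not be reused. The following Swift is an added example, not the asker's code or Apple's sample: a small gate that allocates a fresh context per attempt, invalidates it as soon as the reply arrives, and maps LAError codes into outcomes the caller can act on. The class, enum and reason string are hypothetical.

```swift
import Foundation
import LocalAuthentication

/// One LAContext per authentication attempt. A context that has already
/// passed evaluatePolicy is "unlocked" and reusing it skips the prompt,
/// which is exactly the fall-through the question describes.
final class BiometricGate {
    private var context: LAContext?

    enum Outcome {
        case success
        case cancelled
        case fallbackRequested
        case unavailable(Error?)
        case failed(Error?)
    }

    func authenticate(reason: String, completion: @escaping (Outcome) -> Void) {
        // Retire whatever was left from the previous attempt before starting a new one.
        context?.invalidate()
        let ctx = LAContext()
        // Documented behaviour: an empty fallback title hides the "Enter Password"
        // button, so only biometrics are offered on this prompt.
        ctx.localizedFallbackTitle = ""
        context = ctx

        var checkError: NSError?
        guard ctx.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                                    error: &checkError) else {
            completion(.unavailable(checkError))
            return
        }

        ctx.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                           localizedReason: reason) { ok, error in
            // Invalidate immediately: even a successful context must not be reusable,
            // so the next button press shows the prompt again (the "re-lock").
            ctx.invalidate()
            let outcome: Outcome
            if ok {
                outcome = .success
            } else if let laError = error as? LAError {
                switch laError.code {
                case .userCancel, .systemCancel, .appCancel:
                    outcome = .cancelled
                case .userFallback:
                    // Cannot occur while the fallback button is hidden; handled
                    // for completeness in case the title is shown again later.
                    outcome = .fallbackRequested
                default:
                    outcome = .failed(error)
                }
            } else {
                outcome = .failed(error)
            }
            DispatchQueue.main.async { completion(outcome) }
        }
    }
}

// Usage from the "thumbprint" button's action (hypothetical reason string).
let gate = BiometricGate()
gate.authenticate(reason: "Unlock your saved password") { outcome in
    switch outcome {
    case .success: print("fill in the password now")
    case .cancelled: print("user backed out; keep the button as is")
    case .fallbackRequested: print("fallback requested; not accepted here")
    case .unavailable(let e), .failed(let e): print("biometrics unavailable or failed: \(String(describing: e))")
    }
}
```

Because the context is discarded on every path, the question's second option (a different button image once unlocked) becomes unnecessary: there is no longer any persistent "unlocked" state in the app to reflect. The password itself should still be fetched through the keychain path the answer links to, so that the biometric check gates the item rather than just a UI flow.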
