Demystifying Apple "Pie" & TouchID
Disclaimer
• Apple Pay research is a work in progress.
• Yes, a jailbroken device is required.
• No 0-day vulnerabilities in this talk.
• This talk is about Apple Pay internals and the TouchID implementation.
Download the slides from:
twitter.com/0xroot
Agenda
• Part I: Introduction to Apple Pay.
• Part II: Demystifying Apple Pay.
• Part III: Messing with runtime.
• Part IV: TouchID implementation caveats.
whoami
Sebas Guerrero (@0xroot)
Sr. Mobile Security Analyst at NowSecure
https://github.com/0xroot
sguerrero@nowsecure.com
Introduction to Apple Pay
What is Apple Pay?
“Mobile payments service and digital wallet app that
uses NFC to initiate secure payment transactions
between contactless payment terminals and Apple
iOS devices.”
How can I use it?
• Pay in-store: purchase by just tapping the phone against a contactless POS and placing a finger on the TouchID sensor.
• Pay in mobile apps: pay for items within mobile apps that support Apple Pay.
SE & HCE
• Secure Element (SE) - Tamper-resistant platform capable of securely hosting
applications and their confidential and cryptographic data in accordance with
the rules and security requirements. It can be considered a chip that offers a
dynamic environment to store data securely.
• Host Card Emulation (HCE) - Assumes that any data stored on a handset is
vulnerable and therefore restricts the storage of sensitive data to host or
‘cloud’ databases, managed to a high security standard. Preventing
unauthorized access depends on four pillars: limited use key, tokens, device
fingerprinting and transaction risk analysis.
Demystifying Apple Pay
What composes Apple Pay?
• Secure Enclave & TouchID
• Apple Pay servers
• Passbook
• Secure Element
• NFC controller
What is stored in the SE?
"Every time a consumer adds a credit card to the Passbook application, the real payment credentials (PAN, expiration date, CVV, etc.) are not stored in the SE. Apple Pay instead stores a token and some associated data inside the SE."
What is the token used for?
"We can think of a token as a fake credit card number, which is de-tokenized before being passed on to the issuer for authorization. Traditionally the acquirer is responsible for tokenization and de-tokenization; Apple Pay instead follows the standard created by EMVCo, in which the payment network performs the de-tokenization."
How are the tokens provided?
Parties in the provisioning flow (left to right on the slide): Customer, Apple Pay (on the device), Apple Pay servers, issuer bank, token service provider, Secure Element.
• Customer → Apple Pay: the credit card (PAN / Exp. Date / CVV)
• Apple Pay → Apple Pay servers → issuer bank: PAN / Exp. Date / CVV
• Token service provider: Token / Token-key for that card
• Back to the device, provisioned into the Secure Element: Token / Token-key / cvv-key
- token-key will be used to generate a dynamic cryptogram
- cvv-key will be used to generate a dynamic security code
Payment token format
PKPaymentToken object:
• Transaction ID
• Payment Network
• PaymentToken Data
  • Signature
  • Header
  • Encrypted Payment Data (amount, cardholder name, …)
  • Payment Processing Data

Top-level structure
Key       | Value                                                | Description
data      | Payment data dictionary, Base64 encoded as string    | Encrypted payment data
header    | Header dictionary                                    | Additional information used to decrypt and verify the payment
signature | Detached PKCS #7 signature, Base64 encoded as string | Signature of the payment and header data
version   | String                                               | Version information about the payment token
Payment Data Keys
Key                             | Value                   | Description
applicationPrimaryAccountNumber | string                  | Device-specific account number of the card that funds this transaction
applicationExpirationDate       | date (string)           | Card expiration date in the format YYMMDD
currencyCode                    | string                  | ISO 4217 numeric currency code
transactionAmount               | number                  | Transaction amount
cardholderName                  | string                  | Cardholder name
deviceManufacturerIdentifier    | string                  | Hex-encoded device manufacturer identifier
paymentDataType                 | string                  | Either "3DSecure" or "EMV"
paymentData                     | payment data dictionary | Detailed payment data
Intercepting payment operations
"According to the EMV standard, during a payment operation sensitive information like the card-holder name, card number, expiration date and CVV are transmitted."
With Apple Pay the card number in that exchange is the device account number (the token) and the security code is the dynamic one derived from the cvv-key, not the real PAN and CVV (see "What happens in a payment?" below).
proxmark3> hf 14a list
Recorded Activity
Start     | End       | Src | Data
----------|-----------|-----|--------
0         | 992       | Rdr | 52
298272    | 299264    | Rdr | 52
596560    | 597552    | Rdr | 52
894832    | 895824    | Rdr | 52
1193120   | 1194112   | Rdr | 52
1491392   | 1492384   | Rdr | 52
1789680   | 1790672   | Rdr | 52
2087952   | 2088944   | Rdr | 52
2386240   | 2387232   | Rdr | 52
2684496   | 2685488   | Rdr | 52
2982800   | 2983792   | Rdr | 52
3281088   | 3282080   | Rdr | 52
3579360   | 3580352   | Rdr | 52
…
Each 52 is the reader's ISO 14443-A WUPA (wake-up) poll; only reader-side polling appears in this trace, no tag response was recorded.
Token de-tokenization
Encrypted token as received by the merchant:
{
  "data": "2DzU9u6byIY4qCs3lW4KgK3JWC6Ac+x…..……WkFco=",
  "header": {
    "ephemeralPublicKey": "MFkwEwYHKoZIzj0…………bA==",
    "publicKeyHash": "spzGX6upCJhx5UD8vCo1+LcIi7+fkxEUaVmhbX18cJM=",
    "transactionId": "79ccd07eb432f80067d8e5bbc4c38ee1def7fcc1827f6ba5b63bf47b283ebf89"
  },
  "signature": "MIAGCSqGSIb3DQEHAqtNGjj9I………….AAAAAAAA=",
  "version": "EC_v1"
}
Decrypted payment data:
{
  "applicationExpirationDate": "190131",
  "applicationPrimaryAccountNumber": "370295XXXXX5435",
  "currencyCode": "840",
  "deviceManufacturerIdentifier": "XXXXXXXXXX",
  "paymentData": {
    "emvData": "nycBgJ82AgDCnyYIG2vuQydGkMafEA…….Lnvab4="
  },
  "paymentDataType": "EMV",
  "transactionAmount": 100
}
Github: applepay_crypto_demo
What happens in a payment?
“Each transaction is authorized with a one-time unique number using your
Device Account Number and instead of using the security code from the back
of your card, Apple Pay creates a dynamic security code to securely validate
each transaction.”
- From the press release
The Device Account Number represents the Token, the One-time Unique
Number represents the dynamic cryptogram and the Dynamic Security Code
represents the dynamic CVV
Secure Enclave
• Part of the A7 and A8 chips, used for Touch ID. According to Apple, the fingerprint data is stored inside the Secure Enclave in encrypted form and can only be decrypted with a key available to the Secure Enclave, so it is walled off from the rest of the A7/A8 chip.
• It's a flashable 4 MB processor named the Secure Enclave Processor (SEP).
• It runs its own OS, called SEP OS, and there is a utility called seputil that can be used to communicate with it.
• seputil is contained in the ramdisk H7SURamDisk.dmg, found on the device under /usr/standalone/update/ramdisk, inside the ramdisk at /usr/libexec.
• The first 0x1b (27) bytes must be stripped off before the DMG can be mounted.
RootedCON
Secure Enclave
• We believe that all the information stored in the Secure Enclave is erased once the device is turned off.
• Inside biometrickitd we find, at address 000000010001DD3C, a 'bl sub_10001376c' instruction. That routine is the one used to upload all the information to the Secure Enclave.
• Probably a good starting point to figure out how things work in the Secure Enclave.
Messing with runtime
TouchID
"Fingerprint recognition feature designed by Apple and available on the iPhone 5S, 6 and 6 Plus. Its purpose is to let users unlock their device, make purchases in the various Apple stores, and authenticate Apple Pay online or in apps."
TouchID Process
• Sense for a scannable object
• Scan the object
• Construct an input map based on the scan results
• Construct a lower-resolution input pattern
• Provide the input pattern and the template pattern
• Run match comparisons of the input pattern against the template pattern
• Provide the identities of possible matches
• Run a match comparison of the input map against the possible match identities
• Provide the result
What happens under the hood
• First obstacle: what happens at filesystem level when the user interacts with the TouchID component and a fingerprint is added to or removed from the system?
• Workaround: the FileMon utility by J. Levin, put on steroids by pancake, lets the user peek behind the scenes at what iOS daemons are doing.
• Goal: obtain the binaries involved and the operations they perform when Apple Pay or the TouchID component is used.
Identifying binaries
• The SpringBoard framework binary generates some interesting images.
• The biometrickitd daemon creates and modifies the content of a file called TemplateList.cat; its temporary copy is gone before FileMon can grab it:
[E] Error copying /tmp/_private_var_root_Library_Catacomb_TemplateList.cat.tmp
Overriding unlink
carapene:~ root# cycript -p PID
cy# @import com.saurik.substrate.MS
cy# // resolve unlink(2) and give cycript its real C signature: int unlink(const char *)
cy# unlink = dlsym(RTLD_DEFAULT, "unlink")
cy# unlink = @encode(int (const char *))(unlink)
cy# var oldu = {}
cy# var log = []
cy# // replacement: record the path and report success without deleting anything
cy# MS.hookFunction(unlink, function(path){
cy>   log.push([path]);
cy>   return 0;
cy> }, oldu)
• Second obstacle: unlink prevents us from copying the resource, since it removes the link named by the path parameter from its directory before we can copy it.
• Workaround: override its implementation so that it always returns 0 (success) without removing the file.
• Goal: obtain a copy of the files generated.
dyld_shared_cache
• Third obstacle: since iPhone OS 3.1 all default (private and public) libraries have been combined into one big cache file. All binaries or libraries from /System/Library/Frameworks and /System/Library/PrivateFrameworks now live in /System/Library/Caches/com.apple.dyld/dyld_shared_cache_armX.
• Workaround: use the jtool utility to extract a specific binary from the cache, or to dump all the binaries at once.
• Goal: access to all the binaries, and the ability to dump their classes/methods and reverse engineer them.
jtool -extract UIKit path/to/dyld_shared_cache
# list the cache contents, skip the header lines, extract every entry
jtool -lv cache_armv7 | cut -c 24- | tail -n +5 | while read -r line ; do jtool -extract "$line" cache_armv7 ; done
Put your seat-belt on
• Fourth obstacle: the binary carries in its entitlements the seatbelt-profiles key, which names a Sandbox ("Seatbelt") kernel-extension profile restricting what the process may do.
• Workaround: use the ldid utility to extract the entitlements, rename the seatbelt-profiles key (here simply reversed to tlebtaes-profiles) so that no profile is applied, and write the entitlements back with ldid.
• Goal: the ability to attach cycript to the process, dump the information in its variables and modify its behaviour at runtime.
Original entitlement:
<key>seatbelt-profiles</key>
<array>
<string>seld</string>
</array>
Modified entitlement (key no longer recognised, so the profile is not applied):
<key>tlebtaes-profiles</key>
<array>
<string>seld</string>
</array>
Thug Life
TouchID Security
“The resulting map of nodes is stored without any identity information in
an encrypted format that can only be read by the Secure Enclave, and is
never sent to Apple or backed up to iCloud or iTunes.”
Partially true
Enabling TouchID Debug Log
• The biometrickitd binary contains a string reference to /var/mobile/Library/Logs/CrashReporter/BioLog. That file is generated by the BioLog class, which is disabled by default.
• Save the following com.apple.biometrickitd.plist file under /Library/Managed Preferences/mobile/:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>debugLogEnabled</key>
<true/>
</dict>
</plist>
Binaries & methods
• iOS 8.0 headers available at: http://developer.limneos.net/
• Most interesting binaries:
  • Biometric operations: BiometricKit.framework, biometrickitd, Preferences.app
  • NFC controller: nfcd, NearField.framework, libnfshared.dylib, PN548_HAL.dylib, PN548_API.dylib, PN548.dylib
  • Secure Enclave: seld, seputil (https://theiphonewiki.com/wiki/Seputil)
BiometricKitIdentity: represents an enrolled fingerprint on the device; properties for the user-defined name and UUID are available.
BLTemplateList: retrieves the template associated with each identity enrolled on the device.
TemplateInfo: retrieves the information associated with each template that represents a fingerprint.
BioLogBase: contains all the logs dumped for the TouchID component.
BiometricKitXPCServer
TemplateList.cat
• Located at /private/var/root/Library/Catacomb/TemplateList.cat
• It is the template file that contains all the information about the fingerprints enrolled on the device.
• Some of it is readable, but the most interesting part is Base64 encoded and apparently encrypted.
Gotta Catch 'em all!
• decodeCatacombDataV1
• pullDebugImageData
• pullImageMetadata
• pullMatchTopologyData
• setAppleMesaSEPLoggingLevel
• getData / readBinary / getApplications / getCertificates
• decodeRootSecurityDomainResponse / dumpAppData
TouchID implementation caveats
LocalAuthentication
Call path shown on the slide: Application → LocalAuthentication (user space) → TouchID (operating system) → credential management (Secure Enclave).
LA Security
• LocalAuthentication: trusts the OS. The framework only hands the app's own process a yes/no answer, so anything that controls that process can forge the answer.
• Keychain: trusts the Secure Enclave. A keychain item protected by an access-control list is only released after the Secure Enclave has verified the fingerprint; there is no boolean to flip.
• In both cases there is no direct access to the Secure Enclave, no access to the registered fingers and no access to the fingerprint image.
• Shared libraries: check with otool whether LocalAuthentication.framework is linked.
• canEvaluatePolicy: preflights an authentication policy to see whether authentication can succeed.
• evaluatePolicy: evaluates the specified policy; the reply block receives a boolean.
• Policy LAPolicyDeviceOwnerAuthenticationWithBiometrics: no passcode authentication; fallback is the application's own password entry UI.
LocalAuthentication API
TouchID Authentication
- (void)evaluatePolicy
{
    LAContext *context = [[LAContext alloc] init];
    __block NSString *msg;
    // show the authentication UI with our reason string
    [context evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
            localizedReason:NSLocalizedString(@"8=====D~", nil)
                      reply:^(BOOL success, NSError *authenticationError) {
        // 'success' is a plain BOOL delivered to this process (see Tango Down)
        if (success) {
            msg = [NSString stringWithFormat:NSLocalizedString(@"EVALUATE_POLICY_SUCCESS", nil)];
        } else {
            msg = [NSString stringWithFormat:NSLocalizedString(@"EVALUATE_POLICY_WITH_ERROR", nil), authenticationError.localizedDescription];
        }
        [self printResult:self.textView message:msg];
    }];
}
Tango Down
carapene:~ root# cycript -p PID
cy# @import com.saurik.substrate.MS
cy# var oldm = {}
cy# // replace -[LAContext evaluatePolicy:localizedReason:reply:]: TouchID is never consulted,
cy# // the app's reply block is simply invoked with success
cy# MS.hookMessage(LAContext, @selector(evaluatePolicy:localizedReason:reply:),
cy>   function(self, reason, block) { block(YES, nil); }, oldm);
Demo #1
What's out there?
Tampering the binary
NOP ALL THE THINGS
Demo #2
It's Magic
Conclusions
• Apple Pay is pretty solid and well structured; maybe not all the statements made by Apple are true, but the overall security deployed is robust.
• A jailbroken device is required to even scratch the surface, and even then the information obtained is not highly sensitive.
• TouchID integration works better with Keychain ACLs; relying on LocalAuthentication.framework alone to protect your assets is not recommended.
Thank You
special thanks to @abelenko, @trufae (pancake), @revskills (F. Alonso) and J. Levin
(@technologeeks)
Sebas Guerrero
@0xroot
sguerrero@nowsecure.com

mDevCamp 2016 - Zingly, or how to design multi-banking app
 
DEF CON 27 - workshop - RICHARD GOLD - mind the gap
DEF CON 27 - workshop - RICHARD GOLD - mind the gapDEF CON 27 - workshop - RICHARD GOLD - mind the gap
DEF CON 27 - workshop - RICHARD GOLD - mind the gap
 

Recently uploaded

Antenna efficency lecture course chapter 3.pdf
Antenna  efficency lecture course chapter 3.pdfAntenna  efficency lecture course chapter 3.pdf
Antenna efficency lecture course chapter 3.pdf
AbrahamGadissa
 
ENERGY STORAGE DEVICES INTRODUCTION UNIT-I
ENERGY STORAGE DEVICES  INTRODUCTION UNIT-IENERGY STORAGE DEVICES  INTRODUCTION UNIT-I
ENERGY STORAGE DEVICES INTRODUCTION UNIT-I
VigneshvaranMech
 
Student information management system project report ii.pdf
Student information management system project report ii.pdfStudent information management system project report ii.pdf
Student information management system project report ii.pdf
Kamal Acharya
 
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptxCFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
R&R Consult
 
Natalia Rutkowska - BIM School Course in Kraków
Natalia Rutkowska - BIM School Course in KrakówNatalia Rutkowska - BIM School Course in Kraków
Natalia Rutkowska - BIM School Course in Kraków
bim.edu.pl
 
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
MdTanvirMahtab2
 
Explosives Industry manufacturing process.pdf
Explosives Industry manufacturing process.pdfExplosives Industry manufacturing process.pdf
Explosives Industry manufacturing process.pdf
884710SadaqatAli
 
fundamentals of drawing and isometric and orthographic projection
fundamentals of drawing and isometric and orthographic projectionfundamentals of drawing and isometric and orthographic projection
fundamentals of drawing and isometric and orthographic projection
jeevanprasad8
 
Standard Reomte Control Interface - Neometrix
Standard Reomte Control Interface - NeometrixStandard Reomte Control Interface - Neometrix
Standard Reomte Control Interface - Neometrix
Neometrix_Engineering_Pvt_Ltd
 
WATER CRISIS and its solutions-pptx 1234
WATER CRISIS and its solutions-pptx 1234WATER CRISIS and its solutions-pptx 1234
WATER CRISIS and its solutions-pptx 1234
AafreenAbuthahir2
 
Online resume builder management system project report.pdf
Online resume builder management system project report.pdfOnline resume builder management system project report.pdf
Online resume builder management system project report.pdf
Kamal Acharya
 
Immunizing Image Classifiers Against Localized Adversary Attacks
Immunizing Image Classifiers Against Localized Adversary AttacksImmunizing Image Classifiers Against Localized Adversary Attacks
Immunizing Image Classifiers Against Localized Adversary Attacks
gerogepatton
 
power quality voltage fluctuation UNIT - I.pptx
power quality voltage fluctuation UNIT - I.pptxpower quality voltage fluctuation UNIT - I.pptx
power quality voltage fluctuation UNIT - I.pptx
ViniHema
 
Toll tax management system project report..pdf
Toll tax management system project report..pdfToll tax management system project report..pdf
Toll tax management system project report..pdf
Kamal Acharya
 
Final project report on grocery store management system..pdf
Final project report on grocery store management system..pdfFinal project report on grocery store management system..pdf
Final project report on grocery store management system..pdf
Kamal Acharya
 
Online blood donation management system project.pdf
Online blood donation management system project.pdfOnline blood donation management system project.pdf
Online blood donation management system project.pdf
Kamal Acharya
 
weather web application report.pdf
weather web application report.pdfweather web application report.pdf
weather web application report.pdf
Pratik Pawar
 
Vaccine management system project report documentation..pdf
Vaccine management system project report documentation..pdfVaccine management system project report documentation..pdf
Vaccine management system project report documentation..pdf
Kamal Acharya
 
The Benefits and Techniques of Trenchless Pipe Repair.pdf
The Benefits and Techniques of Trenchless Pipe Repair.pdfThe Benefits and Techniques of Trenchless Pipe Repair.pdf
The Benefits and Techniques of Trenchless Pipe Repair.pdf
Pipe Restoration Solutions
 
Halogenation process of chemical process industries
Halogenation process of chemical process industriesHalogenation process of chemical process industries
Halogenation process of chemical process industries
MuhammadTufail242431
 

Recently uploaded (20)

Antenna efficency lecture course chapter 3.pdf
Antenna  efficency lecture course chapter 3.pdfAntenna  efficency lecture course chapter 3.pdf
Antenna efficency lecture course chapter 3.pdf
 
ENERGY STORAGE DEVICES INTRODUCTION UNIT-I
ENERGY STORAGE DEVICES  INTRODUCTION UNIT-IENERGY STORAGE DEVICES  INTRODUCTION UNIT-I
ENERGY STORAGE DEVICES INTRODUCTION UNIT-I
 
Student information management system project report ii.pdf
Student information management system project report ii.pdfStudent information management system project report ii.pdf
Student information management system project report ii.pdf
 
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptxCFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
 
Natalia Rutkowska - BIM School Course in Kraków
Natalia Rutkowska - BIM School Course in KrakówNatalia Rutkowska - BIM School Course in Kraków
Natalia Rutkowska - BIM School Course in Kraków
 
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
 
Explosives Industry manufacturing process.pdf
Explosives Industry manufacturing process.pdfExplosives Industry manufacturing process.pdf
Explosives Industry manufacturing process.pdf
 
fundamentals of drawing and isometric and orthographic projection
fundamentals of drawing and isometric and orthographic projectionfundamentals of drawing and isometric and orthographic projection
fundamentals of drawing and isometric and orthographic projection
 
Standard Reomte Control Interface - Neometrix
Standard Reomte Control Interface - NeometrixStandard Reomte Control Interface - Neometrix
Standard Reomte Control Interface - Neometrix
 
WATER CRISIS and its solutions-pptx 1234
WATER CRISIS and its solutions-pptx 1234WATER CRISIS and its solutions-pptx 1234
WATER CRISIS and its solutions-pptx 1234
 
Online resume builder management system project report.pdf
Online resume builder management system project report.pdfOnline resume builder management system project report.pdf
Online resume builder management system project report.pdf
 
Immunizing Image Classifiers Against Localized Adversary Attacks
Immunizing Image Classifiers Against Localized Adversary AttacksImmunizing Image Classifiers Against Localized Adversary Attacks
Immunizing Image Classifiers Against Localized Adversary Attacks
 
power quality voltage fluctuation UNIT - I.pptx
power quality voltage fluctuation UNIT - I.pptxpower quality voltage fluctuation UNIT - I.pptx
power quality voltage fluctuation UNIT - I.pptx
 
Toll tax management system project report..pdf
Toll tax management system project report..pdfToll tax management system project report..pdf
Toll tax management system project report..pdf
 
Final project report on grocery store management system..pdf
Final project report on grocery store management system..pdfFinal project report on grocery store management system..pdf
Final project report on grocery store management system..pdf
 
Online blood donation management system project.pdf
Online blood donation management system project.pdfOnline blood donation management system project.pdf
Online blood donation management system project.pdf
 
weather web application report.pdf
weather web application report.pdfweather web application report.pdf
weather web application report.pdf
 
Vaccine management system project report documentation..pdf
Vaccine management system project report documentation..pdfVaccine management system project report documentation..pdf
Vaccine management system project report documentation..pdf
 
The Benefits and Techniques of Trenchless Pipe Repair.pdf
The Benefits and Techniques of Trenchless Pipe Repair.pdfThe Benefits and Techniques of Trenchless Pipe Repair.pdf
The Benefits and Techniques of Trenchless Pipe Repair.pdf
 
Halogenation process of chemical process industries
Halogenation process of chemical process industriesHalogenation process of chemical process industries
Halogenation process of chemical process industries
 

Demystifying Apple 'Pie' & TouchID

What is the token used?
“We can consider a token like a fake credit card number, which is de-tokenized before being transmitted on to the Issuer for authorization. The Acquirer is responsible for tokenization and de-tokenization. Apple Pay, however, uses the standard created by EMVCo, where the payment network is the one that performs the de-tokenization.”
How are the tokens provided?
(Provisioning diagram, flattened by extraction. Participants from left to right: Customer, Apple Pay, Apple Pay Servers, Issuer Bank, Token Service Provider, Secure Element. Data exchanged, in slide order:)
• Credit card
• PAN / Exp. Date / CVV
• PAN / Exp. Date / CVV
• Token / Token-key
• PAN / Exp. Date / CVV
• Token / Token-key / cvv-key
• Token / Token-key / cvv-key
- The token-key will be used to generate a dynamic cryptogram.
- The cvv-key will be used to generate a dynamic security code.
Payment token format
PKPaymentToken object: Transaction ID, Payment Network, PaymentToken Data (Signature, Header, Encrypted Payment Data: Amount, Cardholder name, …, Payment Processing Data).

Top-Level Structure
Key        Value                                                  Description
data       Payment data dictionary, Base64 encoded as string      Encrypted payment data.
header     Header dictionary                                      Additional information used to decrypt and verify the payment.
signature  Detached PKCS #7 signature, Base64 encoded as string   Signature of the payment and header data.
version    String                                                 Version information about the payment token.
Payment token format
Payment Data Keys
Key                              Value                    Description
applicationPrimaryAccountNumber  string                   Device-specific account number of the card that funds this transaction.
applicationExpirationDate        date (string)            Card expiration date in the format YYMMDD.
currencyCode                     string                   ISO 4217 numeric currency code.
transactionAmount                number                   Transaction amount.
cardholderName                   string                   Cardholder name.
deviceManufacturerIdentifier     string                   Hex-encoded device manufacturer identifier.
paymentDataType                  string                   Either ‘3DSecure’ or ‘EMV’.
paymentData                      payment data dictionary  Detailed payment data.
Intercepting payment operations
“According to the EMV standard, during a payment operation, sensitive information like card-holder name, credit card number, expiration date and cvv are transmitted.”

proxmark3> hf 14a list
Recorded Activity
Start     | End       | Src | Data
----------|-----------|-----|--------
0         | 992       | Rdr | 52
298272    | 299264    | Rdr | 52
596560    | 597552    | Rdr | 52
894832    | 895824    | Rdr | 52
1193120   | 1194112   | Rdr | 52
1491392   | 1492384   | Rdr | 52
1789680   | 1790672   | Rdr | 52
2087952   | 2088944   | Rdr | 52
2386240   | 2387232   | Rdr | 52
2684496   | 2685488   | Rdr | 52
2982800   | 2983792   | Rdr | 52
3281088   | 3282080   | Rdr | 52
3579360   | 3580352   | Rdr | 52
…
Token de-tokenization
{
  "data": "2DzU9u6byIY4qCs3lW4KgK3JWC6Ac+x…..……WkFco=",
  "header": {
    "ephemeralPublicKey": "MFkwEwYHKoZIzj0…………bA==",
    "publicKeyHash": "spzGX6upCJhx5UD8vCo1+LcIi7+fkxEUaVmhbX18cJM=",
    "transactionId": "79ccd07eb432f80067d8e5bbc4c38ee1def7fcc1827f6ba5b63bf47b283ebf89"
  },
  "signature": "MIAGCSqGSIb3DQEHAqtNGjj9I………….AAAAAAAA=",
  "version": "EC_v1"
}

(decrypted payment data)
{
  "applicationExpirationDate": "190131",
  "applicationPrimaryAccountNumber": "370295XXXXX5435",
  "currencyCode": "840",
  "deviceManufacturerIdentifier": "XXXXXXXXXX",
  "paymentData": {
    "emvData": "nycBgJ82AgDCnyYIG2vuQydGkMafEA…….Lnvab4="
  },
  "paymentDataType": "EMV",
  "transactionAmount": 100
}
Github: applepay_crypto_demo
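As an added example (not code from the talk or from applepay_crypto_demo), the structural checks a merchant backend can run on the two objects above, following the "Payment token format" tables: the envelope before any decryption, and the payment data after it. All sample values are constructed, except publicKeyHash, which is copied from the slide.

```objectivec
#import <Foundation/Foundation.h>
// Added example, not from the talk: structural checks a merchant backend can run on a
// PKPaymentToken as laid out on the "Payment token format" slides, on the envelope before
// decryption and on the decrypted payment data. All sample values are constructed.

static NSData *B64(id s) {                     // nil unless s is a base64 string
    if (![s isKindOfClass:[NSString class]]) return nil;
    return [[NSData alloc] initWithBase64EncodedString:s options:0];
}

static BOOL Matches(id s, NSString *pattern) { // anchored regex match on a string
    if (![s isKindOfClass:[NSString class]]) return NO;
    NSRegularExpression *re = [NSRegularExpression regularExpressionWithPattern:pattern
                                                                        options:0 error:NULL];
    return [re numberOfMatchesInString:s options:0 range:NSMakeRange(0, [s length])] > 0;
}

// Top-level structure: version, base64 fields, 32-byte public key hash, 64-hex transaction id.
NSArray<NSString *> *CheckTokenEnvelope(NSDictionary *token) {
    NSMutableArray<NSString *> *problems = [NSMutableArray array];
    if (![token[@"version"] isEqual:@"EC_v1"])
        [problems addObject:@"version: expected EC_v1"];
    if (B64(token[@"data"]).length < 16)         // the AES-GCM tag alone is 16 bytes
        [problems addObject:@"data: missing, not base64 or too short"];
    if (B64(token[@"signature"]).length == 0)
        [problems addObject:@"signature: missing or not base64"];
    NSDictionary *hdr = token[@"header"];
    if (![hdr isKindOfClass:[NSDictionary class]]) {
        [problems addObject:@"header: missing"];
        return problems;
    }
    if (B64(hdr[@"ephemeralPublicKey"]).length == 0)
        [problems addObject:@"header.ephemeralPublicKey: missing or not base64"];
    if (B64(hdr[@"publicKeyHash"]).length != 32)  // SHA-256 of the merchant public key
        [problems addObject:@"header.publicKeyHash: expected 32 bytes"];
    if (!Matches(hdr[@"transactionId"], @"^[0-9a-f]{64}$"))
        [problems addObject:@"header.transactionId: expected 64 hex chars"];
    return problems;
}

// Payment Data Keys: the decrypted dictionary, plus the EMV-specific inner field.
NSArray<NSString *> *CheckPaymentData(NSDictionary *pd) {
    NSMutableArray<NSString *> *problems = [NSMutableArray array];
    if (!Matches(pd[@"applicationPrimaryAccountNumber"], @"^[0-9]{13,19}$"))
        [problems addObject:@"applicationPrimaryAccountNumber: expected 13-19 digits"];
    NSString *exp = pd[@"applicationExpirationDate"];  // YYMMDD, so chars 2-3 are the month
    NSInteger month = Matches(exp, @"^[0-9]{6}$") ?
        [[exp substringWithRange:NSMakeRange(2, 2)] integerValue] : 0;
    if (month < 1 || month > 12)
        [problems addObject:@"applicationExpirationDate: expected YYMMDD"];
    if (!Matches(pd[@"currencyCode"], @"^[0-9]{3}$"))
        [problems addObject:@"currencyCode: expected ISO 4217 numeric code"];
    id amount = pd[@"transactionAmount"];
    if (![amount isKindOfClass:[NSNumber class]] || [amount doubleValue] < 0)
        [problems addObject:@"transactionAmount: expected a non-negative number"];
    NSString *type = pd[@"paymentDataType"];
    NSDictionary *inner = pd[@"paymentData"];
    if (![inner isKindOfClass:[NSDictionary class]])
        [problems addObject:@"paymentData: expected a dictionary"];
    else if ([type isEqual:@"EMV"] && B64(inner[@"emvData"]).length == 0)
        [problems addObject:@"paymentData.emvData: missing or not base64 for EMV"];
    else if (![type isEqual:@"EMV"] && ![type isEqual:@"3DSecure"])
        [problems addObject:@"paymentDataType: expected 3DSecure or EMV"];
    return problems;
}

int main(void) {
    @autoreleasepool {
        // Constructed envelope shaped like the slide's output; publicKeyHash is the slide's value.
        NSString *json = @"{\"version\":\"EC_v1\",\"data\":\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\","
            "\"signature\":\"MIAGCSqGSIb3DQEHAg==\",\"header\":{\"ephemeralPublicKey\":\"MFkwEw==\","
            "\"publicKeyHash\":\"spzGX6upCJhx5UD8vCo1+LcIi7+fkxEUaVmhbX18cJM=\",\"transactionId\":"
            "\"0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef\"}}";
        NSDictionary *token = [NSJSONSerialization JSONObjectWithData:[json dataUsingEncoding:NSUTF8StringEncoding]
                                                              options:0 error:NULL];
        NSDictionary *paymentData = @{   // what decrypting "data" would yield; placeholder values
            @"applicationPrimaryAccountNumber": @"370295000005435", @"applicationExpirationDate": @"190131",
            @"currencyCode": @"840", @"transactionAmount": @100, @"paymentDataType": @"EMV",
            @"paymentData": @{ @"emvData": @"nycBgJ82AgDC" } };
        NSLog(@"envelope problems: %@", CheckTokenEnvelope(token));
        NSLog(@"payment data problems: %@", CheckPaymentData(paymentData));
    }
    return 0;
}
```

Both checks return an empty array for the constructed sample; each returned string names the offending key so a backend can reject a malformed token before trying to decrypt it.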
What happens in a payment?
“Each transaction is authorized with a one-time unique number using your Device Account Number and instead of using the security code from the back of your card, Apple Pay creates a dynamic security code to securely validate each transaction.” - From the press release
The Device Account Number represents the Token, the One-time Unique Number represents the dynamic cryptogram and the Dynamic Security Code represents the dynamic CVV.
Secure Enclave
• Part of the A7 and A8 chips used for Touch ID. According to Apple, within the Secure Enclave the fingerprint data is stored in an encrypted form which can only be decrypted by a key available to the Secure Enclave, thus walling the fingerprint data off from the rest of the A7/A8 chip.
• It’s a flashable 4MB processor named the Secure Enclave Processor (SEP).
• It contains its own OS called SEP OS, and there is a utility called SEPUtil that can be used to communicate with it.
• It’s contained in the ramdisk H7SURamDisk.dmg, which is located in /usr/standalone/update/ramdisk and there in /usr/libexec.
• It is necessary to strip off the first 0x1b (27) bytes to make the DMG readable.
RootǝdCON
Secure Enclave
• We believe that all the information being stored in the Secure Enclave is erased once the device is turned off.
• Inside biometrickitd we find at memory address ‘000000010001DD3C’ a ‘bl sub_10001376c’ instruction. That method is the one used to upload all the information to the Secure Enclave.
• Probably a good starting point to figure out how things work in the Secure Enclave.
TouchID
“Fingerprint recognition feature, designed by Apple and available on the iPhone 5S, 6 and 6+. Its purpose is to allow users to unlock their device, as well as make purchases in the various Apple stores and authenticate Apple Pay online or in apps.”
TouchID Process
1. Sense for scannable object
2. Scan object
3. Construct input map based on scan results
4. Construct lower resolution input pattern
5. Provide input pattern and template pattern
6. Run match comparisons of input pattern and template pattern
7. Provide identity of possible match results
8. Run match comparison of input map with possible match identities
9. Provide result
What happens under the hood
• First Obstacle: What is happening at filesystem level when the user interacts with the TouchID component and a new fingerprint is added to or removed from the system?
• Workaround: The FileMon utility, written by J. Levin and put on steroids by Pancake, lets the user peek behind the scenes at what iOS daemons are doing.
• Goal: We obtain the binaries involved and the operations they perform when the Apple Pay technology or the TouchID component is used.
Identifying binaries
• The SpringBoard framework binary generates some interesting images.
• The biometrickitd daemon creates and modifies the content of a file called TemplateList.cat
[E] Error copying /tmp/_private_var_root_Library_Catacomb_TemplateList.cat.tmp
Overriding unlink
• Second Obstacle: The unlink call keeps us from copying the resource, since it removes the link named by the path parameter from its directory before we can copy it.
• Workaround: Override its implementation and always return false (0).
• Goal: Obtain a copy of the files generated.

carapene:~ root# cycript -p PID
cy# @import com.saurik.substrate.MS
cy# unlink = dlsym(RTLD_DEFAULT, "unlink")
cy# unlink = @encode(int (const char *))(unlink)   // unlink(2) takes one path and returns int
cy# var oldu = {}
cy# var log = []
cy# MS.hookFunction(unlink, function(path) {
cy>     log.push([path]);   // record the path instead of deleting the file
cy>     return 0;           // report success so the caller carries on
cy> }, oldu)
dyld_shared_cache
• Third Obstacle: Since iPhoneOS 3.1 all default (private and public) libraries have been compiled into a big cache file. All binaries or libraries from /System/Library/Frameworks and /System/Library/PrivateFrameworks are now located in /System/Library/Caches/com.apple.dyld/dyld_shared_cache_armX
• Workaround: Make use of the jtool utility, extracting a specific binary from the cache, or dumping all the binaries at once.
• Goal: Access to all the binaries, and the ability to dump their classes/methods and RE their source code.

jtool -extract UIKit path/to/dyld_shared_cache
jtool -lv cache_armv7 | cut -c 24- | tail +5 | while read line ; do jtool -extract "$line" cache_armv7 ; done
Put your seat-belt
• Fourth Obstacle: The binary contains in its entitlements the sandbox profile ‘seat-belt’; Seatbelt is a kernel extension that restricts a set of features from being used by some processes.
• Workaround: Use the ldid utility to extract the entitlements and modify the ‘seat-belt’ field of the binary.
• Goal: The ability to attach cycript to the process, dump the information from its variables and modify its behavior at runtime.

Original entitlement:
<key>seatbelt-profiles</key>
<array>
    <string>seld</string>
</array>

Modified entitlement (key renamed so the profile is no longer applied):
<key>tlebtaes-profiles</key>
<array>
    <string>seld</string>
</array>
ThugLife
TouchID Security
“The resulting map of nodes is stored without any identity information in an encrypted format that can only be read by the Secure Enclave, and is never sent to Apple or backed up to iCloud or iTunes.”
Partially true
Enabling TouchID Debug Log
• The biometrickitd binary contains a string reference to ‘/var/mobile/Library/Logs/CrashReporter/BioLog’. Such a file is generated by the class ‘BioLog’, which is disabled by default.
• Save the following ‘com.apple.biometrickitd.plist’ file under the ‘/Library/Managed Preferences/mobile/’ path.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>debugLogEnabled</key>
    <true/>
</dict>
</plist>
Binaries & methods
• iOS 8.0 headers available at: http://developer.limneos.net/
• Most interesting binaries:
  • Biometric operations - BiometricKit.framework, biometrickitd, Preferences.app
  • NFC Controller - nfcd, NearField.framework, libnfshared.dylib, PN548_HAL.dylib, PN548_API.dylib, PN548.dylib
  • Secure enclave - seld, seputil binary (https://theiphonewiki.com/wiki/Seputil)
BiometricKitIdentity
Represents the enrolled fingerprints on the device. Properties for the user-defined name and UUID are available.

BLTemplateList
Retrieves the template associated with each identity enrolled on the device.

TemplateInfo
Retrieves the information associated with each Template that represents a fingerprint.

BioLogBase
Contains all the logs dumped for the TouchID component.
TemplateList.cat
• Located at /private/var/root/Library/Catacomb/TemplateList.cat
• It is the template that contains all the information about the fingerprints added to the system.
• Some information is readable, but the most interesting part is Base64 encoded and encrypted (?)
Gotta Catch ’em all!
• decodeCatacombDataV1
• pullDebugImageData
• pullImageMetadata
• pullMatchTopologyData
• setAppleMesaSEPLoggingLevel
• getData / readBinary / getApplications / getCertificates
• decodeRootSecurityDomainResponse / dumpAppData
LA Security
• LocalAuthentication: trust the OS.
• Keychain: trust the Secure Enclave.
No direct access to the Secure Enclave. No access to registered fingers. No access to the fingerprint image.
LocalAuthentication API
• Shared Libraries: check with otool whether LocalAuthentication.framework is present.
• canEvaluatePolicy: preflights an authentication policy to see if it’s possible for authentication to succeed.
• evaluatePolicy: evaluates the specified policy; a block receives the boolean result.
• Policy: LAPolicyDeviceOwnerAuthenticationWithBiometrics. No passcode authentication; fallback to the application’s own password entry UI.
TouchID Authentication
- (void)evaluatePolicy {
    LAContext *context = [[LAContext alloc] init];
    __block NSString *msg;

    // show the authentication UI with our reason string
    [context evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
            localizedReason:NSLocalizedString(@"8=====D~", nil)
                      reply:^(BOOL success, NSError *authenticationError) {
        if (success) {
            msg = [NSString stringWithFormat:NSLocalizedString(@"EVALUATE_POLICY_SUCCESS", nil)];
        } else {
            msg = [NSString stringWithFormat:NSLocalizedString(@"EVALUATE_POLICY_WITH_ERROR", nil),
                   authenticationError.localizedDescription];
        }
        [self printResult:self.textView message:msg];
    }];
}
Tango Down
carapene:~ root# cycript -p PID
cy# @import com.saurik.substrate.MS
cy# var oldm = {}
cy# MS.hookMessage(LAContext, @selector(evaluatePolicy:localizedReason:reply:),
cy>     function(policy, reason, block) {   // `this` is the LAContext; the parameters are the selector's arguments
cy>         block(YES, nil);                // the app's reply block sees success, no Touch ID prompt involved
cy>     }, oldm);
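As an added example (not code from the talk), the Keychain-ACL pattern the conclusions recommend over a bare LAContext check: the secret is bound to an access control object requiring user presence, so the decision to release it is made by the keychain on the Secure Enclave side rather than in the `if (success)` branch the hook above short-circuits. Service and account names are hypothetical.

```objectivec
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Added example, not from the talk: a secret stored behind a Keychain ACL that requires user
// presence. A hook on LAContext -evaluatePolicy:localizedReason:reply: inside the app process
// does not affect this path, because SecItemCopyMatching itself refuses to return the data.
// Service and account names are hypothetical.

static NSString * const kService = @"com.example.vault";   // hypothetical
static NSString * const kAccount = @"session-token";       // hypothetical

static NSDictionary *BaseQuery(void) {
    return @{ (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
              (__bridge id)kSecAttrService: kService,
              (__bridge id)kSecAttrAccount: kAccount };
}

// Stores `secret` so it can only be read after Touch ID (or passcode), on this device only.
OSStatus StoreProtectedSecret(NSData *secret) {
    CFErrorRef err = NULL;
    SecAccessControlRef acl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,   // item is wiped if the passcode is removed
        kSecAccessControlUserPresence,                     // Touch ID, with passcode fallback
        &err);
    if (acl == NULL) { if (err) CFRelease(err); return errSecParam; }

    NSMutableDictionary *attrs = [BaseQuery() mutableCopy];
    attrs[(__bridge id)kSecValueData] = secret;
    attrs[(__bridge id)kSecAttrAccessControl] = (__bridge id)acl;
    attrs[(__bridge id)kSecUseNoAuthenticationUI] = @YES;  // iOS 8: adding must never prompt

    SecItemDelete((__bridge CFDictionaryRef)BaseQuery());  // replace any earlier copy
    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)attrs, NULL);
    CFRelease(acl);
    return status;
}

// Reads the secret back. The system presents the Touch ID sheet itself and returns
// errSecAuthFailed or errSecUserCanceled (with no data) when the user is not verified.
NSData *ReadProtectedSecret(NSString *prompt, OSStatus *status) {
    NSMutableDictionary *query = [BaseQuery() mutableCopy];
    query[(__bridge id)kSecReturnData] = @YES;
    query[(__bridge id)kSecUseOperationPrompt] = prompt;   // reason shown in the sheet
    CFTypeRef result = NULL;
    *status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    return (*status == errSecSuccess) ? (__bridge_transfer NSData *)result : nil;
}

// Usage from an app (hypothetical): store once, then gate each use on the keychain read.
void Demo(void) {
    NSData *secret = [@"constructed-session-token" dataUsingEncoding:NSUTF8StringEncoding];
    OSStatus st = StoreProtectedSecret(secret);
    NSLog(@"store: %d", (int)st);
    NSData *out = ReadProtectedSecret(@"Confirm to use the stored token", &st);
    if (out == nil)
        NSLog(@"read refused: %d", (int)st);        // no secret ever reaches app memory
    else
        NSLog(@"read ok, %lu bytes", (unsigned long)out.length);
}
```

Unlike the LAContext flow, there is no boolean in the app for a runtime hook to flip: the only thing the app can observe is whether the keychain handed the bytes back.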
Conclusions
• The Apple Pay technology is pretty solid and well structured; maybe not all the statements made by Apple are true, but the global security deployed is robust.
• A jailbroken device is required to at least scratch the surface, and even with that, the information obtained is not highly sensitive.
• TouchID integration works better with Keychain ACLs; integration through LocalAuthentication.framework alone is not recommended to protect your assets.
Thank You
Special thanks to @abelenko, @trufae (pancake), @revskills (F. Alonso) and J. Levin (@technologeeks)
Sebas Guerrero
@0xroot
sguerrero@nowsecure.com