Demystifying Apple "Pie" & TouchID
Disclaimer
• Apple Pay research is work in progress.
• Yes, a jailbroken device is required.
• No 0-day vulnerabilities in this talk.
• This talk is about Apple Pay internals and the TouchID implementation.
Download the slides from:
twitter.com/0xroot
Agenda
•Part I: Introduction to Apple Pay.
•Part II: Demystifying Apple Pay.
•Part III: Messing with runtime.
•Part IV: TouchID implementation caveats.
whoami
Sebas Guerrero (@0xroot)
Sr. Mobile Security Analyst at NowSecure
https://github.com/0xroot
sguerrero@nowsecure.com
Introduction to Apple Pay
What is Apple Pay?
“Mobile payments service and digital wallet app that
uses NFC to initiate secure payment transactions
between contactless payment terminals and Apple
iOS devices.”
How can I use it?
• Pay in-store: tap the phone against a contactless POS and place a finger on the TouchID sensor.
• Pay in mobile apps: pay for items within mobile apps that support Apple Pay.
SE & HCE
• Secure Element (SE): a tamper-resistant platform capable of securely hosting applications and their confidential and cryptographic data in accordance with a defined set of rules and security requirements. In practice it is a chip that offers an isolated environment in which data can be stored securely.
• Host Card Emulation (HCE): assumes that any data stored on the handset is vulnerable and therefore keeps sensitive data in host ('cloud') databases managed to a high security standard. Preventing unauthorized access then rests on four pillars: limited-use keys, tokens, device fingerprinting and transaction risk analysis.
Demystifying Apple Pay
What composes Apple Pay?
• Secure Enclave & TouchID
• Apple Pay servers
• Passbook
• Secure Element
• NFC controller
What is stored in the SE?
"Every time a consumer adds a credit card to the Passbook application, the real payment credentials (PAN, expiration date, CVV, etc.) are not stored in the SE. Apple Pay instead stores a token and some associated data inside the SE."
What is the token used?
"A token can be thought of as a fake credit card number, which is de-tokenized before being passed on to the issuer for authorization. In classic acquirer tokenization the acquirer is responsible for tokenization and de-tokenization; Apple Pay, however, follows the EMVCo payment tokenisation standard, in which the payment network is the one that performs de-tokenization."
How are the tokens provided?
Customer → Apple Pay (device) → Apple Pay servers → Issuer bank / Token Service Provider → Secure Element
- The card details (PAN / Exp. Date / CVV) travel from the customer through Apple Pay and the Apple Pay servers to the issuer bank and its Token Service Provider.
- What comes back is a Token / Token-key / cvv-key, and that is what gets provisioned into the Secure Element in place of the card details.
- token-key will be used to generate a dynamic cryptogram.
- cvv-key will be used to generate a dynamic security code.
Payment token format
PKPaymentToken object:
  • Transaction ID
  • Payment network
  • PaymentToken data
      • Signature
      • Header
      • Encrypted payment data (amount, cardholder name, ...)
  • Payment processing data
Top-level structure
Key       | Value                                                  | Description
----------|--------------------------------------------------------|-------------------------------------------------------------
data      | Payment data dictionary, Base64 encoded as a string    | Encrypted payment data
header    | Header dictionary                                      | Additional information used to decrypt and verify the payment
signature | Detached PKCS #7 signature, Base64 encoded as a string | Signature of the payment and header data
version   | String                                                 | Version information about the payment token
Payment token format
Payment data keys
Key                             | Value                   | Description
--------------------------------|-------------------------|-----------------------------------------------------------------------
applicationPrimaryAccountNumber | string                  | Device-specific account number of the card that funds this transaction
applicationExpirationDate       | date (string)           | Card expiration date in the format YYMMDD
currencyCode                    | string                  | ISO 4217 numeric currency code
transactionAmount               | number                  | Transaction amount
cardholderName                  | string                  | Cardholder name
deviceManufacturerIdentifier    | string                  | Hex-encoded device manufacturer identifier
paymentDataType                 | string                  | Either '3DSecure' or 'EMV'
paymentData                     | payment data dictionary | Detailed payment data
Intercepting payment operations
"According to the EMV standard, during a payment operation sensitive information such as the cardholder name, card number, expiration date and CVV is transmitted."
proxmark3> hf 14a list
Recorded Activity
Start     | End       | Src | Data
----------|-----------|-----|------
0         | 992       | Rdr | 52
298272    | 299264    | Rdr | 52
596560    | 597552    | Rdr | 52
894832    | 895824    | Rdr | 52
1193120   | 1194112   | Rdr | 52
1491392   | 1492384   | Rdr | 52
1789680   | 1790672   | Rdr | 52
2087952   | 2088944   | Rdr | 52
2386240   | 2387232   | Rdr | 52
2684496   | 2685488   | Rdr | 52
2982800   | 2983792   | Rdr | 52
3281088   | 3282080   | Rdr | 52
3579360   | 3580352   | Rdr | 52
…
Every frame in the part of the capture shown comes from the reader (Rdr) and is 52, the ISO/IEC 14443-A WUPA poll, repeated roughly every 298,000 ticks; no Tag frame appears, so in this excerpt nothing answered the reader.
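Reading a proxmark3 trace by eye is easy to get wrong, so here is a small parser for the `hf 14a list` output above. This is an added example written for this page, not code from the talk: the sample trace is the one printed on the slide, the command table is the standard ISO/IEC 14443-3 Type A one, and the verdict wording is this snippet's own. It answers the three questions a practitioner asks of such a capture: what did the reader send, did any card answer, and did the session reach ISO-DEP (the point from which EMV APDUs would be visible).

```python
"""Summarise a proxmark3 'hf 14a list' capture: which ISO/IEC 14443-A commands
the reader sent, whether any card answered, and whether the session ever reached
ISO-DEP (where EMV APDUs would be exchanged).

Added example for this page, not from the talk. SAMPLE_TRACE is the capture
printed on the slide; the command table is the standard one, the verdict wording
is this snippet's own."""
import re

SAMPLE_TRACE = """\
Recorded Activity
Start | End | Src | Data
----------|-----------|-----|--------
0 | 992 | Rdr | 52
298272 | 299264 | Rdr | 52
596560 | 597552 | Rdr | 52
894832 | 895824 | Rdr | 52
1193120 | 1194112 | Rdr | 52
1491392 | 1492384 | Rdr | 52
1789680 | 1790672 | Rdr | 52
2087952 | 2088944 | Rdr | 52
2386240 | 2387232 | Rdr | 52
2684496 | 2685488 | Rdr | 52
2982800 | 2983792 | Rdr | 52
3281088 | 3282080 | Rdr | 52
3579360 | 3580352 | Rdr | 52
"""

# One captured frame: start | end | Rdr/Tag | hex bytes separated by spaces.
ROW = re.compile(r"^\s*(\d+)\s*\|\s*(\d+)\s*\|\s*(Rdr|Tag)\s*\|\s*([0-9A-Fa-f]{2}(?:\s+[0-9A-Fa-f]{2})*)\s*$")

# First byte of a reader frame -> ISO/IEC 14443-3 Type A command.
READER_COMMANDS = {
    0x26: "REQA",    # poll cards in IDLE state
    0x52: "WUPA",    # poll cards in IDLE or HALT state
    0x93: "ANTICOLLISION/SELECT CL1",
    0x95: "ANTICOLLISION/SELECT CL2",
    0x97: "ANTICOLLISION/SELECT CL3",
    0x50: "HLTA",
    0xE0: "RATS",    # request ATS: switches to ISO-DEP, after which APDUs flow
}


def parse_trace(text):
    """One dict per captured frame; header and separator lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            start, end, src, data = m.groups()
            rows.append({"start": int(start), "end": int(end), "src": src,
                         "data": bytes.fromhex(data.replace(" ", ""))})
    return rows


def summarize(rows):
    """Counts per reader command, tag frame count, mean poll spacing and the two
    facts that decide whether an EMV exchange can be in the trace at all."""
    reader = [r for r in rows if r["src"] == "Rdr"]
    tag = [r for r in rows if r["src"] == "Tag"]
    commands = {}
    for r in reader:
        name = READER_COMMANDS.get(r["data"][0], f"0x{r['data'][0]:02x}")
        commands[name] = commands.get(name, 0) + 1
    starts = [r["start"] for r in reader]
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    return {
        "reader_frames": len(reader),
        "tag_frames": len(tag),
        "reader_commands": commands,
        "poll_interval_ticks": round(sum(gaps) / len(gaps)) if gaps else None,
        "talked_to_tag": bool(tag),
        "reached_iso_dep": bool(tag) and any(r["data"][0] == 0xE0 for r in reader),
    }


def verdict(summary):
    """What the capture actually proves, so a trace like the slide's is not read as an interception."""
    polls = summary["reader_commands"].get("WUPA", 0) + summary["reader_commands"].get("REQA", 0)
    if not summary["talked_to_tag"]:
        return f"no card answered: the reader polled {polls} times and captured nothing else"
    if not summary["reached_iso_dep"]:
        return "a card answered anticollision but no RATS was sent: no ISO-DEP, so no EMV APDUs here"
    return "ISO-DEP established: EMV APDUs (SELECT PPSE onwards) follow in the trace"


if __name__ == "__main__":
    s = summarize(parse_trace(SAMPLE_TRACE))
    print(s)
    print(verdict(s))
```

On the slide's capture this reports thirteen WUPA polls, zero Tag frames and the first verdict; only a trace with Tag frames and a RATS can contain the EMV data the quote talks about, and even then the PAN seen is the token, not the card number.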
Token de-tokenization
Payment token (the PaymentToken data from the table above):
{
    "data": "2DzU9u6byIY4qCs3lW4KgK3JWC6Ac+x…..……WkFco=",
    "header": {
        "ephemeralPublicKey": "MFkwEwYHKoZIzj0…………bA==",
        "publicKeyHash": "spzGX6upCJhx5UD8vCo1+LcIi7+fkxEUaVmhbX18cJM=",
        "transactionId": "79ccd07eb432f80067d8e5bbc4c38ee1def7fcc1827f6ba5b63bf47b283ebf89"
    },
    "signature": "MIAGCSqGSIb3DQEHAqtNGjj9I………….AAAAAAAA=",
    "version": "EC_v1"
}
The payment data once decrypted:
{
    "applicationExpirationDate": "190131",
    "applicationPrimaryAccountNumber": "370295XXXXX5435",
    "currencyCode": "840",
    "deviceManufacturerIdentifier": "XXXXXXXXXX",
    "paymentData": {
        "emvData": "nycBgJ82AgDCnyYIG2vuQydGkMafEA…….Lnvab4="
    },
    "paymentDataType": "EMV",
    "transactionAmount": 100
}
Github: applepay_crypto_demo
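The de-tokenization step itself, as an added example written for this page (it is not the talk's code and not applepay_crypto_demo): parse the EC_v1 structure shown above, confirm through header.publicKeyHash that the token was encrypted to our merchant key, derive the AES-256-GCM key the way Apple's Payment Token Format Reference specifies (ECDH shared secret into the NIST SP 800-56A concat KDF with Apple's fixed OtherInfo), and decrypt. The merchant identifier and the sample token are constructed; only the final ECDH/AES step needs the third-party `cryptography` package, everything else is standard library.

```python
"""Apple Pay EC_v1 payment token: parse it, check it was encrypted to our
merchant key, derive the AES-256-GCM key and decrypt the payment data.

Added example for this page, not code from the talk or from applepay_crypto_demo.
It follows Apple's published Payment Token Format Reference for EC_v1; the
merchant identifier and the sample token below are constructed for the demo.
"""
import base64
import hashlib
import json

AES_GCM_TAG_LEN = 16
AES_GCM_IV = b"\x00" * 16                    # Apple: 16 zero bytes, no additional data
ALGORITHM_ID = b"\x0d" + b"id-aes256-GCM"    # length byte + ASCII algorithm name
PARTY_U_INFO = b"Apple"

# Constructed sample in the exact shape shown on the slide; contents are fake.
SAMPLE_MERCHANT_SPKI = b"constructed merchant SubjectPublicKeyInfo DER"
SAMPLE_TOKEN = json.dumps({
    "data": base64.b64encode(b"\xaa" * 32 + b"\xbb" * 16).decode(),   # ciphertext || tag
    "header": {
        "ephemeralPublicKey": base64.b64encode(b"constructed ephemeral SPKI DER").decode(),
        "publicKeyHash": base64.b64encode(hashlib.sha256(SAMPLE_MERCHANT_SPKI).digest()).decode(),
        "transactionId": "79ccd07eb432f80067d8e5bbc4c38ee1def7fcc1827f6ba5b63bf47b283ebf89",
    },
    "signature": base64.b64encode(b"constructed detached PKCS#7").decode(),
    "version": "EC_v1",
})


def token_problems(token_json):
    """Structural checks to run before touching any key; [] means the token
    has the EC_v1 layout from the slide."""
    try:
        token = json.loads(token_json)
    except ValueError as exc:
        return [f"not JSON: {exc}"]
    problems = []
    if token.get("version") != "EC_v1":
        problems.append(f"unsupported token version: {token.get('version')!r}")
    header = token.get("header") or {}
    problems += [f"header missing {k}" for k in ("ephemeralPublicKey", "publicKeyHash", "transactionId") if k not in header]
    problems += [f"missing {k}" for k in ("data", "signature") if k not in token]
    if "data" in token and len(base64.b64decode(token["data"])) <= AES_GCM_TAG_LEN:
        problems.append("data too short to hold ciphertext plus a GCM tag")
    return problems


def parse_token(token_json):
    """Decode the Base64 fields; the last 16 bytes of data are the GCM tag."""
    problems = token_problems(token_json)
    if problems:
        raise ValueError("; ".join(problems))
    token = json.loads(token_json)
    data = base64.b64decode(token["data"])
    return {
        "ciphertext": data[:-AES_GCM_TAG_LEN],
        "tag": data[-AES_GCM_TAG_LEN:],
        "ephemeral_public_key": base64.b64decode(token["header"]["ephemeralPublicKey"]),
        "public_key_hash": base64.b64decode(token["header"]["publicKeyHash"]),
        "transaction_id": token["header"]["transactionId"],
        # detached PKCS#7; verify it against Apple's root CA before trusting the data
        "signature": base64.b64decode(token["signature"]),
    }


def public_key_hash(merchant_spki_der):
    """SHA-256 of the merchant certificate's DER SubjectPublicKeyInfo: the value
    carried in header.publicKeyHash, so a server can pick the matching key."""
    return hashlib.sha256(merchant_spki_der).digest()


def targets_merchant_key(parsed, merchant_spki_der):
    return parsed["public_key_hash"] == public_key_hash(merchant_spki_der)


def other_info(merchant_id):
    """OtherInfo for the NIST SP 800-56A concat KDF as Apple specifies it:
    AlgorithmID || PartyUInfo || PartyVInfo, with PartyVInfo = SHA-256 of the
    merchant identifier (the same 32 bytes sit hex-encoded in the merchant
    certificate's 1.2.840.113635.100.6.32 extension)."""
    return ALGORITHM_ID + PARTY_U_INFO + hashlib.sha256(merchant_id.encode()).digest()


def derive_key(shared_secret, merchant_id):
    """Single KDF round: SHA-256(counter 1 || Z || OtherInfo) is the 256-bit AES key."""
    return hashlib.sha256(b"\x00\x00\x00\x01" + shared_secret + other_info(merchant_id)).digest()


def decrypt_payment_data(parsed, merchant_private_key, merchant_id):
    """ECDH(merchant key, ephemeral key) -> KDF -> AES-256-GCM. Only this step needs
    the third-party 'cryptography' package; everything above is standard library."""
    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.primitives.asymmetric import ec
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM

    ephemeral = serialization.load_der_public_key(parsed["ephemeral_public_key"])
    key = derive_key(merchant_private_key.exchange(ec.ECDH(), ephemeral), merchant_id)
    plaintext = AESGCM(key).decrypt(AES_GCM_IV, parsed["ciphertext"] + parsed["tag"], None)
    return json.loads(plaintext)   # the payment data dictionary shown on the slide


if __name__ == "__main__":
    parsed = parse_token(SAMPLE_TOKEN)
    print("problems:", token_problems(SAMPLE_TOKEN))
    print("for our merchant key:", targets_merchant_key(parsed, SAMPLE_MERCHANT_SPKI))
    print("kdf other_info:", other_info("merchant.com.example").hex())
```

Two checks the snippet deliberately leaves to an ASN.1/PKCS#7 library: the detached signature must verify over ephemeralPublicKey || data || transactionId (plus applicationData when present) against a chain ending in Apple's root CA, and its signing time should be recent, otherwise a replayed token decrypts just as happily as a fresh one.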
What happens in a payment?
"Each transaction is authorized with a one-time unique number using your Device Account Number and, instead of using the security code from the back of your card, Apple Pay creates a dynamic security code to securely validate each transaction."
- From the press release
The Device Account Number is the token, the one-time unique number is the dynamic cryptogram and the dynamic security code is the dynamic CVV.
Secure Enclave
• Part of the A7 and A8 chips, used for Touch ID. According to Apple, within the Secure Enclave the fingerprint data is stored in an encrypted form that can only be decrypted with a key available to the Secure Enclave, which walls the fingerprint data off from the rest of the A7/A8 chip.
• It is a flashable 4MB processor named the Secure Enclave Processor (SEP).
• It runs its own OS, called SEP OS, and there is a utility called SEPUtil that can be used to communicate with it.
• SEPUtil is contained in the ramdisk H7SURamDisk.dmg, located in /usr/standalone/update/ramdisk, under /usr/libexec.
• It is necessary to strip off the first 0x1b (27) bytes to make the DMG readable.
RootedCON
Secure Enclave
• We believe that all the information being stored in the Secure Enclave is erased once the device is turned off.
• Inside biometrickitd, at memory address 000000010001DD3C, we find a 'bl sub_10001376c' instruction. That routine is the one used to upload all the information to the Secure Enclave.
• Probably a good starting point to figure out how things work in the Secure Enclave.
Messing with runtime
TouchID
"Fingerprint recognition feature designed by Apple and available on the iPhone 5S, 6 and 6 Plus. Its purpose is to let users unlock their device, make purchases in the various Apple stores, and authenticate Apple Pay online or in apps."
TouchID process
1. Sense for a scannable object.
2. Scan the object.
3. Construct an input map based on the scan results.
4. Construct a lower-resolution input pattern.
5. Provide the input pattern and the template pattern.
6. Run match comparisons of the input pattern against the template pattern.
7. Provide the identities of the possible match results.
8. Run a match comparison of the input map against the possible match identities.
9. Provide the result.
What happens under the hood
• First obstacle: what is happening at filesystem level when the user interacts with the TouchID component and a new fingerprint is added to or removed from the system?
• Workaround: FileMon, the utility by J. Levin, on steroids thanks to pancake. It lets the user peek behind the scenes at what the iOS daemons are doing.
• Goal: obtain the binaries involved and the operations they perform when Apple Pay or the TouchID component is used.
Identifying binaries
• The SpringBoard framework binary generates some interesting images.
• The biometrickitd daemon creates and modifies the content of a file called TemplateList.cat:
[E] Error copying /tmp/_private_var_root_Library_Catacomb_TemplateList.cat.tmp
Overriding unlink
• Second obstacle: unlink() keeps us from copying the resource, since biometrickitd removes the file named by the path parameter right after writing it, before we can copy it.
• Workaround: override its implementation so that it records the path and always reports success without removing anything.
• Goal: obtain a copy of the files generated.
carapene:~ root# cycript -p PID
cy# @import com.saurik.substrate.MS
cy# // resolve libc's unlink() and give cycript its real C signature, int unlink(const char *path)
cy# unlink = dlsym(RTLD_DEFAULT, "unlink")
cy# unlink = @encode(int (const char *))(unlink)
cy# var oldu = {}
cy# var log = []
cy# // replacement: remember the path, return 0 (success) and leave the file in place
cy# MS.hookFunction(unlink, function(path) {
cy>     log.push(path.toString());
cy>     return 0;
cy> }, oldu)
dyld_shared_cache
• Third obstacle: since iPhoneOS 3.1 all default (private and public) libraries have been combined into one big cache file. All binaries and libraries from /System/Library/Frameworks and /System/Library/PrivateFrameworks now live in /System/Library/Caches/com.apple.dyld/dyld_shared_cache_armX.
• Workaround: use the jtool utility to extract a specific binary from the cache, or to dump all the binaries at once.
• Goal: access to all the binaries, and the ability to dump their classes/methods and reverse engineer them.
# extract a single image from the cache
jtool -extract UIKit path/to/dyld_shared_cache
# list every image in the cache, drop the columns before the name and the header lines, and extract each one
jtool -lv cache_armv7 | cut -c 24- | tail -n +5 | while read -r line; do jtool -extract "$line" cache_armv7; done
Put your seat-belt
• Fourth obstacle: the binary's entitlements name the sandbox profile 'seld' under 'seatbelt-profiles'. Seatbelt (the Sandbox kernel extension) uses that profile to restrict which features the process may use.
• Workaround: use the ldid utility to extract the entitlements, rename the 'seatbelt-profiles' key so that no profile is ever looked up, and re-sign the binary with the modified entitlements.
• Goal: the ability to attach cycript to the process, dump the information held in its variables and modify its behaviour at runtime.
Original entitlement:
<key>seatbelt-profiles</key>
<array>
<string>seld</string>
</array>
Modified entitlement (key spelled backwards, so the sandbox never applies the profile):
<key>tlebtaes-profiles</key>
<array>
<string>seld</string>
</array>
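The rename from the slide, done programmatically so it can be repeated on other daemons and checked. This is an added example written for this page, not the talk's code: it rewrites only the entitlements XML that `ldid -e <binary>` prints, and putting it back with `ldid -S<file> <binary>` stays in the shell. The sample entitlements are constructed around the seld fragment above; the application-identifier value is made up.

```python
"""Disable a binary's sandbox profile by renaming its seatbelt-profiles
entitlement, the trick shown on the slide, while keeping every other entitlement.

Added example for this page, not from the talk. Works on the XML that
`ldid -e <binary>` prints; re-signing with `ldid -S<file> <binary>` is left to
the shell. SAMPLE_ENTITLEMENTS is constructed; only the profile name is the slide's."""
import plistlib

SANDBOX_KEY = "seatbelt-profiles"
DECOY_KEY = "tlebtaes-profiles"   # the slide's choice: same value under a key the sandbox never looks up

# Constructed in the shape ldid -e prints; the identifier below is made up.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>com.example.seld</string>
    <key>seatbelt-profiles</key>
    <array>
        <string>seld</string>
    </array>
</dict>
</plist>
"""


def load_entitlements(xml_bytes):
    return plistlib.loads(xml_bytes)


def sandbox_profiles(entitlements):
    """Profiles the Sandbox kernel extension would apply to this binary."""
    return list(entitlements.get(SANDBOX_KEY, []))


def entitlement_state(xml_bytes):
    """'sandboxed', 'profile disabled' (already renamed) or 'no sandbox profile'."""
    ents = load_entitlements(xml_bytes)
    if sandbox_profiles(ents):
        return "sandboxed"
    if DECOY_KEY in ents:
        return "profile disabled"
    return "no sandbox profile"


def disable_sandbox_profile(xml_bytes):
    """Return the entitlements with seatbelt-profiles renamed so no profile is applied.
    Every other entitlement is kept in place, since the binary still needs them to run."""
    ents = load_entitlements(xml_bytes)
    if SANDBOX_KEY not in ents:
        raise KeyError(f"{SANDBOX_KEY} not present; nothing to disable")
    if DECOY_KEY in ents:
        raise ValueError(f"{DECOY_KEY} already present; these entitlements were modified before")
    renamed = {}
    for key, value in ents.items():      # preserve order, swap only the one key
        renamed[DECOY_KEY if key == SANDBOX_KEY else key] = value
    return plistlib.dumps(renamed, sort_keys=False)


if __name__ == "__main__":
    print(entitlement_state(SAMPLE_ENTITLEMENTS), sandbox_profiles(load_entitlements(SAMPLE_ENTITLEMENTS)))
    patched = disable_sandbox_profile(SAMPLE_ENTITLEMENTS)
    print(entitlement_state(patched))
    print(patched.decode())
```

The two refusals matter in practice: a binary without the key needs a different approach, and running the rename twice would silently produce a plist with the decoy key twice over, which plistlib would collapse to one.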
Thug Life
TouchID security
"The resulting map of nodes is stored without any identity information in an encrypted format that can only be read by the Secure Enclave, and is never sent to Apple or backed up to iCloud or iTunes."
Partially true
Enabling TouchID debug log
• The biometrickitd binary contains a string reference to '/var/mobile/Library/Logs/CrashReporter/BioLog'. That file is written by the class 'BioLog', which is disabled by default.
• To enable it, save the following 'com.apple.biometrickitd.plist' file under the '/Library/Managed Preferences/mobile/' path:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>debugLogEnabled</key>
<true/>
</dict>
</plist>
Binaries & methods
• iOS 8.0 headers available at: http://developer.limneos.net/
• Most interesting binaries:
  • Biometric operations: BiometricKit.framework, biometrickitd, Preferences.app
  • NFC controller: nfcd, NearField.framework, libnfshared.dylib, PN548_HA L.dylib, PN548_API.dylib, PN548.dylib
  • Secure Enclave: seld, seputil binary (https://theiphonewiki.com/wiki/Seputil)
BiometricKitIdentity: represents the enrolled fingerprints on the device. Properties for the user-defined name and the UUID are available.
BLTemplateList: retrieves the template associated with each identity enrolled on the device.
TemplateInfo: retrieves the information associated with each template that represents a fingerprint.
BioLogBase: contains all the logs dumped for the TouchID component.
BiometricKitXPCServer
TemplateList.cat
• Located at /private/var/root/Library/Catacomb/TemplateList.cat
• It is the template catalogue that holds all the information about the fingerprints added to the system.
• Some of the information is readable, but the most interesting part is Base64 encoded and, as far as we can tell, encrypted.
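"Encoded and, as far as we can tell, encrypted" is the kind of claim that deserves a measurement. As an added example for this page (not the talk's code), the scanner below pulls Base64 runs out of a catalogue-like file, decodes each, and uses byte entropy plus a couple of known headers to separate Base64 that merely wraps readable or structured data from Base64 whose contents are opaque. The real TemplateList.cat is not reproduced on the slides, so SAMPLE_CATALOGUE is a constructed stand-in, and the entropy threshold and minimum blob size are heuristics chosen here.

```python
"""Sort a catalogue file like TemplateList.cat into readable text, Base64 that
merely wraps readable or structured data, and Base64 whose decoded bytes look
encrypted (or compressed): close to 8 bits of entropy per byte and no known header.

Added example for this page, not from the talk. The real TemplateList.cat is not
reproduced on the slides, so SAMPLE_CATALOGUE is a constructed stand-in; the
entropy threshold and minimum size are heuristics chosen here."""
import base64
import binascii
import hashlib
import math
import re
from collections import Counter

B64_RUN = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")
HIGH_ENTROPY_BITS = 7.0       # heuristic; 8.0 is the maximum for bytes
MIN_BLOB_FOR_ENTROPY = 128    # shorter blobs give a meaningless estimate

# Deterministic stand-in for ciphertext: 1024 bytes of SHA-256 output.
OPAQUE = b"".join(hashlib.sha256(b"catacomb" + bytes([i])).digest() for i in range(32))

SAMPLE_CATALOGUE = (
    b"TemplateListCatalogueRecord\n" +                                   # 27 letters: looks like Base64, is not
    b"name=" + base64.b64encode(b"Template v1; finger=index") + b"\n" +  # Base64 over plain text
    b"map=" + base64.b64encode(b"\x00\x01" * 200) + b"\n" +              # Base64 over repetitive binary
    b"meta=" + base64.b64encode(b"bplist00" + b"\x00" * 24) + b"\n" +    # Base64 over a binary plist
    b"template=" + base64.b64encode(OPAQUE) + b"\n"                      # Base64 over high-entropy bytes
)


def shannon_entropy(data):
    """Bits per byte, 0.0 for empty or single-valued input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(decoded):
    if decoded.startswith(b"bplist00"):
        return "bplist"          # Apple binary plist: encoded, not encrypted
    if all(32 <= b < 127 or b in (9, 10, 13) for b in decoded):
        return "text"            # Base64 was only hiding readable text
    if len(decoded) >= MIN_BLOB_FOR_ENTROPY and shannon_entropy(decoded) >= HIGH_ENTROPY_BITS:
        return "high-entropy"    # encrypted or compressed; entropy alone cannot tell which
    return "binary"              # structured binary: worth a hex dump and a magic-number check


def scan(blob):
    """Every Base64-looking run in the file with its offset, length, kind and entropy."""
    findings = []
    for m in B64_RUN.finditer(blob):
        run = m.group(0)
        try:
            decoded = base64.b64decode(run, validate=True)
        except (binascii.Error, ValueError):
            # alphabet matched but the length/padding did not: an identifier, not Base64
            findings.append({"offset": m.start(), "length": len(run), "kind": "not-base64", "entropy": None})
            continue
        findings.append({"offset": m.start(), "length": len(run), "kind": classify(decoded),
                         "entropy": round(shannon_entropy(decoded), 2)})
    return findings


def summarize(findings):
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    for f in scan(SAMPLE_CATALOGUE):
        print(f)
    print(summarize(scan(SAMPLE_CATALOGUE)))
```

Two caveats worth keeping in mind when this is run on the real file: high entropy only says "opaque", so a compressed blob scores the same as an encrypted one, and an identifier whose length happens to be a multiple of four (28 letters, say) decodes to garbage and is reported as "binary" rather than "not-base64".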
Gotta Catch 'em all!
• decodeCatacombDataV1
• pullDebugImageData
• pullImageMetadata
• pullMatchTopologyData
• setAppleMesaSEPLoggingLevel
• getData / readBinary / getApplications / getCertificates
• decodeRootSecurityDomainResponse / dumpAppData
TouchID implementation caveats
LocalAuthentication
Application → LocalAuthentication → TouchID → credential management
(user space | operating system | Secure Enclave)
LA security
• LocalAuthentication: you trust the OS.
• Keychain: you trust the Secure Enclave.
• Either way the application gets no direct access to the Secure Enclave, no access to the registered fingers and no access to the fingerprint image.
• Shared libraries: check with otool whether LocalAuthentication.framework is linked.
• canEvaluatePolicy: preflights an authentication policy to see whether authentication can succeed.
• evaluatePolicy: evaluates the specified policy; the verdict is delivered as a boolean to a reply block that runs inside the application's own process.
• Policy LAPolicyDeviceOwnerAuthenticationWithBiometrics: no passcode authentication; the fallback is the application's own password entry UI.
LocalAuthentication API
TouchID authentication
#import <LocalAuthentication/LocalAuthentication.h>

- (void)evaluatePolicy
{
    LAContext *context = [[LAContext alloc] init];
    __block NSString *msg;
    // show the authentication UI with our reason string
    [context evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
            localizedReason:NSLocalizedString(@"8=====D~", nil)
                      reply:^(BOOL success, NSError *authenticationError) {
        // the verdict arrives as a plain BOOL inside the app process: anything that can run
        // code here (cycript, a patched binary) can hand us success == YES without a finger
        if (success) {
            msg = [NSString stringWithFormat:NSLocalizedString(@"EVALUATE_POLICY_SUCCESS", nil)];
        } else {
            msg = [NSString stringWithFormat:NSLocalizedString(@"EVALUATE_POLICY_WITH_ERROR", nil), authenticationError.localizedDescription];
        }
        [self printResult:self.textView message:msg];
    }];
}
Tango Down
carapene:~ root# cycript -p PID
cy# @import com.saurik.substrate.MS
cy# var oldm = {}
cy# // replace -[LAContext evaluatePolicy:localizedReason:reply:]. The replacement receives the
cy# // method's arguments (policy, reason, reply block); it never shows the TouchID prompt and
cy# // simply calls the app's reply block with success = YES
cy# MS.hookMessage(LAContext, @selector(evaluatePolicy:localizedReason:reply:),
cy>     function(policy, reason, reply) { reply(YES, nil); }, oldm);
Demo #1
What's out there?
Tampering the binary
NOP ALL THE THINGS
Demo #2
It's Magic
Conclusions
• Apple Pay is pretty solid and well structured; maybe not all the statements made by Apple are true, but the overall security deployed is robust.
• A jailbroken device is required to even scratch the surface, and even then the information obtained is not highly sensitive.
• TouchID integration works better with Keychain ACLs (items created with SecAccessControlCreateWithFlags and kSecAccessControlUserPresence, released only after the Secure Enclave confirms the match); integration through LocalAuthentication.framework alone is not recommended to protect your assets.
Thank You
Special thanks to @abelenko, @trufae (pancake), @revskills (F. Alonso) and J. Levin (@technologeeks)
Sebas Guerrero
@0xroot
sguerrero@nowsecure.com

Application of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptxApplication of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptx
 
Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.
 
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
 
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube ExchangerStudy on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
 
Piping Basic stress analysis by engineering
Piping Basic stress analysis by engineeringPiping Basic stress analysis by engineering
Piping Basic stress analysis by engineering
 
young call girls in Green Park🔝 9953056974 🔝 escort Service
young call girls in Green Park🔝 9953056974 🔝 escort Serviceyoung call girls in Green Park🔝 9953056974 🔝 escort Service
young call girls in Green Park🔝 9953056974 🔝 escort Service
 
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
 
POWER SYSTEMS-1 Complete notes examples
POWER SYSTEMS-1 Complete notes  examplesPOWER SYSTEMS-1 Complete notes  examples
POWER SYSTEMS-1 Complete notes examples
 
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
 
Call Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call GirlsCall Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call Girls
 
8251 universal synchronous asynchronous receiver transmitter
8251 universal synchronous asynchronous receiver transmitter8251 universal synchronous asynchronous receiver transmitter
8251 universal synchronous asynchronous receiver transmitter
 
computer application and construction management
computer application and construction managementcomputer application and construction management
computer application and construction management
 
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETEINFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
 
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort serviceGurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
 
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AI
 
An experimental study in using natural admixture as an alternative for chemic...
An experimental study in using natural admixture as an alternative for chemic...An experimental study in using natural admixture as an alternative for chemic...
An experimental study in using natural admixture as an alternative for chemic...
 
Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...
 
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsyncWhy does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
 

Demystifying Apple Pay and TouchID Implementation

  • 2. Disclaimer
    • Apple Pay research is work in progress.
    • Yes, a jailbroken device is required.
    • No 0-day vulnerabilities in this talk.
    • This talk is about Apple Pay internals and TouchID implementation.
    Download the slides from: twitter.com/0xroot
  • 3. Agenda
    • Part I: Introduction to Apple Pay.
    • Part II: Demystifying Apple Pay.
    • Part III: Messing with runtime.
    • Part IV: TouchID implementation caveats.
  • 4. whoami
    Sebas Guerrero (@0xroot)
    Sr. Mobile Security Analyst at NowSecure
    https://github.com/0xroot
    sguerrero@nowsecure.com
  • 6. What is Apple Pay?
    “Mobile payments service and digital wallet app that uses NFC to initiate secure payment transactions between contactless payment terminals and Apple iOS devices.”
  • 7. How can I use it?
    • Pay in-store: purchase by just tapping the phone against a contactless POS and placing the finger on the TouchID sensor.
    • Pay in mobile apps: pay for items within mobile apps that support Apple Pay.
  • 8. SE & HCE
    • Secure Element (SE) - Tamper-resistant platform capable of securely hosting applications and their confidential and cryptographic data in accordance with the rules and security requirements. It can be considered a chip that offers a dynamic environment to store data securely.
    • Host Card Emulation (HCE) - Assumes that any data stored on a handset is vulnerable and therefore restricts the storage of sensitive data to host or ‘cloud’ databases, managed to a high security standard. Preventing unauthorized access depends on four pillars: limited-use keys, tokens, device fingerprinting and transaction risk analysis.
  • 11. What is stored in the SE?
    “Every time a consumer adds a credit card to the Passbook application, the real payment credentials like the PAN, Expiration Date, CVV, etc. are not stored into the SE. Apple Pay instead stores a token and some associated data inside the SE.”
  • 12. What is the token used?
    “We can consider a token a fake credit card number, which is de-tokenized before being transmitted on to the Issuer for authorization. Normally the Acquirer is the one responsible for tokenization and de-tokenization. Apple Pay, however, uses the standard created by EMVCo, in which the payment network is the one that performs de-tokenization.”
  • 13. How are the tokens provided?
    Flow diagram, participants: Customer, Apple Pay, Apple Pay Servers, Issuer Bank, Token Service Provider, Secure Element.
    Data exchanged along the flow, in order: Credit card; PAN / Exp. Date / CVV; PAN / Exp. Date / CVV; Token / Token-key; PAN / Exp. Date / CVV; Token / Token-key / cvv-key; Token / Token-key / cvv-key.
    - token-key will be used to generate a dynamic cryptogram
    - cvv-key will be used to generate a dynamic security code
  • 14. Payment token format
    PKPaymentToken object (diagram): Transaction ID, Payment Network, PaymentToken Data (Signature, Header, Encrypted Payment Data: Amount, Cardholder name, ...), Payment Processing Data.
    Top-Level Structure:
    Key       | Value                                                | Description
    ----------|------------------------------------------------------|----------------------------------------------------------------
    data      | Payment data dictionary, Base64 encoded as string    | Encrypted Payment Data
    header    | Header dictionary                                    | Additional information used to decrypt and verify the payment.
    signature | Detached PKCS #7 signature, Base64 encoded as string | Signature of the payment and header data.
    version   | String                                               | Version information about the payment token.
  • 15. Payment token format
    Payment Data Keys:
    Key                             | Value                   | Description
    --------------------------------|-------------------------|-------------------------------------------------------------------------
    applicationPrimaryAccountNumber | string                  | Device-specific account number of the card that funds this transaction.
    applicationExpirationDate       | date (string)           | Card expiration date in the format YYMMDD.
    currencyCode                    | string                  | ISO 4217 numeric currency code.
    transactionAmount               | number                  | Transaction amount.
    cardholderName                  | string                  | Cardholder name.
    deviceManufacturerIdentifier    | string                  | Hex-encoded device manufacturer identifier.
    paymentDataType                 | string                  | Either ‘3DSecure’ or ‘EMV’.
    paymentData                     | payment data dictionary | Detailed payment data
  • 16. Intercepting payment operations
    “According to the EMV standard, during a payment operation, sensitive information like card-holder name, credit card number, expiration date and CVV are transmitted.”
    proxmark3> hf 14a list
    Recorded Activity
    Start      | End        | Src | Data
    -----------|------------|-----|--------
             0 |        992 | Rdr | 52
        298272 |     299264 | Rdr | 52
        596560 |     597552 | Rdr | 52
        894832 |     895824 | Rdr | 52
       1193120 |    1194112 | Rdr | 52
       1491392 |    1492384 | Rdr | 52
       1789680 |    1790672 | Rdr | 52
       2087952 |    2088944 | Rdr | 52
       2386240 |    2387232 | Rdr | 52
       2684496 |    2685488 | Rdr | 52
       2982800 |    2983792 | Rdr | 52
       3281088 |    3282080 | Rdr | 52
       3579360 |    3580352 | Rdr | 52
    …
  • 17. Token de-tokenization
    {
      "data": "2DzU9u6byIY4qCs3lW4KgK3JWC6Ac+x…..……WkFco=",
      "header": {
        "ephemeralPublicKey": "MFkwEwYHKoZIzj0…………bA==",
        "publicKeyHash": "spzGX6upCJhx5UD8vCo1+LcIi7+fkxEUaVmhbX18cJM=",
        "transactionId": "79ccd07eb432f80067d8e5bbc4c38ee1def7fcc1827f6ba5b63bf47b283ebf89"
      },
      "signature": "MIAGCSqGSIb3DQEHAqtNGjj9I………….AAAAAAAA=",
      "version": "EC_v1"
    }
    {
      "applicationExpirationDate": "190131",
      "applicationPrimaryAccountNumber": "370295XXXXX5435",
      "currencyCode": "840",
      "deviceManufacturerIdentifier": "XXXXXXXXXX",
      "paymentData": {
        "emvData": "nycBgJ82AgDCnyYIG2vuQydGkMafEA…….Lnvab4="
      },
      "paymentDataType": "EMV",
      "transactionAmount": 100
    }
    Github: applepay_crypto_demo
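The token layout on slides 14, 15 and 17 can be checked mechanically before anything is forwarded to the payment processor, and the header's publicKeyHash tells a server which merchant key decrypts the data field. The following is an added example written for this page; it is not code from the talk or from the applepay_crypto_demo repository. It assumes a constructed sample token whose Base64 payloads are placeholders (only the transactionId is the one shown on slide 17) and a constructed stand-in for the merchant certificate's public key bytes; the publicKeyHash definition (Base64 SHA-256 of the merchant certificate's X.509-encoded public key) comes from Apple's payment token format documentation, not from the slides.

```objectivec
// Added example, not code from the talk: a shape check of the PKPaymentToken
// JSON (slides 14, 15 and 17) before it is forwarded to the payment processor.
// The merchant private key that decrypts "data" belongs on the server, so the
// app side only verifies structure; PublicKeyHashMatches is the server-side
// step that selects the right merchant key.
// Build: clang -fobjc-arc -framework Foundation applepay_token_check.m
#import <Foundation/Foundation.h>
#import <CommonCrypto/CommonDigest.h>

static NSError *TokenError(NSString *why) {
    return [NSError errorWithDomain:@"ApplePayTokenCheck" code:1
                           userInfo:@{NSLocalizedDescriptionKey: why}];
}

// Strict Base64 check: NSData returns nil for anything that is not valid Base64.
static NSData *Base64Bytes(id value) {
    if (![value isKindOfClass:[NSString class]] || [value length] == 0) return nil;
    return [[NSData alloc] initWithBase64EncodedString:value options:0];
}

static BOOL IsHex(id value, NSUInteger length) {
    if (![value isKindOfClass:[NSString class]] || [value length] != length) return NO;
    NSCharacterSet *notHex = [[NSCharacterSet
        characterSetWithCharactersInString:@"0123456789abcdefABCDEF"] invertedSet];
    return [value rangeOfCharacterFromSet:notHex].location == NSNotFound;
}

static NSString *Sha256Base64(NSData *bytes) {
    unsigned char digest[CC_SHA256_DIGEST_LENGTH];
    CC_SHA256(bytes.bytes, (CC_LONG)bytes.length, digest);
    return [[NSData dataWithBytes:digest length:sizeof digest] base64EncodedStringWithOptions:0];
}

// Returns the parsed token when it has the EC_v1 shape, otherwise nil with *error set.
static NSDictionary *CheckApplePayToken(NSData *paymentData, NSError **error) {
    id token = [NSJSONSerialization JSONObjectWithData:paymentData options:0 error:error];
    if (![token isKindOfClass:[NSDictionary class]]) {
        if (error && !*error) *error = TokenError(@"token is not a JSON object");
        return nil;
    }
    id header = token[@"header"];
    NSString *why = nil;
    if (![token[@"version"] isEqual:@"EC_v1"])               why = @"unsupported version";
    else if (!Base64Bytes(token[@"data"]))                    why = @"data is not Base64";
    else if (!Base64Bytes(token[@"signature"]))               why = @"signature is not Base64";
    else if (![header isKindOfClass:[NSDictionary class]])    why = @"header missing";
    else if (!Base64Bytes(header[@"ephemeralPublicKey"]))     why = @"ephemeralPublicKey is not Base64";
    else if ([Base64Bytes(header[@"publicKeyHash"]) length] != CC_SHA256_DIGEST_LENGTH)
                                                               why = @"publicKeyHash is not a Base64 SHA-256";
    else if (!IsHex(header[@"transactionId"], 64))            why = @"transactionId is not 64 hex chars";
    if (why) { if (error) *error = TokenError(why); return nil; }
    return token;
}

// Server side: header.publicKeyHash is the Base64 SHA-256 of the merchant
// certificate's X.509-encoded public key (per Apple's token format docs), so a
// server holding several merchant keys uses it to pick the one that decrypts
// "data". merchantPublicKey is those DER bytes (a constructed stand-in below).
static BOOL PublicKeyHashMatches(NSDictionary *token, NSData *merchantPublicKey) {
    return [Sha256Base64(merchantPublicKey) isEqualToString:token[@"header"][@"publicKeyHash"]];
}

int main(void) {
    @autoreleasepool {
        // Constructed stand-in for the merchant certificate's public key bytes.
        NSData *merchantKey = [@"placeholder-merchant-spki-der" dataUsingEncoding:NSUTF8StringEncoding];
        // Constructed token: slide 17's layout with placeholder Base64 payloads
        // and the transactionId shown on that slide.
        NSString *json = [NSString stringWithFormat:
            @"{\"data\":\"AAAA\",\"signature\":\"AAAA\",\"version\":\"EC_v1\","
             "\"header\":{\"ephemeralPublicKey\":\"AAAA\",\"publicKeyHash\":\"%@\","
             "\"transactionId\":\"79ccd07eb432f80067d8e5bbc4c38ee1def7fcc1827f6ba5b63bf47b283ebf89\"}}",
            Sha256Base64(merchantKey)];
        NSError *err = nil;
        NSDictionary *token = CheckApplePayToken([json dataUsingEncoding:NSUTF8StringEncoding], &err);
        NSLog(@"well-formed: %@  merchant key match: %@", token ? @"yes" : err,
              PublicKeyHashMatches(token, merchantKey) ? @"yes" : @"no");

        // A token with its header stripped must be rejected before any forwarding.
        NSData *stripped = [@"{\"version\":\"EC_v1\",\"data\":\"AAAA\",\"signature\":\"AAAA\"}"
                            dataUsingEncoding:NSUTF8StringEncoding];
        NSDictionary *bad = CheckApplePayToken(stripped, &err);
        NSLog(@"stripped header rejected: %@ (%@)", bad ? @"no" : @"yes", err.localizedDescription);
    }
    return 0;
}
```

The check is deliberately limited to shape: decrypting "data" needs the merchant private key, which must never be shipped in the app, and verifying the detached PKCS #7 signature against Apple's root is likewise a server task. What the app can do is refuse tokens that do not even have the documented layout and log only the transactionId, never the data or signature fields.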
  • 18. What happens in a payment?
    “Each transaction is authorized with a one-time unique number using your Device Account Number and instead of using the security code from the back of your card, Apple Pay creates a dynamic security code to securely validate each transaction.” - From the press release
    The Device Account Number represents the Token, the One-time Unique Number represents the dynamic cryptogram and the Dynamic Security Code represents the dynamic CVV.
  • 19. Secure Enclave
    • Part of the A7 and A8 chips used for Touch ID. According to Apple, within the Secure Enclave the fingerprint data is stored in an encrypted form which can only be decrypted by a key available to the Secure Enclave, thus walling the fingerprint data off from the rest of the A7/A8 chip.
    • It’s a flashable 4MB processor named the Secure Enclave Processor (SEP).
    • It contains its own OS called SEP OS, and there is a utility called SEPUtil that can be used to communicate with it.
    • It’s contained in the ramdisk H7SURamDisk.dmg, which is located in /usr/standalone/update/ramdisk, and there in /usr/libexec.
    • It is necessary to strip off the first 0x1b (27) bytes to make the DMG readable.
    RootǝdCON
  • 20. Secure Enclave
    • We believe that all the information being stored in the Secure Enclave is erased once the device is turned off.
    • Inside biometrickitd we find at memory address ‘000000010001DD3C’ a ‘bl sub_10001376c’ instruction. That method is the one used to upload all the information to the Secure Enclave.
    • Probably a good starting point to figure out how things work in the Secure Enclave.
  • 22. TouchID
    “Fingerprint recognition feature, designed by Apple and available on the iPhone 5S, 6 and 6+, whose purpose is to allow users to unlock their device, as well as make purchases in the various Apple stores and authenticate Apple Pay online or in apps.”
  • 23. TouchID Process
    1. Sense for scannable object
    2. Scan object
    3. Construct input map based on scan results
    4. Construct lower resolution input pattern
    5. Provide input pattern and template pattern
    6. Run match comparisons of input pattern and template pattern
    7. Provide identity of possible match results
    8. Run match comparison of input map with possible match identities
    9. Provide result
  • 24. What happens under the hood
    • First Obstacle: what is happening at filesystem level when the user interacts with the TouchID component and a new fingerprint is added to or removed from the system?
    • Workaround: the FileMon utility, made by J. Levin, put on steroids thanks to Pancake. It lets the user peek behind the scenes at what iOS daemons are doing.
    • Goal: identify the binaries involved and the operations they perform when the Apple Pay technology or the TouchID component are used.
  • 25. Identifying binaries
    • The SpringBoard framework binary generates some interesting images.
    • The biometrickitd daemon creates and modifies the content of a file called TemplateList.cat
    [E] Error copying /tmp/_private_var_root_Library_Catacomb_TemplateList.cat.tmp
  • 26. Overriding unlink
    • Second Obstacle: the unlink call prevents us from copying the resource, since it removes the link named by the path parameter from its directory before we can copy it.
    • Workaround: override its implementation so that it always returns 0 (false) without removing the file.
    • Goal: obtain a copy of the files generated.
    carapene:~ root# cycript -p PID
    cy# @import com.saurik.substrate.MS
    cy# unlink = dlsym(RTLD_DEFAULT, "unlink")
    cy# unlink = @encode(int (char *))(unlink)   // unlink(2) takes one path and returns an int
    cy# var oldu = {}
    cy# var log = []
    cy# MS.hookFunction(unlink, function(path) {
    cy>     log.push([path.toString()]);   // record the path instead of deleting the file
    cy>     return 0;                      // report success to the caller
    cy> }, oldu)
  • 27. dyld_shared_cache
    • Third Obstacle: since iPhoneOS 3.1 all default (private and public) libraries have been compiled into a big cache file. All binaries or libraries from /System/Library/Frameworks and /System/Library/PrivateFrameworks are now located in /System/Library/Caches/com.apple.dyld/dyld_shared_cache_armX
    • Workaround: use the jtool utility to extract a specific binary from the cache, or to dump all the binaries at once.
    • Goal: access to all the binaries, and the ability to dump their classes/methods and RE their source code.
    jtool -extract UIKit path/to/dyld_shared_cache
    jtool -lv cache_armv7 | cut -c 24- | tail +5 | while read line ; do jtool -extract "$line" cache_armv7 ; done
  • 28. Put your seat-belt
    • Fourth Obstacle: the binary carries in its entitlements the sandbox profile ‘seat-belt’, which is a kernel extension that restricts a set of features from being used by some processes.
    • Workaround: use the ldid utility to extract the entitlements and modify the ‘seat-belt’ field of the binary.
    • Goal: the ability to attach cycript to the process, dump the information from its variables and modify its behavior at runtime.
    Original entitlement:
    <key>seatbelt-profiles</key>
    <array>
        <string>seld</string>
    </array>
    Modified entitlement (key name scrambled so the profile is no longer applied):
    <key>tlebtaes-profiles</key>
    <array>
        <string>seld</string>
    </array>
    ThugLife
  • 29. TouchID Security
    “The resulting map of nodes is stored without any identity information in an encrypted format that can only be read by the Secure Enclave, and is never sent to Apple or backed up to iCloud or iTunes.”
    Partially true
  • 30. Enabling TouchID Debug Log
    • The biometrickitd binary contains a string reference to ‘/var/mobile/Library/Logs/CrashReporter/BioLog’. That file is generated by the class ‘BioLog’, which is disabled by default.
    • Save the following ‘com.apple.biometrickitd.plist’ file under the ‘/Library/Managed Preferences/mobile/‘ path.
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>debugLogEnabled</key>
        <true/>
    </dict>
    </plist>
  • 33. Binaries & methods
    • iOS 8.0 headers available at: http://developer.limneos.net/
    • Most interesting binaries:
      • Biometric operations - BiometricKit.framework, biometrickitd, Preferences.app
      • NFC Controller - nfcd, NearField.framework, libnfshared.dylib, PN548_HAL.dylib, PN548_API.dylib, PN548.dylib
      • Secure enclave - seld, seputil binary (https://theiphonewiki.com/wiki/Seputil)
  • 34. BiometricKitIdentity
    Represents the enrolled fingerprints on the device. Properties for the user-defined name and UUID are available.
  • 35. BLTemplateList
    Retrieves the template associated to each identity enrolled into the device.
  • 36. TemplateInfo
    Retrieves information associated to each Template that represents the fingerprint.
  • 37. BioLogBase
    Contains all the logs dumped for the TouchID component.
  • 39. TemplateList.cat
    • Located at /private/var/root/Library/Catacomb/TemplateList.cat
    • It is the template that contains all the information about the fingerprints added into the system.
    • Some information is readable, but the most interesting part is Base64 encoded and encrypted (?)
  • 41. Gotta Catch ’em all!
    • decodeCatacombDataV1
    • pullDebugImageData
    • pullImageMetadata
    • pullMatchTopologyData
    • setAppleMesaSEPLoggingLevel
    • getData / readBinary / getApplications / getCertificates
    • decodeRootSecurityDomainResponse / dumpAppData
  • 44. LA Security
    • LocalAuthentication: trust the OS.
    • Keychain: trust the Secure Enclave.
    In both cases: no direct access to the Secure Enclave, no access to the registered fingers, no access to the fingerprint image.
  • 45. LocalAuthentication API
    • Shared Libraries: check with otool whether LocalAuthentication.framework is present.
    • canEvaluatePolicy: preflights an authentication policy to see if it is possible for authentication to succeed.
    • evaluatePolicy: evaluates the specified policy; the reply block receives a boolean result.
    • Policy LAPolicyDeviceOwnerAuthenticationWithBiometrics: no passcode authentication; fallback to the application’s own password entry UI.
  • 46. TouchID Authentication
    #import <LocalAuthentication/LocalAuthentication.h>

    - (void)evaluatePolicy {
        LAContext *context = [[LAContext alloc] init];
        __block NSString *msg;
        // show the authentication UI with our reason string
        [context evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
                localizedReason:NSLocalizedString(@"8=====D~", nil)
                          reply:^(BOOL success, NSError *authenticationError) {
            if (success) {
                msg = [NSString stringWithFormat:NSLocalizedString(@"EVALUATE_POLICY_SUCCESS", nil)];
            } else {
                msg = [NSString stringWithFormat:NSLocalizedString(@"EVALUATE_POLICY_WITH_ERROR", nil),
                       authenticationError.localizedDescription];
            }
            // the app's only evidence of authentication is the BOOL above (see slide 47)
            [self printResult:self.textView message:msg];
        }];
    }
  • 47. Tango Down
    carapene:~ root# cycript -p PID
    cy# @import com.saurik.substrate.MS
    cy# var oldm = {}
    cy# MS.hookMessage(LAContext, @selector(evaluatePolicy:localizedReason:reply:),
    cy>     function(self, reason, block) { block(YES, nil); }, oldm);
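Slides 44, 46 and 47 make the point that an LAContext reply is a BOOL living in the app process, and the conclusions recommend Keychain ACLs instead. The following is an added example written for this page, not code from the talk: it stores a secret as a Keychain item whose access control requires user presence, so the secret is released by the keychain only after the system-driven authentication succeeds and there is no app-side boolean to forge. The service and account names and the secret value are constructed placeholders.

```objectivec
// Added example, not code from the talk: protect a secret with a Keychain
// access-control list so the keychain (backed by the Secure Enclave, slide 44)
// gates its release. Forging the LAContext reply (slide 47) yields a BOOL in
// the app; it does not make the keychain hand over the item below.
// Build for iOS 8+: compile as part of an app target linking Security.framework.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

static NSString *const kServiceName = @"com.example.vaultdemo"; // constructed placeholder
static NSString *const kAccountName = @"session-token";          // constructed placeholder

// Store the secret so that it is only readable on this device, only while a
// passcode is set, and only after the user authenticates at read time
// (Touch ID, or the system's own passcode fallback).
static BOOL StoreProtectedSecret(NSData *secret, NSError **error) {
    CFErrorRef cfErr = NULL;
    SecAccessControlRef acl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        kSecAccessControlUserPresence,
        &cfErr);
    if (!acl) {
        if (error) *error = CFBridgingRelease(cfErr);
        return NO;
    }
    NSDictionary *query = @{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kServiceName,
        (__bridge id)kSecAttrAccount: kAccountName,
    };
    SecItemDelete((__bridge CFDictionaryRef)query); // replace any previous copy
    NSMutableDictionary *add = [query mutableCopy];
    add[(__bridge id)kSecValueData] = secret;
    add[(__bridge id)kSecAttrAccessControl] = (__bridge id)acl; // do not also set kSecAttrAccessible
    OSStatus st = SecItemAdd((__bridge CFDictionaryRef)add, NULL);
    CFRelease(acl);
    if (st != errSecSuccess && error) {
        *error = [NSError errorWithDomain:NSOSStatusErrorDomain code:st userInfo:nil];
    }
    return st == errSecSuccess;
}

// Read it back. The prompt is shown by the system, and the data is returned
// only if authentication succeeds; otherwise the app sees an OSStatus such as
// errSecAuthFailed or errSecUserCanceled and never the bytes.
static NSData *ReadProtectedSecret(NSString *reason, OSStatus *status) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:              (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService:        kServiceName,
        (__bridge id)kSecAttrAccount:        kAccountName,
        (__bridge id)kSecReturnData:         @YES,
        (__bridge id)kSecUseOperationPrompt: reason,
    };
    CFTypeRef result = NULL;
    OSStatus st = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status) *status = st;
    return st == errSecSuccess ? CFBridgingRelease(result) : nil;
}

int main(void) {
    @autoreleasepool {
        NSError *err = nil;
        NSData *secret = [@"constructed-session-token" dataUsingEncoding:NSUTF8StringEncoding];
        if (!StoreProtectedSecret(secret, &err)) {
            NSLog(@"store failed: %@", err);
            return 1;
        }
        OSStatus st = errSecSuccess;
        NSData *released = ReadProtectedSecret(@"Unlock your session", &st);
        NSLog(@"read status %d, secret %@", (int)st, released ? @"released" : @"withheld");
    }
    return 0;
}
```

The difference from slide 46 is where the decision lives: with evaluatePolicy the app receives a BOOL and then decides what to unlock, whereas here the thing being protected is the keychain item itself, and the only way to obtain it is for the system's authentication to succeed. This is the form of TouchID integration the conclusions on slide 53 recommend over a bare LocalAuthentication check.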
  • 53. Conclusions
    • Apple Pay technology is pretty solid and well structured; maybe not all the statements made by Apple are true, but the overall security deployed is robust.
    • A jailbroken device is required to at least scratch the surface, and even with that, the information obtained is not highly sensitive.
    • TouchID integration works better with Keychain ACLs; the integration with LocalAuthentication.framework is not recommended to protect your assets.
  • 54. Thank You
    Special thanks to @abelenko, @trufae (pancake), @revskills (F. Alonso) and J. Levin (@technologeeks)
    Sebas Guerrero @0xroot
    sguerrero@nowsecure.com