Security controls bypass or absence - Facial Recognition - Swift

Security controls bypass or absence - Facial Recognition - Swift

Need

Implementation of robust security controls for facial recognition

Context

  • Usage of Swift for iOS and macOS app development
  • Usage of UIKit for building modern and responsive user interfaces
  • Usage of LocalAuthentication for implementing local device authentication

Description

Non compliant code

        import UIKit
import LocalAuthentication

class ViewController: UIViewController {

    @IBOutlet weak var authButton: UIButton!
    
    func authenticateUser() {
        let context = LAContext()
        var error: NSError?
        
        if context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error) {
            let reason = "Identify yourself!"
            
            context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, localizedReason: reason) { success, authenticationError in
                DispatchQueue.main.async {
                    if success {
                        self.performSegue(withIdentifier: "authenticationSuccess", sender: nil)
                    } else {
                        let ac = UIAlertController(title: "Authentication failed", message: "Sorry!", preferredStyle: .alert)
                        ac.addAction(UIAlertAction(title: "OK", style: .default))
                        self.present(ac, animated: true)
                    }
                }
            }
        } else {
            let ac = UIAlertController(title: "Biometry not available", message: "Your device is not configured for biometric authentication.", preferredStyle: .alert)
            ac.addAction(UIAlertAction(title: "OK", style: .default))
            self.present(ac, animated: true)
        }
    }
    
    @IBAction func authButtonTapped(_ sender: UIButton) {
        authenticateUser()
    }
}
        
        

This Swift code is for an iOS mobile application that uses facial recognition for user authentication. The authenticateUser function is called when the 'authButton' is tapped. It uses the LocalAuthentication framework to authenticate the user with biometrics (which includes Face ID).

However, this code is vulnerable to security control bypass or absence. It does not verify the source of the token used for authentication. An attacker could use the F015 finding to obtain a token and bypass the facial recognition process, allowing them to enter application transactions, or accept or deny authorizations from a user.

The vulnerability lies in the context.evaluatePolicy method call. This method will return success even if the authentication was not made by the actual user, but by someone who has obtained a token. There are no checks in place to ensure that the token used for authentication was not obtained illicitly. This is a serious security flaw that could lead to unauthorized access to the application.

Steps

  • Implement additional security controls to complement facial recognition, such as multi-factor authentication.
  • Ensure that the facial recognition process is properly integrated with the application's transaction and authorization flows.
  • Regularly update the facial recognition library or framework used in the application to benefit from the latest security patches and improvements.
  • Perform thorough testing and validation of the facial recognition functionality to identify and fix any potential vulnerabilities or weaknesses.
  • Implement proper error handling and messaging to provide clear feedback to the user in case of authentication failures or errors.
  • Consider implementing a timeout mechanism for the facial recognition process to prevent potential abuse or unauthorized access.
  • Regularly review and assess the overall security posture of the application to identify and address any potential security gaps or vulnerabilities.

Compliant code

        import UIKit
import LocalAuthentication

class ViewController: UIViewController {

    @IBOutlet weak var authButton: UIButton!
    
    func authenticateUser() {
        let context = LAContext()
        var error: NSError?
        
        if context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error) {
            let reason = "Identify yourself!"
            
            context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, localizedReason: reason) { success, authenticationError in
                DispatchQueue.main.async {
                    if success {
                        // Add additional security control here
                        self.performAdditionalSecurityControl()
                    } else {
                        let ac = UIAlertController(title: "Authentication failed", message: "Sorry!", preferredStyle: .alert)
                        ac.addAction(UIAlertAction(title: "OK", style: .default))
                        self.present(ac, animated: true)
                    }
                }
            }
        } else {
            let ac = UIAlertController(title: "Biometry not available", message: "Your device is not configured for biometric authentication.", preferredStyle: .alert)
            ac.addAction(UIAlertAction(title: "OK", style: .default))
            self.present(ac, animated: true)
        }
    }
    
    func performAdditionalSecurityControl() {
        // Implement additional security control here
        // If additional security control passed
        self.performSegue(withIdentifier: "authenticationSuccess", sender: nil)
    }
    
    @IBAction func authButtonTapped(_ sender: UIButton) {
        authenticateUser()
    }
}
        
        

The updated code includes an additional security control function performAdditionalSecurityControl(). This function should contain the implementation of the additional security control, such as multi-factor authentication. This function is called only if the facial recognition authentication is successful.

This approach ensures that even if the facial recognition process is bypassed, the attacker still needs to pass the additional security control to gain access. This significantly reduces the risk of unauthorized access.

In addition, it is recommended to regularly update the facial recognition library or framework used in the application to benefit from the latest security patches and improvements.

Proper error handling and messaging should also be implemented to provide clear feedback to the user in case of authentication failures or errors.

A timeout mechanism for the facial recognition process can also be implemented to prevent potential abuse or unauthorized access.

Lastly, the overall security posture of the application should be regularly reviewed and assessed to identify and address any potential security gaps or vulnerabilities.

References