Hey, I read somewhere a while ago that the Secure Enclave of an iOS device would get wiped when biometrics change, i.e. a new fingerprint is added. I was wondering whether that’s correct and still the case?
Secure Enclave wiped on biometrics change?
It’s hard to answer this without a definition of “wiped”.
If you have a general interest in how iOS security works behind the scenes, I recommend that you read through Apple Platform Security. It’s full of super interesting details.
If you have a question about a specific API — for example, “If I create an SE-protected key with such-and-such settings, does it survive a biometrics change?” — post the details here and I’ll try to answer.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Hey @eskimo sorry, for some reason I can't comment on your post (my reply always disappears when I refresh the page).
Yeah, my question is about using a specific API with this access control and these attributes:

```swift
// Access control: key usable only while the device is unlocked, private-key operations only.
// SecAccessControlCreateWithFlags returns nil on an invalid flag combination, hence the unwrap.
let access = SecAccessControlCreateWithFlags(
    kCFAllocatorDefault,
    kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
    [.privateKeyUsage],
    nil)!

// Key attributes: 256-bit EC key generated and stored in the Secure Enclave.
let attributes: [String: Any] = [
    kSecAttrKeyType as String: kSecAttrKeyTypeEC,
    kSecAttrKeySizeInBits as String: 256,
    kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
    kSecPrivateKeyAttrs as String: [
        kSecAttrIsPermanent as String: true,
        kSecAttrApplicationTag as String: tag,
        kSecAttrAccessControl as String: access,
    ],
]
```
It’s kinda hard to read your code [1] but I don’t think that actually matters because…
If you’re developing code for yourself there’s an easy way to answer this question:
- Put your code in a small test app.
- Use that to create an SE-protected key.
- Change your biometrics.
- Run your app again and see if the key still functions.
Based on my reading of your code I think it will, but you shouldn’t trust me (-:
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] See Quinn’s Top Ten DevForums Tips for advice on how to post code snippets.
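As an added illustration of the four-step test above (example code, not from the thread or from Apple): a Swift probe that creates the key with the question's access control and attributes on the first run, and on a later run, after biometrics have been changed, looks the key up by tag and checks that it still signs and verifies. The key tag is a constructed placeholder, and `kSecAttrKeyTypeECSECPrimeRandom` is the current spelling of the thread's `kSecAttrKeyTypeEC`.

```swift
import Foundation
import Security

// Constructed tag for this example; the thread's own `tag` value is not shown.
let keyTag = Data("com.example.se-biometry-probe".utf8)
let keyType = kSecAttrKeyTypeECSECPrimeRandom  // current name for the thread's kSecAttrKeyTypeEC

enum ProbeError: Error { case accessControl, creation(CFError?) }

/// Step 2: create the SE-protected key using the access control and attributes from the question.
func createSecureEnclaveKey() throws -> SecKey {
    // [.privateKeyUsage] alone does not bind the key to the current biometric enrollment; the flag
    // designed to invalidate a key when enrollment changes is .biometryCurrentSet (not used in the
    // thread, so not used here). Whatever flags you pick, the test below is what settles the question.
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault, kSecAttrAccessibleWhenUnlockedThisDeviceOnly, [.privateKeyUsage], nil)
    else { throw ProbeError.accessControl }

    let attributes: [String: Any] = [
        kSecAttrKeyType as String: keyType,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: keyTag,
            kSecAttrAccessControl as String: access,
        ],
    ]
    var error: Unmanaged<CFError>?
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
        throw ProbeError.creation(error?.takeRetainedValue())
    }
    return key
}

/// Step 4: after changing biometrics, fetch the key by tag and check that it still signs and verifies.
/// Returns false if the key is gone from the keychain or the Secure Enclave refuses to use it.
func secureEnclaveKeyStillWorks() -> Bool {
    let query: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrApplicationTag as String: keyTag,
        kSecAttrKeyType as String: keyType,
        kSecReturnRef as String: true,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let found = item else {
        print("key lookup failed: OSStatus \(status)"); return false
    }
    let privateKey = found as! SecKey
    let message = Data("biometry probe".utf8) as CFData
    var error: Unmanaged<CFError>?
    // A signature that the matching public key verifies proves the SE still accepts this key.
    guard let sig = SecKeyCreateSignature(privateKey, .ecdsaSignatureMessageX962SHA256, message, &error),
          let publicKey = SecKeyCopyPublicKey(privateKey) else {
        print("signing failed: \(String(describing: error?.takeRetainedValue()))"); return false
    }
    return SecKeyVerifySignature(publicKey, .ecdsaSignatureMessageX962SHA256, message, sig, nil)
}
```

Call `createSecureEnclaveKey()` once on a device, change the enrolled biometrics in Settings, then relaunch and call `secureEnclaveKeyStillWorks()`; the Secure Enclave is not available in the Simulator.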