Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Check pin without leaving the iOS Keychain

I have a user pin stored in the iOS Keychain. For every pin attempt, I use SecItemCopyMatching to retrieve the reference pin, and then do the comparison.

The problem is that, for a short amount of time, the retrieved reference pin enters the app's working memory. If the phone is compromised, the reference pin can potentially be read off.

Is there a way to pass the pin attempt to the Keychain and have the Keychain do the comparison with the reference pin in its secure environment? (Can the Secure Element do that kind of stuff?)

like image 790
Randomblue Avatar asked Mar 04 '15 16:03

Randomblue


People also ask

Does keychain Store iPhone passcode?

iCloud Keychain keeps your passwords, passkeys, and other secure information updated across your iPhone, iPad, iPod touch, or Mac. Set up iCloud Keychain.

Can I see my Apple ID password in keychain?

Keychain Access lets you view the keys, certificates, passwords, account information, notes, or other information stored in a keychain. In the Keychain Access app on your Mac, if you don't see a list of keychains, choose Window > Keychain Viewer or press Command-1. Select the keychain that you want to view.

How do I retrieve a password from my iPhone keychain?

Settings > Passwords > Enter your Passcode > Search for the account you're looking for. If it's deleted, your best chance might be your last Backup on which is the password wasn't still deleted. Restoring from a backup erases all data currently on your device.


1 Answers

In general, you store a one-way hash of the password with a salt, not the actual password. To verify, add the salt, hash the string, compare against the stored hash, and if it matches, it's verified.

The strength then, is the strength of the algorithm, the salt, and the password.

like image 58
Marcus Adams Avatar answered Oct 01 '22 15:10

Marcus Adams