Detect if Secure Enclave is available on current device

Tags:

security

ios

Is there a certain way to detect if storing in Secure Enclave is available on current device?

kragekjaer asked Jan 20 '17 09:01

2 Answers

Here is another solution:

Device.h

#import <Foundation/Foundation.h>

@interface Device : NSObject

+(BOOL) hasSecureEnclave;
+(BOOL) isSimulator;
+(BOOL) hasBiometrics;

@end

Device.m

#import "Device.h"
#import <LocalAuthentication/LocalAuthentication.h>

@implementation Device

//To check that device has secure enclave or not
+(BOOL) hasSecureEnclave {
    NSLog(@"IS Simulator : %d", [Device isSimulator]);
    return [Device hasBiometrics] && ![Device isSimulator] ;
}

//To check whether this build is running in the simulator
+(BOOL) isSimulator {
    return TARGET_OS_SIMULATOR == 1;
}

//Check that this device has Biometrics features available
+(BOOL) hasBiometrics {

    //Local Authentication Context
    LAContext *localAuthContext = [[LAContext alloc] init];
    NSError *error = nil;

    /// Policies can have certain requirements which, when not satisfied, would always cause
    /// the policy evaluation to fail - e.g. a passcode set, a fingerprint
    /// enrolled with Touch ID or a face set up with Face ID. This method allows easy checking
    /// for such conditions.
    BOOL isValidPolicy = [localAuthContext canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics error:&error];

    if (isValidPolicy) {
        //Policy can be evaluated: biometric hardware is present and enrolled
        return YES;
    }

    //The error is only populated when the policy cannot be evaluated, so the
    //error code has to be inspected on this path. The hardware is still present
    //unless the error says biometry is not available at all.
    if (@available(iOS 11.0, *)) {
        return error.code != kLAErrorBiometryNotAvailable;
    } else {
        return error.code != kLAErrorTouchIDNotAvailable;
    }
}

@end

If you want a solution in Swift 4, then refer to this link.

Solution in Swift 4

technerd answered Nov 07 '22 17:11


For a developer, there is exactly one thing the Secure Enclave can do: Create and hold private keys for elliptic curve cryptography, and encrypt or decrypt data using these keys. On iOS 9, the attributes describing elliptic curve algorithms are not there - therefore, if you are running iOS 9, then you can assume the Secure Enclave is not there, because you cannot use it.

On iOS 10 and above, there is just one way to decide guaranteed correctly if the Secure Enclave is present: Create an elliptic curve encryption key in the Secure Enclave, as described by Apple's documentation. If this fails, and the error has a code of -4 = errSecUnimplemented, then there is no Secure Enclave.

If you insist on checking a list of devices, you only need the devices that are documented as having no Secure Enclave but are able to run iOS 10, because on iOS 9 it is never available.

gnasher729 answered Nov 07 '22 17:11

gnasher729
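
The key-creation probe described in the answer above, as an added example that is not code from either answer: it asks the Security framework for a throwaway P-256 key in the Secure Enclave and treats errSecUnimplemented as "no Secure Enclave". It assumes iOS 10 or later and ARC; `SEProbeResult` and `ProbeSecureEnclave` are hypothetical names.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical names, not taken from the answers above.
typedef NS_ENUM(NSInteger, SEProbeResult) {
    SEProbeAvailable,      // a key was generated inside the Secure Enclave
    SEProbeUnavailable,    // errSecUnimplemented (-4): no Secure Enclave
    SEProbeIndeterminate   // some other failure; inspect *outError
};

static SEProbeResult ProbeSecureEnclave(NSError **outError) {
    CFErrorRef cfError = NULL;

    // Secure Enclave keys require an access-control object. PrivateKeyUsage
    // permits private-key operations without adding a biometric constraint.
    SecAccessControlRef access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault, kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        kSecAccessControlPrivateKeyUsage, &cfError);

    SecKeyRef key = NULL;
    if (access != NULL) {
        NSDictionary *attributes = @{
            (__bridge id)kSecAttrKeyType: (__bridge id)kSecAttrKeyTypeECSECPrimeRandom,
            (__bridge id)kSecAttrKeySizeInBits: @256,
            (__bridge id)kSecAttrTokenID: (__bridge id)kSecAttrTokenIDSecureEnclave,
            (__bridge id)kSecPrivateKeyAttrs: @{
                // Throwaway key: do not persist it in the keychain.
                (__bridge id)kSecAttrIsPermanent: @NO,
                (__bridge id)kSecAttrAccessControl: (__bridge id)access,
            },
        };
        key = SecKeyCreateRandomKey((__bridge CFDictionaryRef)attributes, &cfError);
        CFRelease(access);
    }

    if (key != NULL) {
        CFRelease(key);
        return SEProbeAvailable;
    }

    // Take ownership of the CFError so ARC releases it.
    NSError *error = CFBridgingRelease(cfError);
    if (outError != NULL) {
        *outError = error;
    }
    return (error.code == errSecUnimplemented) ? SEProbeUnavailable
                                               : SEProbeIndeterminate;
}
```

Treat `SEProbeIndeterminate` as "unknown" rather than "absent", and log the returned error so that failures unrelated to the hardware are not mistaken for a missing Secure Enclave.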