TOUCH ID Security Issue

Hi,

I have tried to add a finger for Touch ID on my iPhone. On all my applications using Touch ID, it was not possible to use Touch ID again until I re-entered my password -> normal security behavior.
On Cryptomator I can still unlock my vault without any warning. I think it is a possible security issue…

Hi,
I would like to help you, but I’m not sure if I understand your problem correctly.
So, you deactivated the fingerprint authentication in iOS and are still able to unlock your vault with fingerprint? Is that what you’re saying?

Hi Michael,

I have noticed that if I modify my fingerprints on my iPhone (adding a finger, for example), I can unlock Cryptomator with the new finger without any warning. On all my applications, I receive a warning saying that Touch ID has been modified and I need to enter my password to reactivate Touch ID.
I agree that a hacker needs physical access to the unlocked iPhone, but it could happen in 10 seconds. I broke my screen last month and when I came to a store to have it repaired, the guy asked me to unlock my phone to make some tests (I knew this guy so it was OK).

Thank you for reporting this! We’ll look into it.

1 Like

Hi @tobihagemann. Here is an article to explain the problem, which is still in the current iOS version: https://swiftrocks.com/detecting-touchid-fingerprint-changes
If someone has physical access to the iOS device, the application becomes unsafe.

Thank you again for reminding us about this issue! Since this issue does not violate our security target (we are protecting the files in the cloud, we are not protecting the device) and we were working on a million things for this big release, we lost focus on this issue. We’ll schedule it for the next update because you are absolutely right that it should be fixed.

Hello @tobihagemann.
It would be sad if a local breach could weaken your cloud protection.
I understand you are a small team and you have done such a great job :+1:
Thanks for your answer and good luck for the next release.

1 Like
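
The behaviour the thread asks for (a newly enrolled finger must not unlock the vault until the password is entered again) can be obtained from the iOS Keychain by binding the stored secret to the current biometric set. The Swift code below is an added example, not part of the thread and not Cryptomator's own code; it assumes the app keeps the vault password in a Keychain item, and the service, account and function names are hypothetical.

```swift
import Foundation
import LocalAuthentication
import Security

// Hypothetical identifiers for this example; not taken from any real app.
let service = "example.vault.unlock"
let account = "vault-password"

enum KeychainError: Error { case accessControl, status(OSStatus) }

func baseQuery() -> [String: Any] {
    [kSecClass as String: kSecClassGenericPassword,
     kSecAttrService as String: service,
     kSecAttrAccount as String: account]
}

/// Stores the vault password so that reading it requires a biometric match
/// against the fingers (or face) enrolled at the moment of storing.
func storeVaultPassword(_ password: Data) throws {
    // .biometryCurrentSet: the item is invalidated when a finger is added or removed.
    // .biometryAny (the weak choice here) stays readable for fingers enrolled later.
    guard let access = SecAccessControlCreateWithFlags(
        nil, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, .biometryCurrentSet, nil)
    else { throw KeychainError.accessControl }
    SecItemDelete(baseQuery() as CFDictionary)   // replace any earlier item
    var item = baseQuery()
    item[kSecAttrAccessControl as String] = access
    item[kSecValueData as String] = password
    let status = SecItemAdd(item as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
}

/// Returns the password after the system biometric prompt. A nil result means the
/// caller must ask for the vault password and call storeVaultPassword again.
func loadVaultPassword(reason: String) throws -> Data? {
    let context = LAContext()
    context.localizedReason = reason
    var query = baseQuery()
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    query[kSecUseAuthenticationContext as String] = context
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    switch status {
    case errSecSuccess: return result as? Data
    case errSecItemNotFound: return nil   // never stored, or no longer readable after an enrollment change
    default: throw KeychainError.status(status)   // e.g. user cancelled the prompt
    }
}
```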