Bypassing the Touch ID security to unlock the iOS app


#1

So the app logged me out this morning, not sure why, so I logged back in via the email sent to me and this is when I noticed the Touch ID security feature to enter the app was switched off. I have always kept this switched on previously.

I turned Touch ID back on, closed the app and tested this again. When prompted to unlock Monzo using Touch ID, I pressed cancel, and then log out. I then had to log back in via the email method, and again the Touch ID had been switched off.

Therefore, just to make the Monzo security team aware, this Touch ID security layer to unlock the app can be fairly easily bypassed: if someone had access to your phone unlocked (I realise this is unlikely, but can happen), and is able to obtain your relevant email address (which is fairly easy by searching the phone’s mail settings).


(Simon Turp) #2

I completely agree with this. We need to have a more secure method of authentication.


#3

I like the speed and simplicity of using Touch ID to open the app, I just don’t like how easily it can be circumvented on an unlocked phone.


(Bob) #4

I just noticed this very same issue on my iPhone; logging out and back in again disables ‘Touch ID for payments’ and ‘Require Touch ID to unlock app’.

A quick search brought me here… any update yet? It seems that these security issues have been overlooked.


(Rika Raybould) #5

Touch ID for payments being disabled is expected. That falls back to requiring the card PIN or identity verification through support to perform those tasks. It’s similar on a technical level to how your phone requires the full password/passcode to unlock the first time after reboot.

As for Touch ID to unlock the app… that’s one of many issues with this feature. As it stands, the app unlock feature is only suitable as a basic privacy barrier.


(Alex Sherwood) #6

@BobT following on from Richard’s comments, that’s exactly how the Monzo team see this feature too…


(max_woollard_uk) #7

Another point just worth mentioning - apologies if it’s already been mentioned - I found another scenario where you can bypass the Touch ID privacy layer.

Found on iOS 10.2.1 - iPhone 6s

  • Send money to a contact
  • Sleep your phone at the screen that asks to select a category
  • Reopen the app and the Touch ID modal will show with the previous screen visible behind
  • Click cancel - you can now interact with the whole app

As mentioned, this is only a privacy issue and you’re still required to authenticate with Touch ID when sending payments, but I thought it was worth raising.


(Andy Smart) #8

Thanks! We’ve actually fixed this one :sweat_smile: so you won’t be able to bypass like this in the 1.9.4 release, when that goes out. :lock: