Touch ID

The iPhone 5s and newer, iPad Air 2 and newer, and iPad mini 3 and newer come equipped with Touch ID, a fingerprint scanner. The sensor is bound uniquely to each device: Touch ID sensors appear to be paired to a specific device in a manner somewhat similar to the HDMI protected media path.

However, there is a private API for it; its dylib file ships with Xcode 5 at the path

As of iOS 8, the dylib has been removed from the iOS SDK and replaced by a stub (containing symbols, but no code). The dylib can still be obtained easily from the dyld_shared_cache on the device. The code is ARM64, but can be disassembled by newer versions of IDA (6.4) or NewOSXBook.com's jtool.

Fingerprint Registration Process
Apple has applied to patent the process below for Touch ID in Apple Patent Application 20130308838.


 * The fingerprint sensor detects an object to scan (activated via the 'metal ring' around the home button).
 * The fingerprint sensor starts the scan - basically it takes a picture of the finger (UIImage).
 * The picture is transferred to the Secure Enclave Processor (SEP) over an encrypted data line (similar to HDMI protected media path).
 * The SEP stores this picture as a so-called template. It then constructs a lower-resolution version, a histogram of the most common ridge angles, and stores it together with the higher-resolution template in the Secure Enclave.
 * The SEP sends the lower-resolution version to the main CPU.
 * The main CPU stores the lower-resolution version in a database (for later authentication).

Fingerprint Authentication Process

 * The fingerprint sensor detects an object to scan (activated via the 'metal ring' around the home button).
 * The fingerprint sensor starts the scan - basically it takes a picture of the finger (UIImage).
 * The picture is transferred to the Secure Enclave Processor (SEP) over an encrypted data line (similar to HDMI protected media path).
 * The SEP constructs a lower-resolution version: a histogram of the most common ridge angles.
 * The SEP sends the lower-resolution version to the main CPU.
 * The main CPU compares the lower-resolution version against its database to find possible matches.
 * The main CPU sends the possible matches back to the SEP, or authentication is rejected if no matches are found.
 * The SEP takes the matches received from the main CPU and compares the initial image against the high-resolution templates of those matches.
 * Access is granted if the comparison is positive and rejected if it is negative.
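The two lists above describe a split-trust design: the main CPU only ever holds the low-resolution histograms and acts as a pre-filter, while the high-resolution templates and the final decision stay inside the SEP. The simulation below is an added example, not Apple's code or anything from the dylib; it models a "fingerprint" as a constructed list of ridge angles in degrees, the histogram bucket width and the match thresholds are assumptions, and the real sensor image, encrypted data line and challenge-response are not modelled. It covers both the registration and the authentication process.

```python
"""Toy model of the two-tier Touch ID matching described in the patent.

Added example (not Apple's code). A 'fingerprint' is a constructed list of
ridge angles in degrees; the 15-degree bucket width and the thresholds are
assumptions made for the simulation.
"""
from collections import Counter

BUCKET_DEG = 15           # assumed histogram bucket width
COARSE_THRESHOLD = 0.25   # assumed max histogram distance for a candidate
FINE_TOLERANCE = 5.0      # assumed max mean angle error for a final match


def ridge_histogram(angles, bucket=BUCKET_DEG):
    """Low-resolution version: normalised histogram of ridge angles."""
    counts = Counter((a % 180) // bucket for a in angles)
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()}


def histogram_distance(h1, h2):
    """Total-variation distance between two normalised histograms (0..1)."""
    keys = set(h1) | set(h2)
    return sum(abs(h1.get(k, 0.0) - h2.get(k, 0.0)) for k in keys) / 2.0


class SecureEnclave:
    """Holds the high-resolution templates; only ever returns accept/reject."""

    def __init__(self):
        self._templates = {}   # template id -> full angle tuple (never leaves SEP)
        self._pending = None   # scan currently being authenticated

    def enroll(self, scan):
        """Registration: store the template, hand back only the histogram."""
        tid = len(self._templates)
        self._templates[tid] = tuple(scan)
        return tid, ridge_histogram(scan)

    def receive_scan(self, scan):
        """Authentication step 1: keep the image, send the coarse version out."""
        self._pending = tuple(scan)
        return ridge_histogram(scan)

    def verify(self, candidate_ids):
        """Authentication step 2: fine comparison against the candidates."""
        scan = self._pending
        self._pending = None
        for tid in candidate_ids:
            tmpl = self._templates.get(tid)
            if tmpl is None or len(tmpl) != len(scan):
                continue
            mean_err = sum(abs(a - b) for a, b in zip(tmpl, scan)) / len(scan)
            if mean_err <= FINE_TOLERANCE:
                return True
        return False


class MainCPU:
    """Holds only histograms; picks candidates, never decides on its own."""

    def __init__(self, sep):
        self.sep = sep
        self.db = {}  # template id -> histogram

    def register(self, scan):
        tid, hist = self.sep.enroll(scan)
        self.db[tid] = hist
        return tid

    def authenticate(self, scan):
        hist = self.sep.receive_scan(scan)
        candidates = [tid for tid, h in self.db.items()
                      if histogram_distance(hist, h) <= COARSE_THRESHOLD]
        if not candidates:
            self.sep.verify([])   # clears the pending scan; rejected early
            return False
        return self.sep.verify(candidates)


# Constructed sample data: two enrolled fingers and three later scans.
FINGER_A = [(i * 7) % 180 for i in range(60)]
FINGER_B = [(i * 3) % 60 for i in range(60)]
SCAN_A_NOISY = [a + 2 for a in FINGER_A]       # same finger, small sensor noise
SCAN_A_REORDERED = list(reversed(FINGER_A))     # same histogram, different detail


def demo():
    """Returns (noisy_A_accepted, finger_B_not_candidate, reordered_rejected)."""
    sep = SecureEnclave()
    cpu = MainCPU(sep)
    cpu.register(FINGER_A)
    return (cpu.authenticate(SCAN_A_NOISY),
            histogram_distance(ridge_histogram(FINGER_B),
                               cpu.db[0]) > COARSE_THRESHOLD,
            cpu.authenticate(SCAN_A_REORDERED))


if __name__ == "__main__":
    print(demo())
```

The third scan is the instructive one: it has exactly the same histogram as the enrolled finger, so the main CPU forwards it as a candidate, but the SEP's comparison against the full template rejects it. That is why the design leaks only the coarse histogram to the application processor and keeps the decision in the enclave.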

Inferred Information
Based on a string dump of the framework, the following can be inferred.


 * Its codename is "mesa"
 * It communicates over XPC to a binary that handles access to it
 * There are kernel extensions to interface with it
 * The kernel extension communicates to the secure keystore to set and verify fingerprints
 * The fingerprint scanner calibrates itself and has upgradable firmware
 * The fingerprint scanner uses normal image formats (i.e. UIImage) before setting and verifying fingerprints
 * There's biometric lockout as well as passcode lockout
 * The A7 chip contains a secure element marketed as the Secure Enclave. The string dump refers to SEP, the Secure Element Protocol. This chip is most likely one sourced from NXP. It contains physical security to ensure that the only operations of the chip involve setting new fingerprints and verifying fingerprints against the ones stored in it (i.e. challenge-response). This way, the fingerprint data cannot be extracted from it.

String Dump
Below is a full string dump of the framework, which hints at its functionality.