Is it safe to let apps use Touch ID on an iOS device?
Solution 1:
The application does not have access to the fingerprint data stored on the device. The API provided by Apple tells the app if the auth process was successful by a simple yes/no value. No hash is provided. Here's the documentation.
Also the fingerprint data is stored in the device's "Secure Enclave" and is not accessible.
The Secure Enclave is part of the A7 and newer chips used for Touch ID. Within the Secure Enclave, the fingerprint data is stored in an encrypted form which - according to Apple - can only be decrypted by a key available to the Secure Enclave, thus walling the fingerprint data off from the rest of the A7 chip and the rest of iOS.
Source: The iPhone Wiki
Solution 2:
Yes, it is perfectly safe to use Touch ID on iPhone.
Apps that use Touch ID do not have access to your fingerprint, nor to any hash generated from your fingerprint. The app does not actually process the fingerprint matching itself; rather, it calls the Touch ID API (system), which then sends the result back to the app. So, all the app will receive is either `true` or `false`, depending on whether it is successful.
Thus, the app does not need to have access to any kind of hash and the whole Touch ID process is done by your iPhone's system (iOS), similar to how you unlock your phone with Touch ID.
As 9to5mac explains:
When a developer wants an app user to authenticate, they don’t get involved in the nitty-gritty of how that authentication is performed. They just use code that asks iOS to do it for them – what Apple calls the Local Authentication framework.
(emphasis mine)
And AppleInsider explains:
Apple has kept Touch ID secure by not providing apps access to any of the fingerprint data stored on an iPhone's secure enclave. The prompt that appears is the same as the one Apple already uses to authorize iTunes and App Store purchases.
(emphasis mine)
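Both answers describe the same Local Authentication flow: the app hands the check to iOS and gets back only a success flag. The Swift snippet below is an added illustration of that call shape, not code from either answer, from 9to5mac, or from Apple's documentation; the function name `authenticateWithTouchID` and the reason string are assumptions of this example.

```swift
import LocalAuthentication

/// Added example: asks iOS to run a Touch ID check through the Local
/// Authentication framework. Note the shape of what comes back: a Bool plus
/// an optional Error. No fingerprint image, template or hash reaches the app.
func authenticateWithTouchID(reason: String,
                             completion: @escaping (Bool, String?) -> Void) {
    let context = LAContext()
    var evalError: NSError?

    // Ask first whether biometrics are usable at all (no enrolled finger,
    // no sensor, or biometry locked out after too many failed attempts).
    guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                                    error: &evalError) else {
        completion(false, evalError?.localizedDescription ?? "Biometrics unavailable")
        return
    }

    // The system draws the prompt and performs the match against data held
    // in the Secure Enclave; the app only learns the outcome.
    context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                           localizedReason: reason) { success, error in
        if success {
            completion(true, nil)
            return
        }
        // Map a few LAError cases so the caller can tell "user cancelled"
        // from "biometry locked out" without ever seeing biometric data.
        var message = error?.localizedDescription ?? "Authentication failed"
        if let laError = error as? LAError {
            switch laError.code {
            case .userCancel:      message = "User cancelled"
            case .userFallback:    message = "User chose to enter a passcode"
            case .biometryLockout: message = "Biometry locked out; passcode required"
            default:               break
            }
        }
        completion(false, message)
    }
}

// Usage (hypothetical): invoke when the user triggers a protected action.
authenticateWithTouchID(reason: "Unlock your notes") { ok, message in
    print(ok ? "Authenticated" : "Not authenticated: \(message ?? "")")
}
```

The only values the closure ever sees are `success` and `error`, which is exactly the yes/no contract both answers describe.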