KB_180034: Unable to initialize secure storage after upgrading DIGIPASS for Apps/Mobile on iOS
2/27/2017 12:23:04 PM
After upgrading to DIGIPASS for Apps or DIGIPASS for Mobile version >= 4.10 (from a version <= 4.9.x) on iOS, it is not possible to open the secure storage: a secureStorageSDKException is thrown with error code -4305 when calling SecureStorageSDK.initWithFileName:useFingerPrint:andIterationNumber.
Problem symptoms / details.
This issue typically only occurs on devices that are used for (upgrade) testing. The explanation can be found below.
Since DIGIPASS for Apps 4.10 (and DIGIPASS for Mobile 4.10), the White-Box Cryptography (WBC) feature has been introduced. A new WBC SDK was created and several SDKs have been updated to secure sensitive data with WBC.
On iOS, the Device Binding SDK has been updated to encrypt the device fingerprint stored in the iOS Keychain (for security reasons, because on a jailbroken device, the data contained in the iOS Keychain can be extracted).
This will lead to issues opening the secure storage in the scenario below:
1. Let’s say a device fingerprint A is created with DIGIPASS for Apps/Mobile <= 4.9.x. This fingerprint is added to the iOS Keychain.
2. Now this App is upgraded to DIGIPASS for Apps/Mobile >= 4.10. As a result, the fingerprint already present in the iOS Keychain will be migrated to a device fingerprint XA (encrypted version of the fingerprint).
3. If DIGIPASS for Apps/Mobile >= 4.10 is uninstalled and DIGIPASS for Apps/Mobile <= 4.9 is reinstalled, the encrypted device fingerprint (XA) is still in the iOS Keychain.
4. DIGIPASS for Apps/Mobile <= 4.9 does not know that XA is encrypted and will try to use it.
A device fingerprint in clear text and an encrypted device fingerprint do not have the same length.
As a result, DIGIPASS for Apps/Mobile <= 4.9 will use only a part of XA (XA_Partial).
5. So during activation, DIGIPASS for Apps/Mobile <= 4.9 will use XA_Partial to encrypt the storage. This will succeed and the DIGIPASS will be operational.
6. After an update, DIGIPASS for Apps/Mobile >= 4.10 will try to decrypt the storage with XA instead of XA_Partial (as it is aware of the encryption). This will fail and result in a secureStorageSDKException with error code -4305.
Note that DIGIPASS for Apps is backward compatible, not forward compatible.
Two workarounds exist and one of these needs to be executed before each migration test:
1. Perform a factory reset to clean the iOS Keychain.
2. Reset the iOS Keychain programmatically by using the “deleteDeviceFingerPrint” method of the Device Binding SDK for iOS.
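The scenario above and the second workaround, as an added Python model that is not DIGIPASS SDK code: a dict stands in for the iOS Keychain, a tagged blob for WBC encryption and an HMAC tag for the secure storage's integrity check. It assumes the <= 4.9 side reads a fixed-length fingerprint from whatever entry it finds (the article's XA_Partial) and the >= 4.10 side derives its key from the encrypted entry (the article's XA).

```python
import hashlib
import hmac

# Constructed model, not the DIGIPASS SDK. Values and lengths are assumptions.
ERR_SECURE_STORAGE = -4305
CLEAR_LEN = 16                 # assumed byte length of a clear-text fingerprint
WBC_TAG = b"WBC:"              # marker the >= 4.10 model uses to recognise its own format
TAG_LEN = hashlib.sha256().digest_size
keychain = {}                  # stands in for the iOS Keychain; survives app uninstall


def wbc_encrypt(fp):
    # Stand-in for White-Box encryption: the result is deliberately longer than fp.
    return WBC_TAG + hashlib.sha256(fp).digest() + fp


def wbc_decrypt(blob):
    return blob[len(WBC_TAG) + TAG_LEN:]


def seal(key, data):
    # Secure storage: data protected by a key-dependent tag (stand-in for real encryption).
    return hmac.new(key, data, hashlib.sha256).digest() + data


def open_storage(key, blob):
    tag, data = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return 0 if hmac.compare_digest(tag, expected) else ERR_SECURE_STORAGE


def fingerprint_v49(fresh):
    # <= 4.9 knows nothing about WBC: it stores a clear fingerprint if none exists
    # and reads a fixed-length value from the entry (XA_Partial when it is encrypted).
    if "fp" not in keychain:
        keychain["fp"] = fresh
    return keychain["fp"][:CLEAR_LEN]


def fingerprint_v410():
    # >= 4.10 migrates a clear entry to its encrypted form and decrypts an encrypted one.
    if not keychain["fp"].startswith(WBC_TAG):
        keychain["fp"] = wbc_encrypt(keychain["fp"])
    return wbc_decrypt(keychain["fp"])


def migration_test(delete_fingerprint_first):
    keychain.clear()
    fingerprint_v49(b"A" * CLEAR_LEN)          # step 1: <= 4.9 stores clear fingerprint A
    fingerprint_v410()                         # step 2: upgrade migrates A -> XA
    if delete_fingerprint_first:               # workaround 2: deleteDeviceFingerPrint
        keychain.clear()
    key = fingerprint_v49(b"B" * CLEAR_LEN)    # steps 3-5: reinstall <= 4.9 and activate
    storage = seal(key, b"digipass secret")
    return open_storage(fingerprint_v410(), storage)   # step 6: upgrade, open storage
```

Without the Keychain reset the old build seals the storage with XA_Partial and the upgraded build cannot open it (-4305); with the reset both builds agree on the fingerprint and the open succeeds.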
Applies to: DIGIPASS for Mobile and DIGIPASS for Apps
KB 180034 – 27/02/2017
© 2016 VASCO Data Security. All rights reserved.