闲谈

最近一直在追青云志,总觉得电视剧没有小说来的精彩。是的,大咖们演技堪称惊艳,剧情改编也很紧凑,但不得不说很多东西单靠演是达不到的,主人公每一刻的内心也只能在小说中才能看的贴切(为了装X,哥不惜二百两买了一沓正版典藏版)。

看过的童鞋知道,张小凡手中的法宝,是由摄魂与嗜血珠以张小凡精血为媒淬炼而成。而且此法宝,有一特大优秀品质,那就是除了与张小凡有血缘关系的人之外,即便你有通天本领也不能操控,忠诚如此夫复何求啊,说到这里大概就扯到正题了,对的,此法宝自带安全验证功能,类似我们今天的密码校验与 纹识别验证 功能。

指纹识别简析

苹果设计的iOS是以安全性为核心的,不管是沙盒机制,还是代码签名等,他们的最终目的都是为了安全。

iOS 安全架构图

自iPhone 5S始,苹果公司推出了全新生物安全识别技术—指纹识别验证(Touch ID)。使得我们可以更快、更轻松地对设备进行安全的访问。可贵的是,Touch ID做到了从任意角度读取指纹数据,克服了基于密码进行锁定的不便。除此之外,苹果还加入必须进行密码校验的场景,进一步确保安全,例如【1】:

  • 刚开机或重启;

  • 超过 48 小时未解锁设备;

  • 设备收到了远程锁定命令;

  • 五次未能成功匹配指纹;

  • 进入Touch ID设置模块或更新新指纹;

最重要的一点,苹果公司提供Touch ID给第三方应用程序使用,程序只会收到认证是否成功的通知,而无法访问 Touch ID 或与已注册指纹相关的数据,这一点对安全而言尤为重要。

为了获得更高的安全性,很多银行类、支付类APP都集成了指纹、手势等二次验证功能。今天我们就重点来谈谈Touch ID集成到APP的具体流程及实现。

流程分析

指纹登录流程:

首次登录.png

二次启动后识别登录:

指纹验证登录.png

使用过指纹登录的朋友,大概都知道上面的流程。这个业务实现的难点在于,首次登录成功并启用指纹授权—>退出APP后—>二次启动APP,如何判断是否要启用指纹登录验证呢?这时就需要我们对数据持久化和数据共享有较深的理解,很多APP开发者,在开发 登录保持 的时候,大都会使用持久化数据的方式,存储 成功登录 的标记。但对于安全性较高的APP,每次重新启动时都会校验登录状态,单靠持久化数据是不够的。

我的解决方案是:

通过三个数据进行 登录保持 ,

  • loginState:持久化数据,用于存储用户登录成功,未激活状态;

  • startAutoLoginState:持久化数据,是否开启指纹识别授权;

  • isAppCurrentLoginState:共享数据,登录激活状态,该状态的特点,每次重新启动APP都会重新初始化数据。

首次登录:

三个数据变化情况,

状态 loginState startAutoLoginState isAppCurrentLoginState
登录之前 null或NO null或NO NO
登录成功 YES null或NO YES
启用指纹授权 YES YES YES
不启用授权 YES NO YES

二次验证登录(指纹登录):

三个数据变化情况,

  • 如果loginState和startAutoLoginState同为YES,即可进行指纹登录验证,以下为数据变化情况;

状态 loginState startAutoLoginState isAppCurrentLoginState
验证之前 YES YES NO
验证失败 NO YES NO
验证成功 YES YES YES
  • 否则,重新登录。

核心代码实现

判断设备是否支持指纹识别

/**
 * 判断设备是否支持指纹识别
 */ - (IBAction)loginBtnAction:(UIButton *)sender
{

    [[NSUserDefaults standardUserDefaults] setObject:[NSNumber numberWithBool:YES] forKey:@"loginState"];

    EVNHelper *helper = [EVNHelper shareHelper];
    helper.isAppCurrentLoginState = YES;

    LAContext *context = [[LAContext alloc] init]; // 初始化上下文对象 NSError *error = nil; // 判断设备是否支持指纹识别功能 if ([context canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics error:&error])
    { // 支持指纹验证 UIAlertController *alertController = [UIAlertController alertControllerWithTitle:@"登录成功!" message:@"是否启用指纹登录" preferredStyle:UIAlertControllerStyleAlert];

        __weak typeof (self) weakSelf = self; UIAlertAction *cancelAction = [UIAlertAction actionWithTitle:@"稍后" style:UIAlertActionStyleCancel handler:^(UIAlertAction * _Nonnull action) {

            [[NSUserDefaults standardUserDefaults] setObject:[NSNumber numberWithBool:NO] forKey:@"startAutoLoginState"];
            weakSelf.transLoginStateBlock(); // 回传 [self dismissViewControllerAnimated:YES completion:nil];
        }]; UIAlertAction *startUseAction = [UIAlertAction actionWithTitle:@"启用" style:UIAlertActionStyleDestructive handler:^(UIAlertAction * _Nonnull action) {

            [[NSUserDefaults standardUserDefaults] setObject:[NSNumber numberWithBool:YES] forKey:@"startAutoLoginState"];
            weakSelf.transLoginStateBlock(); // 回传 [self dismissViewControllerAnimated:YES completion:nil];

        }];
        [alertController addAction:cancelAction];
        [alertController addAction:startUseAction];

        [self presentViewController:alertController animated:YES completion:nil];
    } else {
        [[NSUserDefaults standardUserDefaults] setObject:[NSNumber numberWithBool:NO] forKey:@"startAutoLoginState"]; self.transLoginStateBlock(); // 回传 [self dismissViewControllerAnimated:YES completion:nil];
    }

}

指纹登录验证

/**
 * 指纹登录验证
 */ - (void)loadAuthentication
{
    __weak typeof(self) weakSelf = self;

    LAContext *myContext = [[LAContext alloc] init]; // 这个属性是设置指纹输入失败之后的弹出框的选项 myContext.localizedFallbackTitle = @"忘记密码"; NSError *authError = nil; NSString *myLocalizedReasonString = @"请按住Home键完成验证"; // MARK: 判断设备是否支持指纹识别 if ([myContext canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics error:&authError])
    {
        [myContext evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics localizedReason:myLocalizedReasonString reply:^(BOOL success, NSError * _Nullable error) { if(success)
            { NSLog(@"指纹认证成功");

                weakSelf.helper.isAppCurrentLoginState = YES;

                weakSelf.logoutBtnAction.hidden = NO;
                weakSelf.userInfo.text = @"仁伯安";
            } else {
                weakSelf.helper.isAppCurrentLoginState = NO; NSLog(@"指纹认证失败,%@",error.description); NSLog(@"%ld", (long)error.code); // 错误码 error.code switch (error.code)
                { case LAErrorAuthenticationFailed: // Authentication was not successful, because user failed to provide valid credentials { NSLog(@"授权失败"); // -1 连续三次指纹识别错误 } break; case LAErrorUserCancel: // Authentication was canceled by user (e.g. tapped Cancel button) { NSLog(@"用户取消验证Touch ID"); // -2 在TouchID对话框中点击了取消按钮 } break; case LAErrorUserFallback: // Authentication was canceled, because the user tapped the fallback button (Enter Password) {
                        [[NSOperationQueue mainQueue] addOperationWithBlock:^{ NSLog(@"用户选择输入密码,切换主线程处理"); // -3 在TouchID对话框中点击了输入密码按钮 }];

                    } break; case LAErrorSystemCancel: // Authentication was canceled by system (e.g. another application went to foreground) { NSLog(@"取消授权,如其他应用切入,用户自主"); // -4 TouchID对话框被系统取消,例如按下Home或者电源键 } break; case LAErrorPasscodeNotSet: // Authentication could not start, because passcode is not set on the device. { NSLog(@"设备系统未设置密码"); // -5 } break; case LAErrorTouchIDNotAvailable: // Authentication could not start, because Touch ID is not available on the device { NSLog(@"设备未设置Touch ID"); // -6 } break; case LAErrorTouchIDNotEnrolled: // Authentication could not start, because Touch ID has no enrolled fingers { NSLog(@"用户未录入指纹"); // -7 } break; #if __IPHONE_OS_VERSION_MAX_ALLOWED >= __IPHONE_9_0 case LAErrorTouchIDLockout: //Authentication was not successful, because there were too many failed Touch ID attempts and Touch ID is now locked. Passcode is required to unlock Touch ID, e.g. evaluating LAPolicyDeviceOwnerAuthenticationWithBiometrics will ask for passcode as a prerequisite 用户连续多次进行Touch ID验证失败,Touch ID被锁,需要用户输入密码解锁,先Touch ID验证密码 { NSLog(@"Touch ID被锁,需要用户输入密码解锁"); // -8 连续五次指纹识别错误,TouchID功能被锁定,下一次需要输入系统密码 } break; case LAErrorAppCancel: // Authentication was canceled by application (e.g. invalidate was called while authentication was in progress) 如突然来了电话,电话应用进入前台,APP被挂起啦"); { NSLog(@"用户不能控制情况下APP被挂起"); // -9 } break; case LAErrorInvalidContext: // LAContext passed to this call has been previously invalidated. { NSLog(@"LAContext传递给这个调用之前已经失效"); // -10 } break; #else #endif default:
                    {
                        [[NSOperationQueue mainQueue] addOperationWithBlock:^{ NSLog(@"其他情况,切换主线程处理");
                        }]; break;
                    }
                }
            }
        }];
    } else { NSLog(@"设备不支持指纹"); NSLog(@"%ld", (long)authError.code);
        weakSelf.helper.isAppCurrentLoginState = NO; switch (authError.code)
        { case LAErrorTouchIDNotEnrolled:
            { NSLog(@"Authentication could not start, because Touch ID has no enrolled fingers"); break;
            } case LAErrorPasscodeNotSet:
            { NSLog(@"Authentication could not start, because passcode is not set on the device"); break;
            } default:
            { NSLog(@"TouchID not available"); break;
            }
        }
    }
}

 

参考文献:

【1】 iOS security guide ;

【2】 Apple Objective-C ;

【3】 Apple Swift API .

 

来自:http://www.jianshu.com/p/67fd93408517