
> And how exactly will they do that on a non-jailbroken fully updated iOS installation?

This is irrelevant because banks need to support people using older versions of iOS as well.

> Not to mention that iOS apps keep those kinds of secrets in the Secure Enclave

iOS doesn’t store tokens in the Secure Enclave. It can generate keys and use them to sign things, but keys and tokens are different things. The Secure Enclave isn’t a generic secret store, it has very specific, limited functionality. Are you perhaps mixing it up with the keychain?

Also, you didn’t answer the question:

> What kind of token? How does it obtain it?

It’s still unclear whether you are thinking of a static token bundled with the application or a per-user token obtained during first use. In the former case attackers can just download the IPA and extract it themselves without even thinking about attacking a user’s device. In the latter case, you need a mechanism to distribute tokens to untrusted devices, so that is the most likely entry point for an attack, not trying to obtain an existing token after the fact.
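The distinction drawn above, as an added illustration that is not the commenter's code nor taken from any real banking app: with Apple's Security framework, a Secure Enclave key yields only a key handle and signatures, while an opaque per-user token goes into the keychain. The `tag` and `service` strings are placeholder values.

```swift
import Foundation
import Security

enum SecureStorage {
    // Generate an EC P-256 key whose private half lives inside the Secure Enclave.
    // The enclave can sign with it but never exports it; that is what it is for.
    static func makeEnclaveSigningKey(tag: String) throws -> SecKey {
        var err: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
            nil, kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
            [.privateKeyUsage], &err) else { throw err!.takeRetainedValue() }
        let attrs: [String: Any] = [
            kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
            kSecAttrKeySizeInBits as String: 256,
            kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
            kSecPrivateKeyAttrs as String: [
                kSecAttrIsPermanent as String: true,
                kSecAttrApplicationTag as String: Data(tag.utf8),
                kSecAttrAccessControl as String: access,
            ],
        ]
        guard let key = SecKeyCreateRandomKey(attrs as CFDictionary, &err) else {
            throw err!.takeRetainedValue()
        }
        return key
    }

    // Sign a server-issued challenge with the enclave key (e.g. during device binding).
    static func sign(_ message: Data, with key: SecKey) throws -> Data {
        var err: Unmanaged<CFError>?
        guard let sig = SecKeyCreateSignature(
            key, .ecdsaSignatureMessageX962SHA256, message as CFData, &err) else {
            throw err!.takeRetainedValue()
        }
        return sig as Data
    }
    // An opaque per-user token, by contrast, is stored in the keychain, not the enclave.
    static func storeToken(_ token: Data, service: String) -> OSStatus {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
        ]
        SecItemDelete(query as CFDictionary)   // replace any previously stored token
        var item = query
        item[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        item[kSecValueData as String] = token
        return SecItemAdd(item as CFDictionary, nil)
    }
}
```

Note that the keychain item is still readable by the app on an unlocked device, which is the point made above: the enclave protects a signing key, not whatever token the app chooses to hold.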


