
MASTG-TEST-0269: Runtime Use Of APIs Allowing Fallback to Non-Biometric Authentication

Overview

This test is the dynamic counterpart to References to APIs Allowing Fallback to Non-Biometric Authentication.

Steps

  1. Use runtime method hooking (see Method Hooking) to intercept every call to SecAccessControlCreateWithFlags and record the flags argument passed in each call.

Observation

The output should contain a list of locations where the SecAccessControlCreateWithFlags function is called including all used flags.

Evaluation

The test fails if the app uses SecAccessControlCreateWithFlags with the kSecAccessControlUserPresence or kSecAccessControlDevicePasscode flags for any sensitive data resource that needs protection. kSecAccessControlUserPresence accepts either biometrics or the device passcode, so the passcode fallback is built in; kSecAccessControlDevicePasscode does not require biometrics at all.

The test passes only if the app uses SecAccessControlCreateWithFlags with stricter flags, such as kSecAccessControlBiometryAny or kSecAccessControlBiometryCurrentSet, to enforce biometric-only access for any sensitive data resource that needs protection. kSecAccessControlBiometryCurrentSet is considered the most secure option: the item becomes inaccessible if the enrolled biometric set changes (for example, a fingerprint or face is added), whereas kSecAccessControlBiometryAny keeps accepting any enrolled biometric.

Note that flags can be combined with kSecAccessControlOr and kSecAccessControlAnd, so evaluate the complete bitmask rather than the presence of a single flag: kSecAccessControlBiometryCurrentSet | kSecAccessControlOr | kSecAccessControlDevicePasscode still allows a passcode fallback and therefore fails the test.
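The following Frida script is an added example of the procedure above; it is not the MASTG demo code. It hooks SecAccessControlCreateWithFlags, decodes the flags bitmask into the kSecAccessControl* names (bit values taken from Apple's SecAccessControl.h) and prints a verdict per the evaluation rules, including the kSecAccessControlOr/kSecAccessControlAnd combinations. It assumes the Frida JavaScript API (Interceptor, Process.getModuleByName, ObjC, Thread.backtrace) and the usual usage `frida -U -f <bundle-id> -l script.js`, where `<bundle-id>` is a placeholder. When loaded outside Frida (for example under Node), only the pure decoding functions run, on a few constructed bitmasks.

```javascript
'use strict';

// Flag values from SecAccessControl.h (SecAccessControlCreateFlags).
const FLAGS = {
  kSecAccessControlUserPresence: 1 << 0,
  kSecAccessControlBiometryAny: 1 << 1,
  kSecAccessControlBiometryCurrentSet: 1 << 3,
  kSecAccessControlDevicePasscode: 1 << 4,
  kSecAccessControlWatch: 1 << 5,
  kSecAccessControlOr: 1 << 14,
  kSecAccessControlAnd: 1 << 15,
  kSecAccessControlPrivateKeyUsage: 1 << 30,
  kSecAccessControlApplicationPassword: 0x80000000,
};

// True if the named flag bit is set in the (unsigned 32-bit) bitmask.
function has(flags, name) {
  return ((flags >>> 0) & FLAGS[name]) !== 0;
}

// Map a bitmask to the list of flag names it contains, in header order.
function decodeFlags(flags) {
  return Object.keys(FLAGS).filter((name) => has(flags, name));
}

// Apply the MASTG-TEST-0269 evaluation to one bitmask.
// Verdicts: FAIL (non-biometric access possible), PASS (biometric-only),
// REVIEW (biometry AND passcode: no fallback, but confirm it is intended).
function assess(flags) {
  const biometric = has(flags, 'kSecAccessControlBiometryCurrentSet') ||
                    has(flags, 'kSecAccessControlBiometryAny');
  if (has(flags, 'kSecAccessControlUserPresence')) {
    return { verdict: 'FAIL', reason: 'kSecAccessControlUserPresence accepts biometrics OR device passcode (fallback built in)' };
  }
  if (has(flags, 'kSecAccessControlDevicePasscode')) {
    if (biometric && has(flags, 'kSecAccessControlAnd')) {
      return { verdict: 'REVIEW', reason: 'biometry AND passcode are both required; not a fallback, confirm intent' };
    }
    const reason = biometric && has(flags, 'kSecAccessControlOr')
      ? 'kSecAccessControlOr combines biometry with a device passcode alternative'
      : 'kSecAccessControlDevicePasscode allows access without biometrics';
    return { verdict: 'FAIL', reason };
  }
  if (has(flags, 'kSecAccessControlBiometryCurrentSet')) {
    return { verdict: 'PASS', reason: 'biometric-only; invalidated when the enrolled biometric set changes' };
  }
  if (has(flags, 'kSecAccessControlBiometryAny')) {
    return { verdict: 'PASS', reason: 'biometric-only, but any enrolled biometric is accepted (weaker than CurrentSet)' };
  }
  return { verdict: 'FAIL', reason: 'no biometric constraint in the access control flags' };
}

// One report line per observed call.
function formatCall(protection, flags) {
  const names = decodeFlags(flags).join(' | ') || 'none';
  const result = assess(flags);
  return 'SecAccessControlCreateWithFlags(protection=' + protection +
    ', flags=0x' + (flags >>> 0).toString(16) + ' [' + names + '])' +
    ' -> ' + result.verdict + ': ' + result.reason;
}

if (typeof Interceptor !== 'undefined') {
  // Running under Frida: hook the Security framework export.
  const target = Process.getModuleByName('Security')
    .findExportByName('SecAccessControlCreateWithFlags');
  Interceptor.attach(target, {
    onEnter(args) {
      // args[1] is the protection class, a CFStringRef (toll-free bridged to NSString).
      const protection = (typeof ObjC !== 'undefined' && ObjC.available && !args[1].isNull())
        ? new ObjC.Object(args[1]).toString()
        : args[1].toString();
      const flags = args[2].toUInt32(); // SecAccessControlCreateFlags
      console.log(formatCall(protection, flags));
      console.log('  called from:\n    ' +
        Thread.backtrace(this.context, Backtracer.ACCURATE)
          .map(DebugSymbol.fromAddress).join('\n    '));
    },
  });
} else {
  // Not under Frida: show the decoder on constructed bitmasks (sample input, not captured data).
  [
    FLAGS.kSecAccessControlUserPresence,
    FLAGS.kSecAccessControlBiometryCurrentSet,
    FLAGS.kSecAccessControlBiometryCurrentSet | FLAGS.kSecAccessControlOr | FLAGS.kSecAccessControlDevicePasscode,
  ].forEach((f) => console.log(formatCall('kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly', f)));
}
```

The verdict logic is kept separate from the hook so it can be checked offline and reused on the static counterpart's output; in the hook, the backtrace is what lets you tie each call to the sensitive resource it protects.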

Demos

MASTG-DEMO-0044: Runtime Use of kSecAccessControlUserPresence with Frida