MASTG-TEST-0270: References to APIs Detecting Biometric Enrollment Changes
Overview
This test checks whether the app fails to protect sensitive operations against unauthorized access following biometric enrollment changes. An attacker who obtains the device passcode could add a new fingerprint or facial representation via system settings and use it to authenticate in the app.
The test identifies the absence of the kSecAccessControlBiometryCurrentSet access control flag when storing sensitive items in the Keychain via SecAccessControlCreateWithFlags. This flag ensures that the associated Keychain item becomes inaccessible if the biometric database changes (e.g., when a new fingerprint or face is added). As a result, only users whose biometric data was enrolled at the time the item was created can unlock it, preventing unauthorized access through later-enrolled biometrics.
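The following Swift snippet is an added illustration, not code from the MASTG project or from any app under test. It places the weak access-control setup (biometryAny, which accepts biometrics enrolled after the item was created) next to the hardened one (biometryCurrentSet), wraps both in the Keychain calls an app would actually make, and shows how a reader detects the enrollment-change case: after a new fingerprint or face is enrolled, the Keychain reports the biometryCurrentSet-protected item as not found. The store type, account name and accessibility class are assumptions chosen for the example.

```swift
import Foundation
import Security

// Example helper (not part of MASTG): compares the weak and hardened
// SecAccessControlCreateWithFlags configurations for a Keychain secret.
enum BiometricKeychainExample {

    // WEAK: .biometryAny lets any enrolled biometric unlock the item,
    // including one added later by someone who knows the device passcode.
    static func weakAccessControl() -> SecAccessControl? {
        var error: Unmanaged<CFError>?
        return SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
            .biometryAny,
            &error)
    }

    // HARDENED: .biometryCurrentSet binds the item to the biometric set that
    // existed at creation time; adding or removing a fingerprint/face
    // invalidates the item, which is what this test looks for.
    static func hardenedAccessControl() -> SecAccessControl? {
        var error: Unmanaged<CFError>?
        return SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
            .biometryCurrentSet,
            &error)
    }

    // Stores a secret under the given access control object.
    static func store(secret: Data, account: String, accessControl: SecAccessControl) -> OSStatus {
        let baseQuery: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrAccount as String: account
        ]
        // Remove any previous item so SecItemAdd does not fail with errSecDuplicateItem.
        SecItemDelete(baseQuery as CFDictionary)

        var addQuery = baseQuery
        addQuery[kSecAttrAccessControl as String] = accessControl
        addQuery[kSecValueData as String] = secret
        return SecItemAdd(addQuery as CFDictionary, nil)
    }

    // Reads the secret back; this triggers the biometric prompt.
    // For a .biometryCurrentSet item whose biometric set has changed since
    // creation, the system returns errSecItemNotFound rather than the data.
    static func read(account: String) -> (status: OSStatus, data: Data?) {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrAccount as String: account,
            kSecReturnData as String: true,
            kSecMatchLimit as String: kSecMatchLimitOne
        ]
        var result: AnyObject?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        return (status, status == errSecSuccess ? result as? Data : nil)
    }

    // Usage sketch (assumed account name and constructed secret).
    static func demo() {
        let secret = Data("session-token-example".utf8) // constructed sample value
        guard let ac = hardenedAccessControl() else { return }
        let addStatus = store(secret: secret, account: "com.example.app.token", accessControl: ac)
        guard addStatus == errSecSuccess else { return }

        let readBack = read(account: "com.example.app.token")
        if readBack.status == errSecItemNotFound {
            // Biometric enrollment changed since the item was stored: treat the
            // cached secret as gone and require a full re-authentication.
        }
    }
}
```

The detection side of the test is the inverse of this snippet: in the binary, a call to SecAccessControlCreateWithFlags whose flags argument lacks kSecAccessControlBiometryCurrentSet (for example only kSecAccessControlBiometryAny or kSecAccessControlUserPresence) protects a secret that a later-enrolled biometric can still unlock.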
Steps
- Run a static analysis tool such as radare2 for iOS on the app binary and look for uses of the SecAccessControlCreateWithFlags API with the kSecAccessControlBiometryCurrentSet flag.
Observation
The output should contain a list of locations where relevant APIs are used.
Evaluation
The test fails if the app uses SecAccessControlCreateWithFlags with any flag except the kSecAccessControlBiometryCurrentSet flag for any sensitive data resource worth protecting.
Demos
MASTG-DEMO-0045: Uses of kSecAccessControlBiometryCurrentSet with r2