MASTG-TEST-0270: References to APIs Detecting Biometric Enrollment Changes

Overview

This test checks whether the app fails to protect sensitive operations against unauthorized access following biometric enrollment changes. An attacker who obtains the device passcode could add a new fingerprint or facial representation via system settings and use it to authenticate in the app.

The test identifies the absence of the kSecAccessControlBiometryCurrentSet access control flag when storing sensitive items in the Keychain via SecAccessControlCreateWithFlags. This flag ensures that the associated Keychain item becomes inaccessible if the biometric database changes (e.g., when a new fingerprint or face is added). As a result, only users whose biometric data was enrolled at the time the item was created can unlock it, preventing unauthorized access through later-enrolled biometrics.
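As an added illustration (not code from MASTG or from any app it tests), the following Swift shows the weak and the hardened Keychain pattern side by side: the same item stored with .biometryAny, which later-enrolled biometrics can still unlock, versus .biometryCurrentSet, which invalidates the item once enrollment changes. The helper names and the service string are assumptions.

```swift
import Foundation
import Security
import LocalAuthentication

// Helper names (saveToken/loadToken) and the service string are assumptions for this example.
enum KeychainError: Error { case accessControl(CFError?); case status(OSStatus) }
private let service = "com.example.app.session" // assumed identifier

private func baseQuery(account: String) -> [String: Any] {
    return [kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account]
}

/// Stores `secret` gated by biometrics.
/// bindToCurrentEnrollment == false reproduces the weak pattern this test flags (.biometryAny):
/// a finger or face enrolled after the item was created can also unlock it.
/// bindToCurrentEnrollment == true uses .biometryCurrentSet: the item is invalidated
/// as soon as the biometric enrollment changes.
func saveToken(_ secret: Data, account: String, bindToCurrentEnrollment: Bool) throws {
    let flags: SecAccessControlCreateFlags = bindToCurrentEnrollment ? .biometryCurrentSet : .biometryAny
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, // not synced; removed if the passcode is disabled
            flags, &cfError) else {
        throw KeychainError.accessControl(cfError?.takeRetainedValue())
    }
    var add = baseQuery(account: account)
    add[kSecAttrAccessControl as String] = access
    add[kSecValueData as String] = secret
    SecItemDelete(baseQuery(account: account) as CFDictionary) // drop any earlier copy first
    let status = SecItemAdd(add as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
}

/// Reads the item back; the system shows the Face ID / Touch ID prompt.
/// With .biometryCurrentSet the read fails after a new finger or face is enrolled,
/// so the app must fall back to a full re-authentication instead of trusting the item.
func loadToken(account: String) throws -> Data {
    let context = LAContext()
    context.localizedReason = "Unlock your session"
    var query = baseQuery(account: account)
    query[kSecReturnData as String] = true
    query[kSecUseAuthenticationContext as String] = context
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess, let data = result as? Data else { throw KeychainError.status(status) }
    return data
}
```

In a static review, the call with .biometryAny is exactly what this test reports; only items created through the .biometryCurrentSet path survive the evaluation criterion.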

Steps

  1. Run a static analysis tool such as radare2 for iOS on the app binary and look for uses of the SecAccessControlCreateWithFlags API, checking whether the kSecAccessControlBiometryCurrentSet flag is passed to it.

Observation

The output should contain a list of locations where relevant APIs are used.

Evaluation

The test fails if the app uses SecAccessControlCreateWithFlags with any flag except the kSecAccessControlBiometryCurrentSet flag for any sensitive data resource worth protecting.

Demos

MASTG-DEMO-0045: Uses of kSecAccessControlBiometryCurrentSet with r2