Skip to content

MASTG-TECH-0135: Bypassing Biometric Authentication

This technique can typically be used to bypass biometric authentication in apps that perform it by only returning a success or failure result (e.g., if authenticated {...} check) instead of using the SecAccessControlCreateWithFlags Keychain API and requiring user presence.

Method for Jailbroken and Non-jailbroken Devices

If you have a jailbroken device with frida-server installed, you can bypass biometric authentication by running objection with the ios ui biometrics_bypass command:

objection -n "MASTestApp" start
ios ui biometrics_bypass

See the sample output below for using this technique against the Runtime Use of LAContext.evaluatePolicy with Frida demo app.

Method for Non-jailbroken Devices

objection cannot attach to apps on non-jailbroken devices unless the app has been repackaged with the get-task-allow flag. Debugging describes how to re-sign an app with this flag. After re-signing, you can use the same method as with jailbroken devices.