MASTG-TEST-0268: References to APIs Allowing Fallback to Non-Biometric Authentication
Content in BETA
This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).
Draft MASTG-TEST
This test hasn't been created yet and it's in draft. But you can check its status or start working on it yourself. If the issue has not yet been assigned, you can request to be assigned to it and submit a PR with the new content for that test by following our guidelines.
Check our GitHub Issues for MASTG-TEST-0268
If an issue doesn't exist yet, please create one and assign it to yourself or request to be assigned to it.
Draft Description¶
This test statically checks if the app uses the Keychain API to access sensitive resources that should be protected by user authentication (e.g., tokens, keys) relying on the user's passcode instead of biometrics or allowing fallback to device passcode when biometric authentication fails.
For more details, check the associated weakness: Fallback to Non-biometric Credentials Allowed for Sensitive Transactions
Demos¶
MASTG-DEMO-0043: Uses of kSecAccessControlUserPresence with r2