
MASTG-TEST-0248: References to APIs for Detecting Secure Screen Lock

Content in BETA

This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).


Overview

This test verifies that an app checks whether it is running on a device with a secure screen lock (e.g. a passcode) before handling sensitive data.

On iOS, apps can determine whether a secure screen lock is set using the LocalAuthentication framework. Specifically, the LAContext.canEvaluatePolicy(_:error:) method with the .deviceOwnerAuthentication or .deviceOwnerAuthenticationWithBiometrics policy can be used to check if authentication mechanisms, including a passcode, are available.

Apps leveraging the Keychain Services API can require passcode authentication before accessing sensitive data using the kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly attribute.
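The following Swift snippet is an added illustration of the two mechanisms described above; it is not code from the MASTG project. It shows what a static analyst should expect to find in a compliant app: a call to `LAContext.canEvaluatePolicy(_:error:)` with `.deviceOwnerAuthentication`, where a missing passcode surfaces as `LAError.passcodeNotSet`, and a Keychain item stored with `kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly`, which the system refuses to return (and deletes) once the passcode is switched off. The service name `com.example.screenlockdemo` is a constructed placeholder.

```swift
import Foundation
import LocalAuthentication
import Security

/// Outcome of the secure-screen-lock check. Telling "no passcode set" apart from
/// other evaluation errors matters, because only the first case means the device
/// has no secure screen lock at all.
enum ScreenLockStatus {
    case available            // a passcode (or biometrics backed by a passcode) is set
    case passcodeNotSet       // the device has no secure screen lock
    case unknown(Error?)      // some other evaluation error (e.g. policy unavailable)
}

/// Ask LocalAuthentication whether device-owner authentication can be evaluated.
/// canEvaluatePolicy only reports availability; it does not prompt the user.
/// With no passcode configured it returns false and sets LAError.passcodeNotSet.
func checkSecureScreenLock() -> ScreenLockStatus {
    let context = LAContext()
    var error: NSError?
    if context.canEvaluatePolicy(.deviceOwnerAuthentication, error: &error) {
        return .available
    }
    if let laError = error as? LAError, laError.code == .passcodeNotSet {
        return .passcodeNotSet
    }
    return .unknown(error)
}

private let keychainService = "com.example.screenlockdemo"   // constructed identifier

/// Store a secret that is only accessible while a passcode is set on this device.
/// kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly also prevents the item from
/// migrating to other devices via backup, and SecItemAdd fails with
/// errSecNotAvailable if no passcode is set at the time of writing.
func storePasscodeProtectedSecret(account: String, data: Data) -> OSStatus {
    let baseQuery: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: keychainService,
        kSecAttrAccount as String: account,
    ]
    // Replace any existing item with the same service/account.
    SecItemDelete(baseQuery as CFDictionary)

    var addQuery = baseQuery
    addQuery[kSecAttrAccessible as String] = kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly
    addQuery[kSecValueData as String] = data
    return SecItemAdd(addQuery as CFDictionary, nil)
}

/// Read the secret back. Once the passcode has been removed the system deletes the
/// item, so this returns nil (errSecItemNotFound) rather than exposing the data.
func readPasscodeProtectedSecret(account: String) -> Data? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: keychainService,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var result: AnyObject?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    return status == errSecSuccess ? result as? Data : nil
}

// Usage: gate sensitive functionality on the check before touching the Keychain.
switch checkSecureScreenLock() {
case .available:
    let status = storePasscodeProtectedSecret(account: "session-token",
                                              data: Data("constructed-token".utf8))
    print("keychain store status: \(status)")   // errSecSuccess (0) when a passcode is set
case .passcodeNotSet:
    print("no secure screen lock; refusing to store sensitive data")
case .unknown(let err):
    print("could not evaluate screen lock policy: \(String(describing: err))")
}
```

When auditing a binary, these are the concrete artifacts the step below looks for: the `canEvaluatePolicy:error:` selector (or its Swift symbol) imported from LocalAuthentication, and a reference to the exported `kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly` constant from the Security framework. An app that uses `.deviceOwnerAuthenticationWithBiometrics` instead should be read the same way, since that policy also requires a passcode to be set.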

Steps

  1. Run a static analysis tool such as radare2 for iOS on the app binary and look for uses of LAContext.canEvaluatePolicy(.deviceOwnerAuthentication) API, or data stored with kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly attribute.

Observation

The output should contain a list of locations where relevant APIs are used.

Evaluation

The test fails if the app does not use any API to verify that a secure screen lock is present.

Demos

MASTG-DEMO-0024: Uses of LAContext.canEvaluatePolicy with r2