Platform

android

MASVS v1 MSTG-AUTH-1 MSTG-STORAGE-11

MASVS v2 MASVS-AUTH-2

Last updated: May 08, 2023

Testing Confirm Credentials

Overview

Static Analysis

Make sure that the unlocked key is used during the application flow. For example, the key may be used to decrypt local storage or a message received from a remote endpoint. If the application simply checks whether the user has unlocked the key or not, the application may be vulnerable to a local authentication bypass.

Dynamic Analysis

Validate the duration of time (seconds) for which the key is authorized to be used after the user is successfully authenticated. This is only needed if setUserAuthenticationRequired is used.