
MASTG-TEST-0329: References to APIs Enforcing Authentication without Explicit User Action

Overview

This test checks whether the app enforces biometric authentication ( Biometric Authentication) without requiring an explicit user action. With the platform API android.hardware.biometrics.BiometricPrompt (or its Jetpack counterpart androidx.biometric.BiometricPrompt, which provides backward compatibility down to API level 23), the setConfirmationRequired() method on BiometricPrompt.Builder (BiometricPrompt.PromptInfo.Builder in the Jetpack library) controls whether the user must explicitly confirm a successful biometric match before the app is notified. It defaults to true. The setting only matters for passive modalities such as face or iris recognition, which can complete without any deliberate action by the user; fingerprint already requires a touch.

Steps

  1. Run a static analysis ( Static Analysis on Android) tool to identify instances of the relevant APIs.

Observation

The output should include a list of locations where the relevant APIs are used.

Evaluation

The test fails if the app sets setConfirmationRequired() to false for sensitive operations that require explicit user authorization.

The test passes if the app either:

  • Sets setConfirmationRequired() to true explicitly for sensitive operations, or
  • Relies on the default behavior, which requires confirmation.

Note

Using setConfirmationRequired(false) is not inherently a vulnerability. It may be appropriate for low-risk operations (for example, re-authenticating for a session the user already authorized), but for sensitive operations like payments or access to protected data the app should call setConfirmationRequired(true) or rely on the default, so that the user explicitly confirms the authentication rather than being authenticated by merely glancing at the device. Note that the value is only a hint to the system: it may be ignored, for instance when the user has disabled passive authentication in Settings, and the Jetpack library ignores it on devices running versions prior to API level 29. An app should therefore not rely on setConfirmationRequired(false) for any behavior and should never rely on the absence of the setting being enforced by the platform.
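The following is an added Kotlin example, not code from MASTG or from any app under test, showing the two patterns the Evaluation section distinguishes with the Jetpack androidx.biometric API: a payment that requires explicit confirmation (passes) next to a low-risk convenience unlock that disables it (acceptable only because nothing sensitive depends on it). The class name PaymentActivity and the helpers submitPayment() and renderBalance() are hypothetical placeholders.

```kotlin
// Added example (not MASTG or project code): androidx.biometric prompts for a
// sensitive operation and a low-risk one. PaymentActivity, submitPayment() and
// renderBalance() are hypothetical names.
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity

class PaymentActivity : FragmentActivity() {

    // Builds a prompt whose success callback runs onSuccess(); errors and
    // non-matching attempts never reach the protected action.
    private fun newPrompt(onSuccess: () -> Unit): BiometricPrompt {
        val executor = ContextCompat.getMainExecutor(this)
        val callback = object : BiometricPrompt.AuthenticationCallback() {
            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                onSuccess()
            }
            override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
                // Cancelled, locked out, no enrolled biometrics, etc.: do not proceed.
            }
            override fun onAuthenticationFailed() {
                // One attempt did not match; the prompt stays open for a retry.
            }
        }
        return BiometricPrompt(this, executor, callback)
    }

    // Passes the test: a payment requires explicit confirmation. On passive
    // modalities (face, iris) the system shows a confirm button after the match;
    // fingerprint already needs a touch. Omitting the call entirely also passes,
    // because the default is true.
    fun authorizePayment(amountCents: Long) {
        val info = BiometricPrompt.PromptInfo.Builder()
            .setTitle("Confirm payment")
            .setSubtitle("Authorize %.2f".format(amountCents / 100.0))
            .setConfirmationRequired(true)
            .setAllowedAuthenticators(BIOMETRIC_STRONG)
            .setNegativeButtonText("Cancel")
            .build()
        newPrompt { submitPayment(amountCents) }.authenticate(info)
    }

    // Would fail the test if used for a sensitive operation. Acceptable here only
    // because revealing an already-authorized cached view is low risk; a passive
    // face match alone unlocks it. The flag is a hint and may be ignored by the
    // system, and the Jetpack library ignores it below API level 29.
    fun showCachedBalance() {
        val info = BiometricPrompt.PromptInfo.Builder()
            .setTitle("Unlock balance")
            .setConfirmationRequired(false)
            .setAllowedAuthenticators(BIOMETRIC_STRONG)
            .setNegativeButtonText("Cancel")
            .build()
        newPrompt { renderBalance() }.authenticate(info)
    }

    private fun submitPayment(amountCents: Long) { /* hypothetical: call the payment backend */ }
    private fun renderBalance() { /* hypothetical: show the cached balance view */ }
}
```

When reviewing static-analysis output for this test, look at what the success callback of each prompt guards: a setConfirmationRequired(false) whose callback leads to a transfer, a key-backed signature, or a read of protected data is the failing case; one that only re-opens a screen the user already authenticated for is the kind of low-risk use the Note describes.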

Demos

MASTG-DEMO-0092: Uses of BiometricPrompt without Explicit User Confirmation with semgrep