MASTG-TEST-0267: Runtime Use Of Event-Bound Biometric Authentication
Overview¶
This test is the dynamic counterpart to References to APIs for Event-Bound Biometric Authentication.
Steps¶
- Use runtime method hooking (see Method Hooking) and look for uses of LAContext.evaluatePolicy(...) and
SecAccessControlCreateWithFlags, including all flags.
Observation¶
The output should contain a list of locations where the LAContext.evaluatePolicy and SecAccessControlCreateWithFlags functions are called including all used flags.
Evaluation¶
The test fails if for each sensitive data resource worth protecting:
LAContext.evaluatePolicyis used explicitly.- There are no calls to
SecAccessControlCreateWithFlagsrequiring user presence with any of the possible flags.
Demos¶
MASTG-DEMO-0042: Runtime Use of LAContext.evaluatePolicy with Frida