Skip to content

MASTG-TEST-0268: References to APIs Allowing Fallback to Non-Biometric Authentication

Overview

This test checks if the app uses authentication mechanisms that rely on the user's passcode instead of biometrics or allow fallback to device passcode when biometric authentication fails. Specifically, it checks for use of kSecAccessControlDevicePasscode or kSecAccessControlUserPresence.

The kSecAccessControlUserPresence flag is described in the Apple docs as the option that's typically used as it "lets the system choose a mechanism, depending on the current situation". However, this allows fallback to passcode in some cases (e.g. when biometrics aren't configured yet), which is considered weaker than requiring biometrics alone because passcodes are more susceptible to compromise (e.g., through shoulder surfing).

Note: This test does not consider LAPolicy.deviceOwnerAuthentication for LocalAuthentication flows because that shouldn't be used on its own. See References to APIs for Event-Bound Biometric Authentication.

Steps

  1. Run a static analysis scan using radare2 for iOS to detect usage of SecAccessControlCreateWithFlags with the kSecAccessControlUserPresence or kSecAccessControlDevicePasscode flags.

Observation

The output should contain a list of locations where relevant APIs are used.

Evaluation

The test fails if the app uses SecAccessControlCreateWithFlags with the kSecAccessControlUserPresence or kSecAccessControlDevicePasscode flags for any sensitive data resource that needs protection.

The test passes only if the app uses SecAccessControlCreateWithFlags with stricter flags, such as kSecAccessControlBiometryAny, kSecAccessControlBiometryCurrentSet to enforce biometric-only access for any sensitive data resource that needs protection (being kSecAccessControlBiometryCurrentSet the one considered the most secure).

Note: Using kSecAccessControlUserPresence or kSecAccessControlDevicePasscode is not inherently a vulnerability, but in high-security applications (e.g., finance, government, health), their use can represent a weakness or misconfiguration that reduces the intended security posture. So this issue better categorized as a security weakness or hardening issue, not a critical vulnerability.

Demos

MASTG-DEMO-0043: Uses of kSecAccessControlUserPresence with r2