MASTG-TEST-0269: Runtime Use Of APIs Allowing Fallback to Non-Biometric Authentication

Overview

This test is the dynamic counterpart to References to APIs Allowing Fallback to Non-Biometric Authentication.

Steps

1. Use runtime method hooking (see Method Hooking) and look for uses of SecAccessControlCreateWithFlags and specific flags.

Observation

The output should contain a list of locations where the SecAccessControlCreateWithFlags function is called including all used flags.

Evaluation

The test case fails if the app uses SecAccessControlCreateWithFlags with the kSecAccessControlUserPresence or kSecAccessControlDevicePasscode flags for any sensitive data resource that needs protection.

Demos

MASTG-DEMO-0044: Runtime Use of kSecAccessControlUserPresence with Frida