MASTG-TEST-0270: References to APIs Detecting Biometric Enrollment Changes
Overview
This test checks whether the app fails to protect sensitive operations against unauthorized access following biometric enrollment changes. An attacker who obtains the device passcode could add a new fingerprint or facial representation via system settings and use it to authenticate in the app.
The test identifies the absence of the kSecAccessControlBiometryCurrentSet access control flag when storing sensitive items in the Keychain via SecAccessControlCreateWithFlags. This flag ensures that the associated Keychain item becomes inaccessible if the biometric database changes (e.g., when a new fingerprint or face is added). As a result, only users whose biometric data was enrolled at the time the item was created can unlock it, preventing unauthorized access through later-enrolled biometrics.
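The following Swift snippet is an added illustration, not code from MASTG or from any app under test. It shows the weak and the correct variant side by side: storing a secret with `.biometryAny` keeps it readable by any biometric enrolled later, while `.biometryCurrentSet` binds it to the set enrolled at creation time. The names `SecretStore`, `KeychainError`, the service identifier and the account name are assumed for the example.

```swift
import Foundation
import LocalAuthentication
import Security

// Added example (assumed names); demonstrates the flag this test looks for.
enum KeychainError: Error {
    case accessControl(CFError?)
    case status(OSStatus)
}

struct SecretStore {
    let service = "com.example.app" // assumed service identifier

    /// Stores `secret` behind biometric authentication.
    /// - bindToCurrentBiometrics == false -> `.biometryAny` (the weak setting this test flags):
    ///   a fingerprint or face enrolled after the item was created can still unlock it.
    /// - bindToCurrentBiometrics == true  -> `.biometryCurrentSet` (expected by MASTG-TEST-0270):
    ///   any change to the enrolled biometric set invalidates the item.
    func store(_ secret: Data, account: String, bindToCurrentBiometrics: Bool = true) throws {
        let flags: SecAccessControlCreateFlags =
            bindToCurrentBiometrics ? .biometryCurrentSet : .biometryAny

        var cfError: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            // Item is only available while a passcode is set and never migrates to another device.
            kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
            flags,
            &cfError
        ) else {
            throw KeychainError.accessControl(cfError?.takeRetainedValue())
        }

        let lookup: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
        // Replace any previous item for this account; a "not found" result here is fine.
        SecItemDelete(lookup as CFDictionary)

        var item = lookup
        item[kSecAttrAccessControl as String] = access
        item[kSecValueData as String] = secret

        let status = SecItemAdd(item as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.status(status) }
    }

    /// Reads the secret; the system prompts for biometrics using `reason`.
    func read(account: String, reason: String) throws -> Data {
        let context = LAContext()
        context.localizedReason = reason

        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecReturnData as String: true,
            kSecMatchLimit as String: kSecMatchLimitOne,
            kSecUseAuthenticationContext as String: context,
        ]

        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        guard status == errSecSuccess, let data = result as? Data else {
            // With .biometryCurrentSet, a changed biometric set makes this call fail
            // (reported as errSecItemNotFound). Treat that as "secret is gone, re-establish
            // it through a full login", not as a transient error to retry.
            throw KeychainError.status(status)
        }
        return data
    }
}
```

When reviewing a binary rather than source, the flags reach `SecAccessControlCreateWithFlags` as its third argument, an integer bitmask built from the constants in `SecAccessControl.h` (`kSecAccessControlBiometryAny` is `1 << 1`, `kSecAccessControlBiometryCurrentSet` is `1 << 3`), so a call site whose flags value lacks the `1 << 3` bit is the condition this test reports. Note that the invalidation on enrollment change is enforced by the Keychain, so the app's own error handling (above, in `read`) has to be prepared for an item that silently stops existing.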
Steps
- Use Exploring the App Package to extract the relevant binaries from the app package.
- Use Static Analysis on iOS to look for the relevant APIs in the app binaries.
Observation
The output should contain a list of locations where relevant APIs are used.
Evaluation
The test case fails if the app calls SecAccessControlCreateWithFlags without the kSecAccessControlBiometryCurrentSet flag (i.e., with any other flag combination) for any sensitive data resource worth protecting.
Demos
MASTG-DEMO-0045: Uses of kSecAccessControlBiometryCurrentSet with r2