Skip to content

OWASP Mobile Application Security

MASTG-TEST-0246: Runtime Use of Secure Screen Lock Detection APIs

OWASP/owasp-mastg

MASTG-TEST-0246: Runtime Use of Secure Screen Lock Detection APIs

Overview¶

This test is the dynamic counterpart to References to APIs for Detecting Secure Screen Lock.

Steps¶

Run a dynamic analysis tool like Frida for iOS and look for uses of LAContext.canEvaluatePolicy(.deviceOwnerAuthentication) API or data stored with kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly attribute.

Observation¶

The output should contain a list of locations where relevant APIs are used.

Evaluation¶

The test fails if an app doesn't use any API to verify the secure screen lock presence.

Demos¶

MASTG-DEMO-0026: Runtime Use of LAContext.canEvaluatePolicy with Frida