
MASTG-TEST-0246: Runtime Use of Secure Screen Lock Detection APIs

Overview

This test is the dynamic counterpart to References to APIs for Detecting Secure Screen Lock.

In this case we hook the LAContext.canEvaluatePolicy(.deviceOwnerAuthentication) API, or watch for data being stored with the kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly attribute.

Steps

  1. Use Installing Apps to install the app.
  2. Use Method Hooking to hook the relevant APIs.
  3. Exercise the app extensively to trigger as many flows as possible and enter sensitive data wherever you can.
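
As an added illustration of steps 2 and 3 (this is not MASTG's own code nor the script from MASTG-DEMO-0026), a Frida script that hooks both APIs named above and prints a backtrace for each call, so the Observation step has a list of locations. The file name and `<bundle-id>` are placeholders, and the hooks only install when the script runs inside Frida on an iOS process; the helper functions load anywhere.

```javascript
// Frida script (added example; not MASTG's own code). Hooks the two APIs named above
// and logs a backtrace for each call so the "Observation" step has a list of locations.
// Assumed usage: frida -U -f <bundle-id> -l hook_screenlock.js   (<bundle-id> is a placeholder)

// Raw LAPolicy values from LocalAuthentication.framework
const LA_POLICIES = { 1: 'deviceOwnerAuthenticationWithBiometrics', 2: 'deviceOwnerAuthentication' };

function policyName(raw) {
  return LA_POLICIES[raw] || `LAPolicy(${raw})`;
}

const observations = []; // { api, detail } for every hooked call

// Verdict for the Evaluation section: the test fails only when no relevant call was seen at all.
function evaluate(seen) {
  return { pass: seen.length > 0, count: seen.length };
}

function record(api, detail, context) {
  observations.push({ api, detail });
  const where = Thread.backtrace(context, Backtracer.ACCURATE)
    .map(DebugSymbol.fromAddress).join('\n    ');
  console.log(`[+] ${api}: ${detail}\n    ${where}`);
}

// The hooks only exist inside Frida on an iOS process; elsewhere the helpers above still load.
if (typeof ObjC !== 'undefined' && ObjC.available) {
  // -[LAContext canEvaluatePolicy:error:]: args[2] is the LAPolicy, the return value is a BOOL
  Interceptor.attach(ObjC.classes.LAContext['- canEvaluatePolicy:error:'].implementation, {
    onEnter(args) { this.policy = args[2].toInt32(); },
    onLeave(retval) {
      record('canEvaluatePolicy', `${policyName(this.policy)} -> ${retval.toInt32() !== 0}`, this.context);
    },
  });

  // SecItemAdd(attributes, result): flag items stored with kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly.
  // The CFString constants are read from Security.framework's exports rather than hardcoded.
  const security = Process.getModuleByName('Security');
  const cfConst = (name) => new ObjC.Object(security.getExportByName(name).readPointer());
  const kAccessible = cfConst('kSecAttrAccessible');
  const kPasscodeOnly = cfConst('kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly');
  Interceptor.attach(security.getExportByName('SecItemAdd'), {
    onEnter(args) {
      const attrs = new ObjC.Object(args[0]); // CFDictionaryRef, toll-free bridged to NSDictionary
      const accessible = attrs.objectForKey_(kAccessible);
      if (accessible !== null && accessible.isEqual_(kPasscodeOnly)) {
        record('SecItemAdd', 'kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly', this.context);
      }
    },
  });
}
```

Run `evaluate(observations)` from the Frida REPL after exercising the app to get the pass/fail verdict used in the Evaluation section.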

Observation

The output should contain a list of locations where relevant APIs are used.

Evaluation

The test case fails if an app doesn't use any API to verify the secure screen lock presence.

Demos

MASTG-DEMO-0026: Runtime Use of LAContext.canEvaluatePolicy with Frida