Skip to content

MASTG-TEST-0248: References to APIs for Detecting Secure Screen Lock

Overview

This test verifies that an app is running on a device with a secure screen lock (e.g. a passcode).

On iOS, apps can determine whether a secure screen lock is set using the LocalAuthentication framework. Specifically, the LAContext.canEvaluatePolicy(_:error:) method with the .deviceOwnerAuthentication or .deviceOwnerAuthenticationWithBiometrics policy can be used to check if authentication mechanisms, including a passcode, are available.

Apps leveraging the Keychain Services API can require passcode authentication before accessing sensitive data using the kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly attribute.

Steps

  1. Run a static analysis tool such as radare2 for iOS on the app binary and look for uses of LAContext.canEvaluatePolicy(.deviceOwnerAuthentication) API, or data stored with kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly attribute.

Observation

The output should contain a list of locations where relevant APIs are used.

Evaluation

The test fails if an app doesn't use any API to verify the secure screen lock presence.

Demos

MASTG-DEMO-0024: Uses of LAContext.canEvaluatePolicy with r2