
MASTG-TEST-0248: References to APIs for Detecting Secure Screen Lock

Overview

This test verifies that an app checks whether it is running on a device with a secure screen lock (e.g. a passcode).

On iOS, apps can determine whether a secure screen lock is set using the LocalAuthentication framework. Specifically, the LAContext.canEvaluatePolicy(_:error:) method with the .deviceOwnerAuthentication or .deviceOwnerAuthenticationWithBiometrics policy can be used to check if authentication mechanisms, including a passcode, are available.

Apps leveraging the Keychain Services API can require passcode authentication before accessing sensitive data using the kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly attribute.

Steps

  1. Use Exploring the App Package to extract the relevant binaries from the app package.
  2. Use Static Analysis on iOS to look for the relevant APIs in the app binaries.

Observation

The output should contain a list of locations where relevant APIs are used.

Evaluation

The test case fails if an app doesn't use any API to verify the secure screen lock presence.
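As an added illustration of step 2 and the evaluation rule (not code from the MASTG or its demos), the following sketch scans an extracted binary's NUL-terminated strings for the two indicators named in the overview and reports their offsets. It assumes the Objective-C selector is stored as a plain C string and the Keychain constant as an imported symbol with a leading underscore; the function names and sample byte strings are constructed for this example.

```python
# Indicator strings as they appear in a Mach-O binary (assumption of this
# example): the selector as a C string, the constant as an imported symbol.
INDICATORS = {
    b"canEvaluatePolicy:error:": "LAContext.canEvaluatePolicy(_:error:)",
    b"_kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly":
        "kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly",
}


def find_references(binary: bytes):
    """Return (offset, api) pairs for every whole-string indicator match."""
    hits, offset = [], 0
    for chunk in binary.split(b"\x00"):
        api = INDICATORS.get(chunk)  # exact match avoids longer look-alikes
        if api:
            hits.append((offset, api))
        offset += len(chunk) + 1  # +1 for the NUL separator
    return hits


def evaluate(binary: bytes) -> str:
    """Apply the page's rule: no screen-lock API reference means FAIL."""
    return "PASS" if find_references(binary) else "FAIL"


# Constructed sample data (not real app binaries): a Mach-O magic followed by
# a few NUL-terminated strings, with and without the relevant indicators.
SAMPLE_WITH_CHECK = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 4
    + b"viewDidLoad\x00canEvaluatePolicy:error:\x00"
    + b"_SecItemAdd\x00_kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly\x00"
)
SAMPLE_WITHOUT_CHECK = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 4
    + b"viewDidLoad\x00_SecItemAdd\x00_kSecAttrAccessibleWhenUnlocked\x00"
)

if __name__ == "__main__":
    for name, blob in [("with check", SAMPLE_WITH_CHECK),
                       ("without check", SAMPLE_WITHOUT_CHECK)]:
        print(name, evaluate(blob))
        for off, api in find_references(blob):
            print(f"  0x{off:x}  {api}")
```

A hit only shows that the binary references the API; whether the app acts on the result still has to be confirmed by reviewing the call sites in a disassembler.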

Demos

MASTG-DEMO-0024: Uses of LAContext.canEvaluatePolicy with r2