Biometric authentication uses evaluatePolicy method · Issue #1 · diia-open-source/ios-authorization · GitHub
The application uses biometric authentication as an alternative way (apart from the pincode) to authenticate the user and grant access to the main functionality:

```swift
localAuthenticationContext.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, localizedReason: reason) { success, evaluateError in
    // closure body omitted in the issue
}
```
As described in OWASP MASTG:
The evaluatePolicy function returns a boolean value indicating whether the user has authenticated successfully.
The evaluatePolicy method is bypassable using RE tools such as objection.

OWASP MASVS 4.8, MSTG-AUTH-8:

Biometric authentication, if any, is not event-bound (i.e. using an API that simply returns "true" or "false"). Instead, it is based on unlocking the keychain/keystore.
Suggestion
As described in OWASP MASTG (again):
The iOS keychain APIs can (and should) be used to implement local authentication. During this process, the app stores either a secret authentication token or another piece of secret data identifying the user in the keychain. In order to authenticate to a remote service, the user must unlock the keychain using their passphrase or fingerprint to obtain the secret data.
The keychain allows saving items with the special SecAccessControl attribute, which will allow access to the item from the keychain only after the user has passed Touch ID authentication (or passcode, if such a fallback is allowed by attribute parameters).
ios-authorization/Sources/PinCode/Common/Services/BiometryHelper.swift
Line 55 in 2c4f03d
See more details:
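For reference, the keychain-bound pattern the suggestion describes, written out as an added example. This is editor-supplied illustration code, not code from diia-open-source/ios-authorization; the service and account strings, the error type and the function names are assumptions. The point it demonstrates is that the secret is released by the keychain only after a successful biometric match, so there is no Bool result for a hooking tool to flip.

```swift
import Foundation
import LocalAuthentication
import Security

// Added example; not part of the ios-authorization project.
// Identifiers below are assumed for illustration.
enum BiometricKeychainError: Error {
    case accessControl(CFError?)
    case osStatus(OSStatus)
    case notFound
}

let kService = "com.example.app.session"   // assumed service name
let kAccount = "session-token"             // assumed account name

/// Stores `secret` so it can only be read after the user passes biometric
/// authentication for the *currently enrolled* biometrics. Enrolling a new
/// finger/face invalidates the item (.biometryCurrentSet), which defeats the
/// "add your own fingerprint to an unlocked device" attack.
func storeSecretBoundToBiometrics(_ secret: Data) throws {
    var cfError: Unmanaged<CFError>?
    guard let accessControl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .biometryCurrentSet,
        &cfError) else {
        throw BiometricKeychainError.accessControl(cfError?.takeRetainedValue())
    }

    // Remove any previous copy so SecItemAdd does not fail with errSecDuplicateItem.
    let deleteQuery: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: kService,
        kSecAttrAccount as String: kAccount
    ]
    SecItemDelete(deleteQuery as CFDictionary)

    let addQuery: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: kService,
        kSecAttrAccount as String: kAccount,
        kSecAttrAccessControl as String: accessControl,
        kSecValueData as String: secret
    ]
    let status = SecItemAdd(addQuery as CFDictionary, nil)
    guard status == errSecSuccess else { throw BiometricKeychainError.osStatus(status) }
}

/// Reads the secret back. The system shows the biometric prompt inside
/// SecItemCopyMatching; without a successful match the item is never returned,
/// so the app's access decision is tied to obtaining the secret, not to a flag.
func readSecretBoundToBiometrics(reason: String) throws -> Data {
    let context = LAContext()
    context.localizedReason = reason
    // Empty fallback title hides the "Enter Password" button; the access
    // control above already excludes the passcode as an alternative.
    context.localizedFallbackTitle = ""

    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: kService,
        kSecAttrAccount as String: kAccount,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
        kSecUseAuthenticationContext as String: context
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    switch status {
    case errSecSuccess:
        guard let data = item as? Data else { throw BiometricKeychainError.notFound }
        return data
    case errSecItemNotFound:
        throw BiometricKeychainError.notFound
    default:
        // errSecUserCanceled, errSecAuthFailed, errSecInteractionNotAllowed, ...
        throw BiometricKeychainError.osStatus(status)
    }
}

// Assumed usage: after a successful pincode login the app stores the session
// token it received from the backend; a later biometric unlock reads it back and
// presents it to the backend, which is what actually grants access.
// try storeSecretBoundToBiometrics(Data("token-from-server".utf8))
// let token = try readSecretBoundToBiometrics(reason: "Unlock with Face ID")
```

The practical check when reviewing an app for this issue: if the code path that grants access can proceed with nothing but the `success` Bool from evaluatePolicy, it is event-bound; if the path needs a value that only SecItemCopyMatching can return, it is keychain-bound. Note that `kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly` makes the item unavailable (and deleted) if the device passcode is removed, which is the intended behaviour here.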