
Port MASTG-TEST-0064: Testing Local Authentication (ios) #3256

Merged
merged 39 commits into from
May 30, 2025

Conversation

serek8
Copy link
Collaborator

@serek8 serek8 commented Apr 18, 2025

This PR closes #2950

Deprecates:

  • MASTG-TEST-0064

Ports MASWE-0044 Biometric Authentication is Event-bound:

  • MASTG-TEST-0266
  • MASTG-TEST-0267
  • MASTG-DEMO-0041
  • MASTG-DEMO-0042

Ports MASWE-0045 Fallback to Non-biometric Credentials Allowed for Sensitive Transactions:

  • MASTG-TEST-0268
  • MASTG-TEST-0269
  • MASTG-DEMO-0043
  • MASTG-DEMO-0044

Ports MASWE-0046 Crypto Keys Not Invalidated on New Biometric Enrollment:

  • MASTG-TEST-0270
  • MASTG-TEST-0271
  • MASTG-DEMO-0045
  • MASTG-DEMO-0046

Not ported ⚠️ (from MASTG-TEST-0064):

In order to make sure that biometrics can be used, verify that the kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly or the kSecAttrAccessibleWhenPasscodeSet protection class is set when the SecAccessControlCreateWithFlags method is called.

Not sure if there is any reason to check if biometrics can be used. The keychain API will return an error if biometrics cannot be used anyway.

Note that the ...ThisDeviceOnly variant will make sure that the keychain item is not synchronized with other iOS devices

I think we miss a weakness for it @cpholguera?

Carlos: we have ThisDeviceOnly covered in https://mas.owasp.org/MASWE/MASVS-CRYPTO/MASWE-0018/ so we should be good.

@serek8 serek8 marked this pull request as ready for review April 23, 2025 13:52
@serek8 serek8 requested a review from cpholguera April 23, 2025 13:52
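The discussion above is about which protection class and access-control flags are passed to SecAccessControlCreateWithFlags, and whether the keychain API itself already fails when biometrics cannot be used. The following Swift snippet is an added example written for this page; it is not code from the PR, from the MASTG tests or demos it ports, or from Apple. It contrasts the configuration the three ported weaknesses flag (a passcode fallback via .userPresence, a key that survives re-enrollment via .biometryAny) with the hardened one (.biometryCurrentSet on a kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly item), and shows how the app should react to the error codes the keychain returns instead of probing biometric availability up front. Note that the Security framework only defines the ...ThisDeviceOnly form of the WhenPasscodeSet protection class, so that is the constant used here. The account name, service string and the stored secret are made-up values for illustration.

```swift
import Foundation
import Security
import LocalAuthentication

// Illustrative identifiers only (not from the MASTG demos).
let kService = "com.example.demo"
let kAccount = "session-key"

enum BiometricKeychainError: Error {
    case accessControl(Error?)
    case status(OSStatus)
    case invalidated        // item gone after enrollment change / passcode removal
    case userCancelled
}

// WEAK variant: .userPresence accepts Touch ID/Face ID *or* device passcode
// (MASWE-0045 fallback), and .biometryAny keeps the item readable after a
// new finger/face is enrolled (MASWE-0046). Kept here only for comparison.
func weakAccessControl() -> SecAccessControl? {
    var err: Unmanaged<CFError>?
    return SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        [.userPresence, .biometryAny],
        &err)
}

// HARDENED variant: biometrics only, bound to the enrollment set that existed
// when the item was written. Adding a fingerprint or re-enrolling Face ID
// invalidates the item, and ThisDeviceOnly keeps it out of iCloud/backup sync.
func hardenedAccessControl() throws -> SecAccessControl {
    var err: Unmanaged<CFError>?
    guard let acl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .biometryCurrentSet,
        &err) else {
        throw BiometricKeychainError.accessControl(err?.takeRetainedValue())
    }
    return acl
}

// Store a secret behind the hardened ACL. No LAContext.canEvaluatePolicy
// pre-check: if no passcode is set or no biometrics are enrolled, SecItemAdd
// itself fails and the error is surfaced to the caller.
func storeSecret(_ secret: Data) throws {
    let acl = try hardenedAccessControl()
    let attrs: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: kService,
        kSecAttrAccount as String: kAccount,
        kSecAttrAccessControl as String: acl,
        kSecValueData as String: secret,
    ]
    SecItemDelete(attrs as CFDictionary) // replace any stale item
    let status = SecItemAdd(attrs as CFDictionary, nil)
    guard status == errSecSuccess else { throw BiometricKeychainError.status(status) }
}

// Read the secret. The read itself triggers the biometric prompt (event-bound
// auth happens inside the keychain, not in app logic, MASWE-0044). An
// invalidated item is reported as errSecItemNotFound; treat that as a signal
// to re-authenticate the user through the server-side flow and re-provision.
func readSecret() throws -> Data {
    let ctx = LAContext()
    ctx.localizedReason = "Unlock session key"
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: kService,
        kSecAttrAccount as String: kAccount,
        kSecReturnData as String: true,
        kSecUseAuthenticationContext as String: ctx,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    switch status {
    case errSecSuccess:
        guard let data = result as? Data else { throw BiometricKeychainError.status(status) }
        return data
    case errSecItemNotFound:
        throw BiometricKeychainError.invalidated
    case errSecUserCanceled:
        throw BiometricKeychainError.userCancelled
    default:
        throw BiometricKeychainError.status(status)
    }
}

// Example usage (constructed input; run on a device with passcode + biometrics):
// try storeSecret(Data("opaque-session-key-bytes".utf8))
// let key = try readSecret()
```

When reviewing an app against the ported tests, the things to look for in the binary or in a Frida trace of SecAccessControlCreateWithFlags are exactly the differences between the two builders above: a flag set containing .userPresence or .devicePasscode (fallback allowed), .biometryAny instead of .biometryCurrentSet (no invalidation on enrollment change), and any LAContext.evaluatePolicy result that is consumed by app logic alone rather than gating a keychain read.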
@cpholguera
Copy link
Collaborator

Thanks @serek8, we have ThisDeviceOnly covered in https://mas.owasp.org/MASWE/MASVS-CRYPTO/MASWE-0018/ so we should be good.

Also see http://developer.apple.com/documentation/security/restricting-keychain-item-accessibility

@cpholguera cpholguera merged commit 30acca0 into OWASP:master May 30, 2025
21 checks passed
Successfully merging this pull request may close these issues.

MASTG v1->v2 MASTG-TEST-0064: Testing Local Authentication (ios)