Biometric authentication should be hardware and keychain backed.

ID

objectivec.auth.ios_biometric_bool

Severity

low

Resource

Auth

Language

Objective-C

Description

Biometric authentication should be hardware and keychain backed. Local authentication (LAContext) returns a boolean that can be bypassed by runtime instrumentation tools like Frida. This rule does not apply if the authentication data in the keychain is protected with a biometric-only access control.

Rationale

When an app calls evaluatePolicy: on an LAContext, the result arrives as a plain BOOL inside the reply block, and the app's own code decides what to unlock based on it. That decision lives entirely in the app's process, so runtime instrumentation tools like Frida can alter it without ever passing the biometric check. If instead the sensitive data is stored in the keychain with a biometric-only access control, the keychain (backed by the Secure Enclave) only releases the data after the system has verified the user, so there is no in-process boolean for an attacker to tamper with. The rule is therefore not applicable when keychain items are protected this way.

The following code illustrates a vulnerable pattern detected by this rule:

#import <LocalAuthentication/LocalAuthentication.h>

// Method on a view controller or similar class (it calls [self unlockApp]).
- (void)badBiometricAuth {
    // VULNERABLE: Biometric authentication should be hardware and keychain backed.
    LAContext *context = [[LAContext alloc] init];
    NSError *error = nil;

    if ([context canEvaluatePolicy:LAPolicyDeviceOwnerAuthentication error:&error]) {
        [context evaluatePolicy:LAPolicyDeviceOwnerAuthentication
                localizedReason:@"Authenticate to access"
                          reply:^(BOOL success, NSError *evalError) {
            if (success) {
                // User authenticated - but this boolean lives in the app process and can be bypassed!
                [self unlockApp];
            }
        }];
    }
}

Remediation

Store the data that gates access (a session token, a key, or similar) in the keychain and protect it with a biometric-only access control, so that the keychain rather than an in-process boolean enforces the check. Follow secure coding practices and review the references below for detailed remediation guidance.
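As an added example (not part of this rule's documentation), the keychain-backed pattern the rule treats as safe: the secret is written with an access control requiring the currently enrolled biometrics, and the biometric prompt happens inside the keychain read, so the app never branches on a BOOL. The service and account names are constructed for this example.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <LocalAuthentication/LocalAuthentication.h>

// Constructed identifiers for this example; use your own service/account names.
static NSString *const kDemoService = @"com.example.demo.session-token";
static NSString *const kDemoAccount = @"session";

// Store a secret so that the keychain, not app logic, enforces biometry: the item is readable
// only after the currently enrolled biometrics succeed, is invalidated if the biometric set
// changes, and cannot be created at all unless a device passcode is set.
BOOL storeBiometricProtectedSecret(NSData *secret, NSError **outError) {
    CFErrorRef cfError = NULL;
    SecAccessControlRef acl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        kSecAccessControlBiometryCurrentSet, &cfError);
    if (acl == NULL) {
        if (outError) *outError = CFBridgingRelease(cfError);
        return NO;
    }
    NSDictionary *query = @{(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
                            (__bridge id)kSecAttrService: kDemoService,
                            (__bridge id)kSecAttrAccount: kDemoAccount};
    SecItemDelete((__bridge CFDictionaryRef)query); // replace any stale copy
    NSMutableDictionary *attrs = [query mutableCopy];
    attrs[(__bridge id)kSecAttrAccessControl] = (__bridge id)acl; // do not also set kSecAttrAccessible
    attrs[(__bridge id)kSecValueData] = secret;
    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)attrs, NULL);
    CFRelease(acl);
    if (status != errSecSuccess && outError) {
        *outError = [NSError errorWithDomain:NSOSStatusErrorDomain code:status userInfo:nil];
    }
    return status == errSecSuccess;
}

// Read the secret back. The biometric prompt is driven by the keychain read itself:
// there is no in-process BOOL to flip, and a cancelled or failed prompt yields no data.
NSData *readBiometricProtectedSecret(NSString *reason, OSStatus *outStatus) {
    LAContext *context = [[LAContext alloc] init];
    context.localizedReason = reason; // shown in the system prompt
    NSDictionary *query = @{(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
                            (__bridge id)kSecAttrService: kDemoService,
                            (__bridge id)kSecAttrAccount: kDemoAccount,
                            (__bridge id)kSecReturnData: @YES,
                            (__bridge id)kSecMatchLimit: (__bridge id)kSecMatchLimitOne,
                            (__bridge id)kSecUseAuthenticationContext: context};
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (outStatus) *outStatus = status; // errSecUserCanceled, errSecAuthFailed, errSecItemNotFound, ...
    return status == errSecSuccess ? CFBridgingRelease(result) : nil;
}
```

Because the stored item is bound to the enrolled biometric set, a re-enrolment on the device makes the read fail with errSecItemNotFound and the secret must be provisioned again after the user authenticates through another path.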

Configuration

This detector does not need any configuration.