Finding Description
The LocalAuthentication framework was found linked into your application binary. At worst, it is used to gate a login or a stored secret behind Touch ID or Face ID with a check whose outcome is a boolean evaluated in application code; anyone who can run code on the device (a jailbroken device, a debugger, or an instrumentation framework) can force that outcome to success without ever presenting a fingerprint or face. At best, it is extraneous functionality that should not be shipped in the app as a matter of best practice.
Steps to Reproduce
This check is static: it looks for the LocalAuthentication framework among the libraries linked into the binary. It does not confirm that the framework is actually called at run time, so a framework pulled in by a third-party SDK will also trigger it. Before treating the finding as a bypassable login, confirm real use in your own code (for example, references to LAContext or evaluatePolicy) and what that check protects.
Business Impact
This app links a framework for Touch ID/Face ID whose pass/fail decision is made inside the app process and can therefore be patched out. The framework may simply be unused, or it may be the only thing standing between an attacker with access to the device (and the ability to instrument the app) and a logged-in session, in which case the attacker can bypass the login without the legitimate user's biometric.
Remediation Resources
Consider using Keychain access control (a SecAccessControl object attached to the Keychain item) to achieve the same user experience with a decision that is enforced outside the app.
An example implementation stores the application's secret in the Keychain and attaches an access control object instructing iOS to require user presence (or the currently enrolled biometrics) before decrypting and returning the item. Because the secret is never released to the process until the check passes, there is no in-process boolean for an attacker to flip, and with the biometry-current-set flag the item is invalidated if the enrolled biometrics change. Sample code can be found on Apple's website.
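The following Swift is an added example, not code from the original finding or from NowSecure, contrasting the in-process boolean check the finding warns about with a Keychain item gated by a SecAccessControl object. The service name `com.example.app`, the account name `session-token`, and the function names are hypothetical.

```swift
import Foundation
import Security
import LocalAuthentication

// Weak pattern: the biometric decision is a Bool handed to app code.
// Any code path or runtime hook that delivers success == true unlocks
// whatever this callback protects, with no biometric ever presented.
func weakBiometricUnlock(completion: @escaping (Bool) -> Void) {
    let context = LAContext()
    var error: NSError?
    guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                                    error: &error) else {
        completion(false)
        return
    }
    context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                           localizedReason: "Unlock the app") { success, _ in
        completion(success)   // the only thing standing between attacker and secret
    }
}

// Hypothetical identifiers for the Keychain item (assumption, not from the finding).
let keychainService = "com.example.app"
let keychainAccount = "session-token"

private var baseQuery: [String: Any] {
    [kSecClass as String: kSecClassGenericPassword,
     kSecAttrService as String: keychainService,
     kSecAttrAccount as String: keychainAccount]
}

// Hardened pattern: the secret is stored with an access control object.
// iOS will not decrypt and return the item until the user authenticates,
// so there is no in-process result for an attacker to patch.
func storeProtectedSecret(_ secret: Data) -> OSStatus {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, // no passcode -> item unavailable
        .biometryCurrentSet,                              // re-enrolment invalidates the item
        &cfError) else {
        return errSecParam
    }
    SecItemDelete(baseQuery as CFDictionary)              // replace any earlier copy
    var addQuery = baseQuery
    addQuery[kSecAttrAccessControl as String] = access
    addQuery[kSecValueData as String] = secret
    return SecItemAdd(addQuery as CFDictionary, nil)
}

// Reading the item triggers the system prompt. Call this off the main thread:
// SecItemCopyMatching blocks until the user authenticates or cancels.
// The LAContext here only supplies the prompt text; the pass/fail decision
// is made by the keychain, not by the app.
func readProtectedSecret(reason: String) -> (data: Data?, status: OSStatus) {
    let context = LAContext()
    context.localizedReason = reason
    var query = baseQuery
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    query[kSecUseAuthenticationContext as String] = context
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    // Expected failures: errSecUserCanceled, errSecAuthFailed,
    // errSecItemNotFound (including after biometric re-enrolment).
    guard status == errSecSuccess, let data = item as? Data else {
        return (nil, status)
    }
    return (data, status)
}
```

With the hardened form, hooking `evaluatePolicy` or the `LAContext` result gains the attacker nothing: the session token stays encrypted until the Secure Enclave-backed check succeeds, and the app only ever sees either the decrypted data or an error status.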
Risk and Regulatory Information
Severity: low CVSS: 3.8