Finding Description
The Local Authentication framework (LocalAuthentication.framework) was observed linked into the app during testing. Per App Store policy, an app that offers biometric authentication must implement it through the Local Authentication framework rather than a third-party biometrics library. If the app has no biometric features, security best practice is to remove the framework from the app: it is unnecessary functionality, and every linked framework is additional attack surface.
Steps to Reproduce
Check whether the application offers biometric login, which usually appears after the app's initial username and password login (for example, an opt-in to unlock with Face ID or Touch ID on later launches). Then list the frameworks linked by the app binary. If the app links the Local Authentication framework but does not perform biometric login, evaluate why the framework is present and whether it is necessary.
The NowSecure automated test for this finding statically checks whether the LocalAuthentication framework is linked by the app; it does not validate use of the library at run time. A linked framework therefore does not by itself prove that biometric authentication is used, or that it is used correctly.
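The static part of this check can be reproduced by hand. The script below is an added example, not NowSecure's tooling or Apple's: it reads `otool -L` output to see whether the Mach-O links LocalAuthentication.framework, and `nm -u` output to see whether the binary references the LAContext class at all, which separates "linked but never referenced" from "linked and referenced". The `check_ipa` helper, the Payload/*.app layout it assumes and the sample tool output embedded at the bottom are constructed for illustration; neither signal proves the code path is reached at run time.

```shell
# Added example (not NowSecure's tooling): static check for LocalAuthentication
# in an iOS app binary. Two signals: whether the Mach-O links
# LocalAuthentication.framework (otool -L) and whether it references the
# LAContext class (nm -u). Neither proves the code path executes at run time.

# Print the names of the Apple system frameworks linked, from `otool -L` output on stdin.
linked_frameworks() {
    sed -n 's#^[[:space:]]*/System/Library/Frameworks/\([A-Za-z0-9_]*\)\.framework/.*#\1#p'
}

# Succeed if `otool -L` output on stdin shows LocalAuthentication.framework.
links_local_auth() {
    linked_frameworks | grep -qx 'LocalAuthentication'
}

# Succeed if `nm -u` (undefined symbols) output on stdin references the LAContext class.
references_lacontext() {
    grep -q '_OBJC_CLASS_\$_LAContext'
}

# classify OTOOL_FILE NM_FILE: print NOT_LINKED, LINKED_UNUSED or LINKED_AND_USED.
# LINKED_UNUSED is the case this finding asks the developer to justify or remove.
classify() {
    if links_local_auth < "$1"; then
        if references_lacontext < "$2"; then echo LINKED_AND_USED; else echo LINKED_UNUSED; fi
    else
        echo NOT_LINKED
    fi
}

# check_ipa FILE.ipa: run against a real app. Needs macOS otool, nm and PlistBuddy
# (Xcode command line tools). Assumption: a single .app directory under Payload/.
check_ipa() {
    tmp=$(mktemp -d)
    unzip -q "$1" -d "$tmp"
    app=$(find "$tmp/Payload" -maxdepth 1 -name '*.app' | head -n 1)
    exe=$(/usr/libexec/PlistBuddy -c 'Print :CFBundleExecutable' "$app/Info.plist")
    otool -L "$app/$exe" > "$tmp/otool.txt"
    nm -u "$app/$exe" > "$tmp/nm.txt" 2>/dev/null || true
    classify "$tmp/otool.txt" "$tmp/nm.txt"
    rm -rf "$tmp"
}

# Constructed sample tool output (not from a real app) so the logic runs offline:
# an app that links LocalAuthentication but never references LAContext.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf 'Payload/Demo.app/Demo:\n\t/System/Library/Frameworks/LocalAuthentication.framework/LocalAuthentication (compatibility version 1.0.0, current version 1.0.0)\n\t/System/Library/Frameworks/Security.framework/Security (compatibility version 1.0.0, current version 60157.0.0)\n\t/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)\n' > "$SAMPLE_DIR/otool.txt"
printf '_OBJC_CLASS_$_UIViewController\n_SecItemCopyMatching\n_SecAccessControlCreateWithFlags\n' > "$SAMPLE_DIR/nm_unused.txt"
printf '_OBJC_CLASS_$_LAContext\n_SecItemCopyMatching\n' > "$SAMPLE_DIR/nm_used.txt"
printf 'Payload/Other.app/Other:\n\t/System/Library/Frameworks/UIKit.framework/UIKit (compatibility version 1.0.0, current version 1.0.0)\n' > "$SAMPLE_DIR/otool_none.txt"

classify "$SAMPLE_DIR/otool.txt" "$SAMPLE_DIR/nm_unused.txt"   # LINKED_UNUSED
```

Run `check_ipa App.ipa` on a Mac to test a real build. Two caveats when reading the result: embedded third-party SDKs under `Frameworks/` are separate Mach-O files and must be checked the same way, and a class loaded through `NSClassFromString` or `dlopen` leaves no undefined LAContext symbol, so LINKED_UNUSED still calls for a review of the code rather than an automatic removal.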
Business Impact
Applications that link the Local Authentication framework without offering biometric authentication carry functionality they do not need, which is extra attack surface with no benefit. This framework exists only to authenticate the device owner, by biometrics or device passcode.
In addition, where the framework is used, a weak implementation can allow an adversary with physical access to the device to bypass the biometric check: if success is decided by a Boolean result in app code (for example, the result of evaluatePolicy) rather than enforced by an access control on the keychain item, that check can be hooked or patched on a jailbroken device.
Remediation Resources
Recommended Fix
Verify whether the Local Authentication framework is necessary. If the app does not use biometric authentication, remove the framework.
All apps that use biometric authentication must use the Local Authentication framework. Pay close attention to how the access controls (ACLs) on keychain items are implemented: sensitive items should be stored with a SecAccessControl that requires user presence, so that the keychain enforces authentication rather than the app's own logic. For more information on implementing biometric authentication, see the following resource: https://developer.apple.com/documentation/localauthentication/logging_a_user_into_your_app_with_face_id_or_touch_id?language=objc.
Code Samples
Good Code Example (.swift)
import Security
// account, server, password (Data) and KeychainError are defined elsewhere in the app.
// Access control: item usable only while a passcode is set, never migrates to another
// device, and requires user presence (biometrics or passcode). The keychain enforces
// this, so it cannot be bypassed by hooking a Boolean check in app code.
let access = SecAccessControlCreateWithFlags(nil,
                                             kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
                                             .userPresence,
                                             nil)
// Keep the duration for Touch ID authentication reuse at the default of 0
// (do not set LAContext.touchIDAuthenticationAllowableReuseDuration).

// Create the item with the access control bound to it
let addQuery: [String: Any] = [kSecClass as String: kSecClassInternetPassword,
                               kSecAttrAccount as String: account,
                               kSecAttrServer as String: server,
                               kSecAttrAccessControl as String: access as Any,
                               kSecValueData as String: password]
let addStatus = SecItemAdd(addQuery as CFDictionary, nil)
guard addStatus == errSecSuccess else { throw KeychainError(status: addStatus) }
// Read the item back; the user must authenticate before the data is returned
let query: [String: Any] = [kSecClass as String: kSecClassInternetPassword,
                            kSecAttrServer as String: server,
                            kSecMatchLimit as String: kSecMatchLimitOne,
                            kSecReturnAttributes as String: true,
                            kSecUseOperationPrompt as String: "Access your password on the keychain",
                            kSecReturnData as String: true]
var item: CFTypeRef?
let status = SecItemCopyMatching(query as CFDictionary, &item)
guard status == errSecSuccess else { throw KeychainError(status: status) }
Additional Guidance
Risk and Regulatory Information
Severity: low CVSS: 3.8
Application
See more detail in the NowSecure Report