Device Biometrics Test Cases

The Device Biometrics Test Cases ensure the device properly handles the enrollment and use of biometrics for authentication. These tests evaluate the security and validity of biometrics enrollment, and how the device handles failed attempts.
Test Case: Change to Device Biometrics Settings

Any change to the biometrics enrolled on the device (add, new, delete, etc.) should automatically cause the application to disallow biometrics authentication until the user has entered the correct password.

Biometric Sensor: Face Imprint / Fingerprint

Test Case: Device Passcode/Password Required to Change Biometrics

While not directly affecting the app being tested, test that the device requires the user to enter the device passcode/password to access the biometrics section in the Settings app.

Biometric Sensor: Face Imprint / Fingerprint

Presentation Test Cases

The Presentation Test Cases cover the typical "spoofing" of biometrics authentication by an unauthorized person. These include presenting images and videos to authenticate, as well as testing whether the device checks for liveness of the user.
Test Case: Image Presentation

Using an image of the user that has enrolled in biometrics authentication, present the image to the device sensors to attempt a fraudulent authentication.

  • Use a high-resolution image first, then reduce the resolution in further tests if it succeeds
  • If possible, convert the image to infrared using software and attempt authentication
  • When presenting the image to the sensors, ensure that image borders are not included
  • Attempt authentication using different angles of the image (think of how you would hold the device to authenticate)
  • If the image is on another device, such as a phone, tablet, or monitor, ensure that the screen bezels are not visible when attempting authentication
  • Smudge or dirty the lens of the sensor slightly
  • Partially cover or smudge the IR projector
  • Attempt authentication while using the device in both portrait and landscape modes
  • Test authentication with a "screen protector" on the device

Biometric Sensor: Face Imprint

Test Case: Video Presentation

Using a video of the user that has enrolled in biometrics authentication, present the video to the device sensors to attempt a fraudulent authentication.

  • Most videos are high resolution, but attempt lower-resolution videos as well
  • When presenting the video to the sensors, ensure that the device presenting the video does not show its screen bezels when attempting to authenticate
  • Attempt authentication using different angles of the video if possible (think of how you would hold the device to authenticate)
  • Smudge or dirty the lens of the sensor slightly
  • Partially cover or smudge the IR projector
  • Attempt authentication while using the device in both portrait and landscape modes
  • Test authentication with a "screen protector" on the device

Biometric Sensor: Face Imprint

Test Case: Sibling / Child Presentation

When possible, attempt biometrics authentication by presenting a sibling or child of the enrolled user to the device sensors.

  • Smudge or dirty the lens of the sensor slightly
  • Partially cover or smudge the IR projector
  • Attempt authentication while using the device in both portrait and landscape modes
  • Test authentication with a "screen protector" on the device

Biometric Sensor: Face Imprint

Test Case: Liveness Testing

Liveness detection aims to detect spoof attempts by determining whether the source of the biometric authentication is a live human or is being faked with an image, video, or other source.

Liveness detection typically requires you to have your eyes open and looking at the device when testing. Determine the device-specific detection behaviour before testing this.

Biometric Sensor: Face Imprint

Test Case: Fingerprint Presentation

Need to add process...

Biometric Sensor: Fingerprint

App Authentication Test Cases

Test Case: Application Biometrics Enrollment

Ensure the application requires the correct password to be entered before enabling biometrics authentication.

Biometric Sensor: Face Imprint / Fingerprint

Test Case: Application Failed Biometrics Authentication

Evaluate how the application handles failed biometrics authentication attempts. The app, as well as the device, should disable biometrics authentication following 3-5 failed attempts and fall back to requiring the password to log in.

Typically, the device will need to be "screen locked", after which it will prompt for the device passcode to re-enable device-wide biometric authentication.

Biometric Sensor: Face Imprint / Fingerprint

Test Case: Application Biometrics Use

Ensure that the device does not rely on biometrics as the sole authentication technique.

A successful biometrics match should obtain a password from the keychain or, preferably, use a server-side mechanism to validate the user.

Additionally, the application should prompt the user for their credentials after a pre-determined period of time. For instance, the device itself requires the user to input the screen passcode every 6 days to ensure the user is properly authenticated. The application should implement a similar mechanism.

Biometric Sensor: Face Imprint / Fingerprint

Runtime Manipulation

Runtime Manipulation test cases use dynamic instrumentation to hook the running application and manipulate the biometrics input or output responses. This is also used to evaluate the security of the keystore the application uses to store its passwords.

Test Case: Keychain Password Extraction

Attempt to extract the Keychain entries belonging to the application. Evaluate whether the application requires you to authenticate to access items in the Keychain. If an item has been further protected with an application-specific password, you will be prompted for biometrics or the password before those items can be accessed.

NOTE: This will require a rooted device, or a rooted application. A rooted application is defined as having some form of debugging or dynamic instrumentation library injected into the app.

Biometric Sensor: Face Imprint / Fingerprint

Test Case: Keystore/Keychain Biometrics Access Controls

There are several parameters that should be set to help secure the Keystore. Some of these are directly related to biometrics, and others are simply best practices. These parameters should be reviewed to ensure they meet the proper security baseline.

Evaluate the "accessible_attribute" for the application's Keychain entries.

  • kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly - The entry cannot be accessed after a restart until the device has been unlocked once. This attribute will not migrate to a new device.
  • kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly - The entry can only be accessed when the device is unlocked and a passcode is set on the device. This attribute will not migrate to a new device.
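As an added example (not code from the original page or from any app under test), the following Swift shows what a Keychain entry that passes both this test case and the earlier "Change to Device Biometrics Settings" and "Application Biometrics Use" cases looks like: the credential is stored with kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly and an access control bound to the current biometric set, so a biometric match unlocks the stored secret and any enrollment change invalidates it. The service name is an assumption.

```swift
import Foundation
import Security
import LocalAuthentication

// Assumed service identifier for the app's credential item (not from the page).
let credentialService = "com.example.app.credential"

// Store a credential bound to the current biometric enrollment.
// kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly: readable only while unlocked,
// requires a device passcode to exist, never migrates through a backup.
// .biometryCurrentSet: the item is invalidated if a face/fingerprint is added
// or removed, which is the behaviour the biometrics-change test case expects.
func storeCredential(account: String, secret: Data) -> OSStatus {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        [.biometryCurrentSet],
        &cfError) else { return errSecParam }

    let lookup: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: credentialService,
        kSecAttrAccount as String: account,
    ]
    SecItemDelete(lookup as CFDictionary)  // replace any earlier copy

    var attrs = lookup
    attrs[kSecValueData as String] = secret
    attrs[kSecAttrAccessControl as String] = access
    return SecItemAdd(attrs as CFDictionary, nil)
}

// Read the credential; the access control makes the OS prompt for biometrics.
// After an enrollment change the item is no longer returned, so the caller
// must fall back to password authentication and re-enable biometrics.
func readCredential(account: String) -> Data? {
    let context = LAContext()
    context.localizedReason = "Unlock your saved credential"
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: credentialService,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecUseAuthenticationContext as String: context,
    ]
    var item: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess else { return nil }
    return item as? Data
}
```

To check an app against this baseline on a test device, store a credential, enroll an additional face or fingerprint, and confirm the read now fails and the app falls back to the password rather than silently re-creating the item.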

NOTE: This will require a rooted device, or a rooted application. A rooted application is defined as having some form of debugging or dynamic instrumentation library injected into the app.

Biometric Sensor: Face Imprint / Fingerprint

Test Case: Dynamic Instrumentation to Force a Positive Biometric Response

Using the Frida dynamic instrumentation framework, attach to the running process and trace the biometric functions of the app. Once they are identified, hook the function and manipulate the response to force a positive result while supplying incorrect biometrics input.

For iOS, use the Objection script to bypass biometrics.

ios ui biometric_bypass

NOTE: This will require a rooted device, or a rooted application. A rooted application is defined as having some form of debugging or dynamic instrumentation library injected into the app.

Biometric Sensor: Face Imprint / Fingerprint

HTTP Communications

Test Case: Evaluate HTTP Traffic During Password and Biometric Authentication

Using a local proxy, evaluate the HTTP communications for both a password-based login and a login using biometrics.

NOTE: This will require a rooted device, or a rooted application. A rooted application is defined as having some form of debugging or dynamic instrumentation library injected into the app.

Biometric Sensor: Face Imprint / Fingerprint

Test Case: Assess Authenticated Session Configuration

The established session should not depend on the mode of authentication; check the application to confirm that the sessions created by password authentication and by biometrics authentication are identical.

At a minimum, examine the following session parameters:

  • Session Fixation
  • Insecure Transport
  • Missing Sign-off Button
  • Session ID in URL
  • Authentication Brute-Force
  • Insufficient Session Timeout
  • Session Timeout Doesn't Redirect
  • Sign-off Doesn't Redirect

NOTE: This will require a rooted device, or a rooted application. A rooted application is defined as having some form of debugging or dynamic instrumentation library injected into the app.

Biometric Sensor: Face Imprint / Fingerprint

Test Case: Validate Application Username/Password Changes

Password changes in the application should force re-enrollment of biometrics, or some form of password-based authentication, before biometrics are re-enabled for the app. The use of biometrics effectively unlocks the keystore to obtain the user credentials, so a stale credential must not remain usable after the password has changed.

Evaluate the following parameters:

  • The app requires the current password for any change to username or password
  • The user is notified by email of a password change

NOTE: This will require a rooted device, or a rooted application. A rooted application is defined as having some form of debugging or dynamic instrumentation library injected into the app.

Biometric Sensor: Face Imprint / Fingerprint