    Keychain acl allows biometry changes

    The application stores keychain items that use biometric protection but allow biometry changes. An attacker who knows the victim's passcode, or can guess it, can register their own biometrics and bypass this keychain authentication mechanism within the app. The application should store keychain entries with biometryCurrentSet rather than biometryAny or userPresence.
    Likelihood: LOW
    Confidence: HIGH
    CWE:
    - CWE-305: Authentication Bypass by Primary Weakness
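
A keychain write that follows the recommendation above, as an added example (not code from this rule page or the project). The function names, the `service`/`account` parameters and the choice of `kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly` are assumptions made for illustration.

```swift
import Foundation
import Security

// Added example; all names below are hypothetical, not taken from the rule page.
enum KeychainStoreError: Error {
    case accessControl(Error?)
    case unexpectedStatus(OSStatus)
}

/// Builds the access-control object for a biometric-protected item.
/// `.biometryCurrentSet` binds the item to the biometrics enrolled when it is created.
/// `.biometryAny` and `.userPresence` (the values this rule flags) keep the item
/// usable after new biometrics are enrolled.
func makeBiometricAccessControl() throws -> SecAccessControl {
    var cfError: Unmanaged<CFError>?
    guard let acl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, // assumption: device-only item
        .biometryCurrentSet,                             // flagged: .biometryAny, .userPresence
        &cfError
    ) else {
        throw KeychainStoreError.accessControl(cfError.map { $0.takeRetainedValue() as Error })
    }
    return acl
}

/// Stores `secret` as a generic-password item protected by the ACL above.
func storeSecret(_ secret: Data, service: String, account: String) throws {
    let acl = try makeBiometricAccessControl()
    let identity: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    // Remove any earlier copy so an item written with a weaker ACL is not left behind.
    let deleteStatus = SecItemDelete(identity as CFDictionary)
    guard deleteStatus == errSecSuccess || deleteStatus == errSecItemNotFound else {
        throw KeychainStoreError.unexpectedStatus(deleteStatus)
    }
    var attributes = identity
    attributes[kSecAttrAccessControl as String] = acl
    attributes[kSecValueData as String] = secret
    let addStatus = SecItemAdd(attributes as CFDictionary, nil)
    guard addStatus == errSecSuccess else {
        throw KeychainStoreError.unexpectedStatus(addStatus)
    }
}
```

Because an item stored this way stops being readable once the enrolled biometrics change, the app needs a re-authentication path that writes the secret again after the user signs in by another means.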
