Acl-changes
Keychain acl allows biometry changes
keychain-acl-allows-biometry-changes
keychain-acl-allows-biometry-changes
The application was observed to store keychain items that leverage biometric protection, but allow for biometry changes. This means that an attacker with knowledge of the victim’s passcode or the ability to guess the passcode - can register their own biometrics, and bypass this keychain authentication mechanism within the app. The application should store keychain entries with
Likelihood: LOW
Confidence: HIGH
CWE:
- C
- W
- E
- -
- 3
- 0
- 5
- :
-
- A
- u
- t
- h
- e
- n
- t
- i
- c
- a
- t
- i
- o
- n
-
- B
- y
- p
- a
- s
- s
-
- b
- y
-
- P
- r
- i
- m
- a
- r
- y
-
- W
- e
- a
- k
- n
- e
- s
- s
biometryCurrentSet rather than biometryAny or userPresence.Likelihood: LOW
Confidence: HIGH
CWE:
- C
- W
- E
- -
- 3
- 0
- 5
- :
-
- A
- u
- t
- h
- e
- n
- t
- i
- c
- a
- t
- i
- o
- n
-
- B
- y
- p
- a
- s
- s
-
- b
- y
-
- P
- r
- i
- m
- a
- r
- y
-
- W
- e
- a
- k
- n
- e
- s
- s