Weak Biometric ACL Flag
Description
Weak biometric ACL flags passed to SecAccessControlCreateWithFlags, such as '.biometryAny' or '.userPresence' (or the deprecated '.touchIDAny'), bind a keychain item to the device's biometry as a whole rather than to the biometric set that existed when the item was stored. With '.biometryAny', any fingerprint or face enrolled on the device unlocks the item, including ones enrolled later; with '.userPresence', the device passcode is also accepted as a fallback. An attacker who can enrol a new fingerprint or face on the device (which requires only the passcode) can therefore authenticate as the user. Use '.biometryCurrentSet' (formerly '.touchIDCurrentSet') instead: the item is invalidated as soon as a biometry is added or removed, so only the biometric set enrolled at storage time can unlock it.
Examples
Insecure Code
```swift
var error: Unmanaged<CFError>?
// .biometryAny: any currently enrolled fingerprint or face unlocks the item, including ones enrolled after it was stored.
let acl = SecAccessControlCreateWithFlags(kCFAllocatorDefault, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, .biometryAny, &error)
```
Secure Code
```swift
var error: Unmanaged<CFError>?
// .biometryCurrentSet: the item is invalidated when a biometry is added or removed, so only the set enrolled at storage time can unlock it.
let acl = SecAccessControlCreateWithFlags(kCFAllocatorDefault, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, .biometryCurrentSet, &error)
```
Remediation
Replace '.biometryAny', '.touchIDAny' and '.userPresence' with '.biometryCurrentSet' so that enrolling an additional fingerprint or face does not grant access to existing keychain items. Pair the flag with a passcode-bound protection class such as kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, and do not combine it with '.devicePasscode' via '.or' unless the passcode is an acceptable single factor for the data. Because '.biometryCurrentSet' also invalidates the item when the legitimate user re-enrols, the application must handle the resulting read failure by re-authenticating the user through another channel and storing the secret again, rather than treating it as a bug.
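The following Swift example is added to this page for illustration and is not part of the rule or of any project's code base. It stores a secret behind '.biometryCurrentSet', reads it back through an LAContext that hides the passcode fallback, and treats the invalidation that follows a change to the enrolled biometric set as a signal to re-provision the secret. The service and account names, the error type and the re-enrolment handling are assumptions; the Security and LocalAuthentication calls are the real framework APIs.

```swift
import Foundation
import Security
import LocalAuthentication

// Illustrative error type (assumption, not a framework type).
enum BiometricKeychainError: Error {
    case accessControl(CFError?)
    case enrolmentChanged      // item invalidated: re-authenticate user and store again
    case status(OSStatus)
}

// Store `secret` so that only the biometric set enrolled right now can unlock it.
func storeBiometricProtectedSecret(_ secret: Data, service: String, account: String) throws {
    var cfError: Unmanaged<CFError>?
    // .biometryCurrentSet: adding or removing a fingerprint/face invalidates the item.
    // The passcode-bound protection class keeps the item off devices with no passcode
    // and out of backups.
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .biometryCurrentSet,
        &cfError
    ) else {
        throw BiometricKeychainError.accessControl(cfError?.takeRetainedValue())
    }

    let base: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    // Delete any previous copy: SecItemAdd would otherwise fail with errSecDuplicateItem
    // and the old (possibly weaker) ACL would silently remain in force.
    _ = SecItemDelete(base as CFDictionary)

    var add = base
    add[kSecAttrAccessControl as String] = access
    add[kSecValueData as String] = secret
    let status = SecItemAdd(add as CFDictionary, nil)
    guard status == errSecSuccess else { throw BiometricKeychainError.status(status) }
}

// Read the secret back; the system prompts for biometry as part of SecItemCopyMatching.
func readBiometricProtectedSecret(service: String, account: String, reason: String) throws -> Data {
    let context = LAContext()
    context.localizedReason = reason
    // Empty fallback title hides the "Enter Passcode" button so the only path is biometry.
    context.localizedFallbackTitle = ""

    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecUseAuthenticationContext as String: context,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    switch status {
    case errSecSuccess:
        guard let data = item as? Data else { throw BiometricKeychainError.status(errSecDecode) }
        return data
    case errSecItemNotFound, errSecAuthFailed:
        // After the enrolled biometric set changes, the key protecting a
        // .biometryCurrentSet item is gone and the read fails with one of these codes
        // (assumption: both are mapped to the same re-enrolment path here).
        throw BiometricKeychainError.enrolmentChanged
    default:
        throw BiometricKeychainError.status(status)
    }
}

// Optional early warning: compare the biometric domain state saved at enrolment time with
// the current one to detect an added/removed biometry before attempting a keychain read.
func currentBiometricDomainState() -> Data? {
    let context = LAContext()
    var error: NSError?
    guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error) else {
        return nil
    }
    return context.evaluatedPolicyDomainState
}

func biometricSetChanged(since savedState: Data?) -> Bool {
    guard let saved = savedState, let now = currentBiometricDomainState() else { return true }
    return saved != now
}
```

On a first read after a `BiometricKeychainError.enrolmentChanged`, the application should require the user to authenticate through its own server or credentials and then call `storeBiometricProtectedSecret` again; persisting the value returned by `currentBiometricDomainState()` alongside the item lets the app explain the re-enrolment prompt instead of surfacing a generic keychain failure.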
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0630 |
| Category | Auth |
| Severity | CRITICAL |
| CWE | CWE-305 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | biometric authentication, ACL flags |
| OWASP | A2:2017-Broken Authentication, A07:2021-Identification and Authentication Failures |