
MASTG-DEMO-0042: Runtime Use of LAContext.evaluatePolicy with Frida


Sample

This demo uses the same sample as Uses of LAContext.evaluatePolicy with r2.

../MASTG-DEMO-0041/MastgTest.swift
```swift
import Foundation
import LocalAuthentication

struct MastgTest {

    static func mastgTest(completion: @escaping (String) -> Void) {
        let token = "8767086b9f6f976g-a8df76"
        let context = LAContext()
        let reason = "Authenticate to access your token"

        context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, localizedReason: reason) { success, error in
            DispatchQueue.main.async {
                if success {
                    completion("✅ Retrieved token: \(token)")
                    return
                }

                // Authentication failed: inspect the error code
                let message: String
                if let laError = error as? LAError {
                    switch laError.code {
                    case .userCancel:
                        message = "Authentication was cancelled by the user."
                    case .userFallback:
                        message = "User tapped the fallback button (e.g. entered a password)."
                    case .systemCancel:
                        message = "Authentication was cancelled by the system (e.g. another app came to foreground)."
                    case .passcodeNotSet:
                        message = "Passcode is not set on the device."
                    case .biometryNotAvailable:
                        message = "No biometric authentication is available on this device."
                    case .biometryNotEnrolled:
                        message = "The user has not enrolled any biometrics."
                    case .biometryLockout:
                        message = "Biometry is locked out due to too many failed attempts."
                    default:
                        // For any future or undocumented codes
                        message = laError.localizedDescription
                    }
                } else {
                    // Some other non-LAError error
                    message = error?.localizedDescription ?? "Unknown authentication error."
                }

                completion("❌ \(message)")
            }
        }
    }
}
```

Steps

  1. Install the app on a device (Installing Apps)
  2. Make sure you have Frida for iOS installed on your machine and the frida-server running on the device
  3. Run run.sh to spawn your app with Frida
  4. Click the Start button
  5. Stop the script by pressing Ctrl+C

run.sh
```bash
#!/bin/bash
frida -U -f org.owasp.mastestapp.MASTestApp-iOS -l ./script.js -l ../MASTG-DEMO-0044/script.js -o output.txt
```

script.js
```javascript
Interceptor.attach(ObjC.classes.LAContext["- evaluatePolicy:localizedReason:reply:"].implementation, {
  onEnter(args) {

    // Numeric LAPolicy values mapped to their Swift names
    const LAPolicy = {
        1: ".deviceOwnerAuthenticationWithBiometrics",
        2: ".deviceOwnerAuthentication",
        3: ".deviceOwnerAuthenticationWithWatch",
        4: ".deviceOwnerAuthenticationWithBiometricsOrWatch",
        5: ".deviceOwnerAuthenticationWithWristDetection",
    };

    // args[0] is self, args[1] is the selector, args[2] is the policy
    const policy = args[2].toInt32();
    const policyDescription = LAPolicy[policy] || "Unknown Policy";

    // The label says canEvaluatePolicy, but the hooked selector is evaluatePolicy:localizedReason:reply:
    console.log(`\nLAContext.canEvaluatePolicy(${args[2]}) called with ${policyDescription} (${args[2]})\n`);

    // Use an arrow function so that `this` remains the same as in onEnter
    const printBacktrace = (maxLines = 8) => {
        console.log("\nBacktrace:");
        let backtrace = Thread.backtrace(this.context, Backtracer.ACCURATE)
            .map(DebugSymbol.fromAddress);

        for (let i = 0; i < Math.min(maxLines, backtrace.length); i++) {
            console.log(backtrace[i]);
        }
    }
    printBacktrace();
  }
});
```

Observation

output.txt
```
LAContext.canEvaluatePolicy(0x1) called with .deviceOwnerAuthenticationWithBiometrics (0x1)


Backtrace:
0x10095c35c MASTestApp!specialized static MastgTest.mastgTest(completion:)
0x10095d4b4 MASTestApp!closure #1 in closure #1 in closure #1 in ContentView.body.getter
0x19f6cbc54 SwiftUI!partial apply for closure #1 in closure #2 in ContextMenuBridge.contextMenuInteraction(_:willPerformPreviewActionForMenuWith:animator:)
0x19f5d86d0 SwiftUI!partial apply for specialized thunk for @callee_guaranteed () -> (@out A, @error @owned Error)
0x19fca57c4 SwiftUI!specialized static MainActor.assumeIsolated<A>(_:file:line:)
0x19fc721a8 SwiftUI!ButtonAction.callAsFunction()
0x19f154c2c SwiftUI!partial apply for implicit closure #2 in implicit closure #1 in PlatformItemListButtonStyle.makeBody(configuration:)
0x19f6813b4 SwiftUI!ButtonBehavior.ended()
```

The output reveals the use of LAContext.evaluatePolicy(0x1, ...) in the app. Policy 0x1 is .deviceOwnerAuthenticationWithBiometrics.

Evaluation

The test fails because the output only shows calls to biometric verification with the LocalAuthentication API and no calls to any Keychain APIs requiring user presence (SecAccessControlCreateWithFlags).
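
For contrast, a sketch of how the same token could be bound to the Keychain so that a runtime trace would include SecAccessControlCreateWithFlags. This is an added example, not code from the MASTG demo; `TokenStore`, the service and account strings, and the choice of `.biometryCurrentSet` are assumptions made for illustration.

```swift
import Foundation
import LocalAuthentication
import Security

// Added example: TokenStore and the service/account strings are hypothetical names.
enum TokenStore {
    private static let baseQuery: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: "org.owasp.mastestapp.demo",  // hypothetical
        kSecAttrAccount as String: "api-token"                   // hypothetical
    ]

    /// Stores the token so that the Keychain itself enforces biometric presence.
    static func save(_ token: String) -> OSStatus {
        var error: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, // not restored to other devices
            .biometryCurrentSet,                             // invalidated if enrollment changes
            &error
        ) else {
            error?.release()
            return errSecParam
        }
        SecItemDelete(baseQuery as CFDictionary)  // replace any earlier item
        var attributes = baseQuery
        attributes[kSecValueData as String] = Data(token.utf8)
        attributes[kSecAttrAccessControl as String] = access
        return SecItemAdd(attributes as CFDictionary, nil)
    }

    /// Reads the token. The system shows the biometric prompt and releases the
    /// data only on success. Blocks while prompting, so call it off the main thread.
    static func load(reason: String) -> String? {
        let context = LAContext()
        context.localizedReason = reason
        var query = baseQuery
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        query[kSecUseAuthenticationContext as String] = context
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        guard status == errSecSuccess, let data = item as? Data else { return nil }
        return String(data: data, encoding: .utf8)
    }
}
```

Unlike the sample, there is no `success` boolean for the app to branch on: the secret is only returned by `SecItemCopyMatching` after the system has verified the user.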

