Contributor

Copilot AI commented Dec 2, 2025

This PR closes #2952

Description

Ports the Android biometric authentication test (MASTG-TEST-0018) to v2 format, covering four MASWE weaknesses. Includes demos using BiometricPrompt API that highlight security considerations for biometric authentication.

New Tests (tests-beta/android/MASVS-AUTH/)

  • MASTG-TEST-0313 (MASWE-0045): Detects BiometricPrompt configurations allowing fallback to device credentials via DEVICE_CREDENTIAL or setDeviceCredentialAllowed(true)
  • MASTG-TEST-0314 (MASWE-0044): Detects event-bound biometric auth where authenticate() is called without CryptoObject
  • MASTG-TEST-0315 (MASWE-0046): Detects keys not invalidated on biometric enrollment via setInvalidatedByBiometricEnrollment(false)
  • MASTG-TEST-0316 (MASWE-0044): Detects authentication without explicit user action via setConfirmationRequired(false)

New Demos

MASTG-DEMO-0076 - Demonstrates secure vs insecure BiometricPrompt configurations for device credential fallback:

// FAIL: Allows fallback to PIN/pattern/password
biometricManager.canAuthenticate(
    BiometricManager.Authenticators.BIOMETRIC_STRONG or BiometricManager.Authenticators.DEVICE_CREDENTIAL
)

// PASS: Requires biometric only
biometricManager.canAuthenticate(BiometricManager.Authenticators.BIOMETRIC_STRONG)

MASTG-DEMO-0077 - Demonstrates secure vs insecure configurations for explicit user confirmation:

// FAIL: Allows implicit authentication for sensitive operations
.setConfirmationRequired(false)

// PASS: Requires explicit user confirmation
.setConfirmationRequired(true)

New Semgrep Rules

  • mastg-android-biometric-device-credential-fallback.yml: Flags setAllowedAuthenticators with DEVICE_CREDENTIAL
  • mastg-android-biometric-no-confirmation-required.yml: Flags setConfirmationRequired(false)

Deprecation

  • Added deprecation metadata to v1 test MASTG-TEST-0018 pointing to new v2 tests

[x] I have read the contributing guidelines.

Original prompt

This section details the original issue you should resolve

<issue_title>MASTG v1->v2 MASTG-TEST-0018: Testing Biometric Authentication (android)</issue_title>
<issue_description>
Create a new MASTG v2 test covering for:

Follow the guidelines

IMPORTANT NOTE

This v1 test doesn't contain a lot of detail. See https://mas.owasp.org/MASTG/0x05f-Testing-Local-Authentication/ for more context when porting it.

Also see:

Relevant weaknesses

  • MASWE-0046 Crypto Keys Not Invalidated on New Biometric Enrollment
  • MASWE-0045 Fallback to Non-biometric Credentials Allowed for Sensitive Transactions
  • MASWE-0044 Biometric Authentication is Event-bound

</issue_description>

Comments on the Issue (you are @copilot in this section)

@cpholguera See https://github.com//pull/3113#discussion_r1945165762

https://developer.android.com/identity/sign-in/biometric-auth#declare-supported-authentication-types

To begin using an authenticator, the user needs to create a PIN, pattern, or password. If the user doesn't already have one, the biometric enrollment flow prompts them to create one.

Include a new DEMO for the test created in #3113 using the biometrics API which forces to have a password.


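One hardened BiometricPrompt setup that addresses all four weaknesses the new tests check (MASWE-0044, -0045, -0046 and the explicit-confirmation case), as an added example that is not the PR's demo code. It assumes the androidx.biometric library discussed in the thread, API level 30 or higher for setUserAuthenticationParameters, and a constructed key alias.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
private const val KEY_ALIAS = "example_biometric_key" // constructed alias for this example
// Generate an AES key whose use is gated by a strong biometric (assumes API level 30+).
fun generateBiometricBoundKey(): SecretKey {
    val spec = KeyGenParameterSpec.Builder(
        KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        // MASWE-0044: the key itself is locked, so auth is crypto-bound, not a UI event
        .setUserAuthenticationRequired(true)
        // MASWE-0045: only BIOMETRIC_STRONG unlocks it; PIN/pattern/password cannot
        .setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG)
        // MASWE-0046: enrolling a new fingerprint/face permanently invalidates the key
        .setInvalidatedByBiometricEnrollment(true)
        .build()
    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        .apply { init(spec) }.generateKey()
}
fun showPrompt(activity: FragmentActivity, onUnlocked: (Cipher) -> Unit) {
    val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    // Throws KeyPermanentlyInvalidatedException if a new biometric was enrolled since key creation.
    cipher.init(Cipher.ENCRYPT_MODE, ks.getKey(KEY_ALIAS, null) as SecretKey)
    val promptInfo = BiometricPrompt.PromptInfo.Builder()
        .setTitle("Confirm transaction")
        .setNegativeButtonText("Cancel") // mandatory when DEVICE_CREDENTIAL is not allowed
        .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG)
        .setConfirmationRequired(true) // explicit user action for the sensitive operation
        .build()
    val callback = object : BiometricPrompt.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
            // Only the cipher returned here is unlocked; a null cryptoObject means event-bound auth
            result.cryptoObject?.cipher?.let(onUnlocked)
        }
    }
    BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
        .authenticate(promptInfo, BiometricPrompt.CryptoObject(cipher))
}
```

Catching KeyPermanentlyInvalidatedException at the cipher.init call and regenerating the key is the expected recovery path after a new enrollment.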

Copilot AI changed the title [WIP] Add MASTG v2 test for biometric authentication Port MASTG-TEST-0018 (Testing Biometric Authentication) to MASTG v2 Dec 2, 2025
Copilot AI requested a review from cpholguera December 2, 2025 17:26
@sushi2k sushi2k self-requested a review December 5, 2025 09:41
@cpholguera cpholguera marked this pull request as ready for review December 5, 2025 11:47
@sushi2k
Collaborator

sushi2k commented Dec 29, 2025

@copilot Can you add another test with ID MASTG-TEST-0316 with "title: References to APIs Enforcing Authentication without Explicit User Action"? According to the documentation: https://developer.android.com/identity/sign-in/biometric-auth#no-explicit-user-action

@cpholguera
Collaborator

@copilot add another test with ID MASTG-TEST-0316 with "title: References to APIs Enforcing Authentication without Explicit User Action", according to the documentation: https://developer.android.com/identity/sign-in/biometric-auth#no-explicit-user-action

Contributor Author

Copilot AI commented Dec 29, 2025

@copilot Can you add another test with ID MASTG-TEST-0316 with "title: References to APIs Enforcing Authentication without Explicit User Action"? According to the documentation: https://developer.andr...

Added MASTG-TEST-0316 "References to APIs Enforcing Authentication without Explicit User Action" with demo MASTG-DEMO-0077 and corresponding semgrep rule. The test checks for use of setConfirmationRequired(false) which allows implicit authentication without explicit user interaction. Commit: 3e336e2

@copilot add another test with ID MASTG-TEST-0316 with "title: References to APIs Enforcing Authentication without Explicit User Action", according to the documentation: https://developer.android.com/...

Added MASTG-TEST-0316 "References to APIs Enforcing Authentication without Explicit User Action" with demo MASTG-DEMO-0077 and corresponding semgrep rule. The test checks for use of setConfirmationRequired(false) which allows implicit authentication without explicit user interaction. Commit: 3e336e2

@bernhste
Collaborator

@sushi2k This is the similar test from the MAS Reference App: https://github.com/Redguard/mas-reference-app/blob/main/android/app/src/main/java/org/masreferenceapp/auth/AuthBiometricPrompt.java

It contains 3 tests:

  1. simplePrompt: Opens a prompt which requires biometric authentication. This method of authentication can usually be bypassed easily.
  2. devicePinOnlyPrompt: Opens a prompt which requires device credentials. This method of authentication is considered weak and can usually be bypassed easily.
  3. cryptoOperationPrompt: Opens a prompt which provides access to a CryptoObject.

This should be pretty much the same tests, right? The LLM-Version uses val executor: Executor = ContextCompat.getMainExecutor(context). Maybe that is the reason why we need a new FragmentActivity?

What if we use Executor mExecutor = Executors.newSingleThreadExecutor(); like used in the MAS Reference App?

@@ -0,0 +1,39 @@
---


⚠️ Duplicate MASTG-DEMO ID Detected

This file has the ID MASTG-DEMO-0082 which already exists in demos/android/MASVS-PLATFORM/MASTG-DEMO-0082/MASTG-DEMO-0082.md.

IMPORTANT: Please use the next available ID: MASTG-DEMO-0083

@@ -0,0 +1,38 @@
# Add KNOWLEDGE in Meta-data!!!
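Review bot: The new file opens with the placeholder line `# Add KNOWLEDGE in Meta-data!!!` instead of the YAML front matter the test files use, so the test's metadata (including the knowledge references listed in the to-do) is missing; replace the placeholder with the front-matter block before this is merged.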


⚠️ Duplicate MASTG-TEST ID Detected

This file has the ID MASTG-TEST-0320 which already exists in tests-beta/android/MASVS-PLATFORM/MASTG-TEST-0320.md.

IMPORTANT: Please use the next available ID: MASTG-TEST-0321

@sushi2k
Collaborator

sushi2k commented Jan 18, 2026

@sushi2k This is the similar test from the MAS Reference App: https://github.com/Redguard/mas-reference-app/blob/main/android/app/src/main/java/org/masreferenceapp/auth/AuthBiometricPrompt.java

It contains 3 tests:

  1. simplePrompt: Opens a prompt which requires biometric authentication. This method of authentication can usually be bypassed easily.
  2. devicePinOnlyPrompt: Opens a prompt which requires device credentials. This method of authentication is considered weak and can usually be bypassed easily.
  3. cryptoOperationPrompt: Opens a prompt which provides access to a CryptoObject.

This should be pretty much the same tests, right? The LLM-Version uses val executor: Executor = ContextCompat.getMainExecutor(context). Maybe that is the reason why we need a new FragmentActivity?

What if we use Executor mExecutor = Executors.newSingleThreadExecutor(); like used in the MAS Reference App?

Thanks @bernhste! I'll look into it, and then can maybe simply use your demo instead.

To-Do:

  • Fixing the demo-IDs (will do once ready to merge)
  • add knowledge meta-data

@sushi2k
Collaborator

sushi2k commented Jan 25, 2026

@bernhste now I understand the difference. In this app I am using androidx.biometric.BiometricPrompt; in your app it's android.hardware.biometrics.BiometricPrompt.

Claude was using the androidx library as it's the recommended library from the Android docs for biometrics, and this lib needs the FragmentActivity. I couldn't really find a big difference between the two of them, as I could implement the same functionality with android.hardware.biometrics.BiometricPrompt, so I will use this lib; then I don't need to change the MainActivity.kt. With the androidx lib you have better compatibility with older Android versions, but we are anyway expecting more recent (API Level > 28) versions.

To-Do:

  • refactor the code with Claude and using android.hardware.biometrics.BiometricPrompt instead
  • check if method names are different and update semgrep rules accordingly
  • add knowledge meta-data
  • Fixing the demo-IDs (will do once ready to merge)

Collaborator


@sushi2k Can it be that these tests also deprecate

https://mas.owasp.org/MASTG/tests/android/MASVS-AUTH/MASTG-TEST-0017/

And close #2951 ?
