Copilot AI commented Dec 2, 2025

This PR closes #2952

Description

Ports the Android biometric authentication test (MASTG-TEST-0018) to v2 format, covering four MASWE weaknesses. Includes demos using the BiometricPrompt API that highlight security considerations for biometric authentication.

New Tests (tests-beta/android/MASVS-AUTH/)

  • MASTG-TEST-0313 (MASWE-0045): Detects BiometricPrompt configurations allowing fallback to device credentials via DEVICE_CREDENTIAL or setDeviceCredentialAllowed(true)
  • MASTG-TEST-0314 (MASWE-0044): Detects event-bound biometric auth where authenticate() is called without CryptoObject
  • MASTG-TEST-0315 (MASWE-0046): Detects keys not invalidated on biometric enrollment via setInvalidatedByBiometricEnrollment(false)
  • MASTG-TEST-0316 (MASWE-0044): Detects authentication without explicit user action via setConfirmationRequired(false)

New Demos

MASTG-DEMO-0076 - Demonstrates secure vs insecure BiometricPrompt configurations for device credential fallback:

// FAIL: Allows fallback to PIN/pattern/password
biometricManager.canAuthenticate(
    BiometricManager.Authenticators.BIOMETRIC_STRONG or BiometricManager.Authenticators.DEVICE_CREDENTIAL
)

// PASS: Requires biometric only
biometricManager.canAuthenticate(BiometricManager.Authenticators.BIOMETRIC_STRONG)

MASTG-DEMO-0077 - Demonstrates secure vs insecure configurations for explicit user confirmation:

// FAIL: Allows implicit authentication for sensitive operations
.setConfirmationRequired(false)

// PASS: Requires explicit user confirmation
.setConfirmationRequired(true)

New Semgrep Rules

  • mastg-android-biometric-device-credential-fallback.yml: Flags setAllowedAuthenticators with DEVICE_CREDENTIAL
  • mastg-android-biometric-no-confirmation-required.yml: Flags setConfirmationRequired(false)

Deprecation

  • Added deprecation metadata to v1 test MASTG-TEST-0018 pointing to new v2 tests

[x] I have read the contributing guidelines.

Original prompt

This section details the original issue you should resolve

Issue title: MASTG v1->v2 MASTG-TEST-0018: Testing Biometric Authentication (android)

Create a new MASTG v2 test covering for:

Follow the guidelines

IMPORTANT NOTE

This v1 test doesn't contain a lot of detail. See https://mas.owasp.org/MASTG/0x05f-Testing-Local-Authentication/ for more context when porting it.

Also see:

Relevant weaknesses

  • MASWE-0046 Crypto Keys Not Invalidated on New Biometric Enrollment
  • MASWE-0045 Fallback to Non-biometric Credentials Allowed for Sensitive Transactions
  • MASWE-0044 Biometric Authentication is Event-bound


Comments on the Issue (you are @copilot in this section)

@cpholguera See https://github.com//pull/3113#discussion_r1945165762

https://developer.android.com/identity/sign-in/biometric-auth#declare-supported-authentication-types

To begin using an authenticator, the user needs to create a PIN, pattern, or password. If the user doesn't already have one, the biometric enrollment flow prompts them to create one.

Include a new DEMO for the test created in #3113 using the biometrics API which forces to have a password.


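A stand-alone approximation of what the four tests in the PR description look for, written as an added example rather than code from the PR or from the MASTG repository: it scans Kotlin source for the PromptInfo and KeyGenParameterSpec builder calls named in the test descriptions and the Semgrep rules, and reports one finding per weakness. The two Kotlin snippets embedded in it are constructed for this example; the identifiers promptInfo, spec and cipher are assumptions, not the PR's demo files.

```python
"""Static check for the four BiometricPrompt weaknesses (MASWE-0044/0045/0046)
over constructed Kotlin snippets.  Added example; the PR's Semgrep rules are
the real implementation, this only approximates what they match."""
import re
from dataclasses import dataclass

# Constructed Kotlin sample that exhibits all four weaknesses (not the PR's demo).
INSECURE_KOTLIN = """
val promptInfo = BiometricPrompt.PromptInfo.Builder()
    .setTitle("Confirm payment")
    .setAllowedAuthenticators(
        BiometricManager.Authenticators.BIOMETRIC_STRONG or
        BiometricManager.Authenticators.DEVICE_CREDENTIAL)
    .setConfirmationRequired(false)
    .build()

val spec = KeyGenParameterSpec.Builder("payment_key", KeyProperties.PURPOSE_DECRYPT)
    .setUserAuthenticationRequired(true)
    .setInvalidatedByBiometricEnrollment(false)
    .build()

biometricPrompt.authenticate(promptInfo)
"""

# Constructed hardened counterpart: biometric-only, key invalidated on a new
# enrollment, explicit confirmation, and the key bound to a CryptoObject.
SECURE_KOTLIN = """
val promptInfo = BiometricPrompt.PromptInfo.Builder()
    .setTitle("Confirm payment")
    .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG)
    .setNegativeButtonText("Cancel")
    .setConfirmationRequired(true)
    .build()

val spec = KeyGenParameterSpec.Builder("payment_key", KeyProperties.PURPOSE_DECRYPT)
    .setUserAuthenticationRequired(true)
    .setInvalidatedByBiometricEnrollment(true)
    .build()

// The key is only usable through this CryptoObject after a fresh biometric auth.
biometricPrompt.authenticate(promptInfo, BiometricPrompt.CryptoObject(cipher))
"""


@dataclass(frozen=True)
class Finding:
    test_id: str
    weakness: str
    line: int
    detail: str


def _calls(src, name):
    """Yield (line, argument_text) for every call `name(...)`, tracking nested
    parentheses so a multi-line argument list is captured whole."""
    for m in re.finditer(r"\b" + re.escape(name) + r"\s*\(", src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"(": 1, ")": -1}.get(src[i], 0)
            i += 1
        yield src.count("\n", 0, m.start()) + 1, src[m.end():i - 1]


# (test id, weakness, builder call, predicate on its argument text, finding text)
RULES = [
    ("MASTG-TEST-0313", "MASWE-0045", "setAllowedAuthenticators",
     lambda a: "DEVICE_CREDENTIAL" in a, "PIN/pattern/password accepted as fallback"),
    ("MASTG-TEST-0313", "MASWE-0045", "setDeviceCredentialAllowed",
     lambda a: a.strip() == "true", "PIN/pattern/password accepted as fallback"),
    ("MASTG-TEST-0314", "MASWE-0044", "authenticate",
     lambda a: "CryptoObject" not in a, "authenticate() without CryptoObject: event-bound auth"),
    ("MASTG-TEST-0315", "MASWE-0046", "setInvalidatedByBiometricEnrollment",
     lambda a: a.strip() == "false", "key survives enrollment of a new biometric"),
    ("MASTG-TEST-0316", "MASWE-0044", "setConfirmationRequired",
     lambda a: a.strip() == "false", "implicit auth without explicit user action"),
]


def check(src):
    """Return the findings for one Kotlin source string, ordered by line."""
    findings = [
        Finding(test_id, weakness, line, detail)
        for test_id, weakness, call, is_bad, detail in RULES
        for line, args in _calls(src, call)
        if is_bad(args)
    ]
    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    for label, src in (("insecure", INSECURE_KOTLIN), ("secure", SECURE_KOTLIN)):
        print(f"{label}: {len(check(src))} finding(s)")
        for f in check(src):
            print(f"  line {f.line}: {f.test_id} ({f.weakness}) {f.detail}")
```

The checker matches the builder calls the test descriptions and Semgrep rules name (setAllowedAuthenticators, setDeviceCredentialAllowed, setInvalidatedByBiometricEnrollment, setConfirmationRequired, authenticate), not BiometricManager.canAuthenticate, which only queries which authenticator classes the device can offer. Being text-based, it misses an authenticator mask or boolean passed through a variable, which Semgrep's AST patterns can follow; treat its output as a starting point for manual review of each prompt and key configuration, as the v2 tests require.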

Copilot AI changed the title [WIP] Add MASTG v2 test for biometric authentication Port MASTG-TEST-0018 (Testing Biometric Authentication) to MASTG v2 Dec 2, 2025
Copilot AI requested a review from cpholguera December 2, 2025 17:26
@sushi2k sushi2k self-requested a review December 5, 2025 09:41
@cpholguera cpholguera marked this pull request as ready for review December 5, 2025 11:47
sushi2k commented Dec 29, 2025

@copilot Can you add another test with ID MASTG-TEST-0316 with "title: References to APIs Enforcing Authentication without Explicit User Action"? According to the documentation: https://developer.android.com/identity/sign-in/biometric-auth#no-explicit-user-action

@cpholguera

@copilot add another test with ID MASTG-TEST-0316 with "title: References to APIs Enforcing Authentication without Explicit User Action", according to the documentation: https://developer.android.com/identity/sign-in/biometric-auth#no-explicit-user-action

Copilot AI commented Dec 29, 2025

@copilot Can you add another test with ID MASTG-TEST-0316 with "title: References to APIs Enforcing Authentication without Explicit User Action"? According to the documentation: https://developer.andr...

Added MASTG-TEST-0316 "References to APIs Enforcing Authentication without Explicit User Action" with demo MASTG-DEMO-0077 and corresponding semgrep rule. The test checks for use of setConfirmationRequired(false) which allows implicit authentication without explicit user interaction. Commit: 3e336e2
