Contributor

Copilot AI commented Dec 2, 2025

This PR closes #2952

Description

Ports the Android biometric authentication test (MASTG-TEST-0018) to v2 format, covering three MASWE weaknesses as requested in the issue comments. Includes a demo using BiometricPrompt API that highlights the requirement for users to have a password set.

New Tests (tests-beta/android/MASVS-AUTH/)

  • MASTG-TEST-0313 (MASWE-0045): Detects BiometricPrompt configurations allowing fallback to device credentials via DEVICE_CREDENTIAL or setDeviceCredentialAllowed(true)
  • MASTG-TEST-0314 (MASWE-0044): Detects event-bound biometric auth where authenticate() is called without CryptoObject
  • MASTG-TEST-0315 (MASWE-0046): Detects keys not invalidated on biometric enrollment via setInvalidatedByBiometricEnrollment(false)

New Demo (MASTG-DEMO-0076)

Demonstrates secure vs insecure BiometricPrompt configurations:

    // FAIL: Allows fallback to PIN/pattern/password
    biometricManager.canAuthenticate(
        BiometricManager.Authenticators.BIOMETRIC_STRONG or
            BiometricManager.Authenticators.DEVICE_CREDENTIAL
    )

    // PASS: Requires biometric only
    biometricManager.canAuthenticate(BiometricManager.Authenticators.BIOMETRIC_STRONG)

New Semgrep Rule

  • mastg-android-biometric-device-credential-fallback.yml: Flags setAllowedAuthenticators with DEVICE_CREDENTIAL

Deprecation

  • Added deprecation metadata to v1 test MASTG-TEST-0018 pointing to new v2 tests

[x] I have read the contributing guidelines.

Original prompt

This section details the original issue you should resolve

<issue_title>MASTG v1->v2 MASTG-TEST-0018: Testing Biometric Authentication (android)</issue_title>
<issue_description>
Create a new MASTG v2 test covering:

Follow the guidelines

IMPORTANT NOTE

This v1 test doesn't contain a lot of detail. See https://mas.owasp.org/MASTG/0x05f-Testing-Local-Authentication/ for more context when porting it.

Also see:

Relevant weaknesses

  • MASWE-0046 Crypto Keys Not Invalidated on New Biometric Enrollment
  • MASWE-0045 Fallback to Non-biometric Credentials Allowed for Sensitive Transactions
  • MASWE-0044 Biometric Authentication is Event-bound

</issue_description>

Comments on the Issue (you are @copilot in this section)

@cpholguera See https://github.com//pull/3113#discussion_r1945165762

https://developer.android.com/identity/sign-in/biometric-auth#declare-supported-authentication-types

To begin using an authenticator, the user needs to create a PIN, pattern, or password. If the user doesn't already have one, the biometric enrollment flow prompts them to create one.

Include a new DEMO for the test created in #3113 using the biometrics API which forces to have a password.
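One way to configure BiometricPrompt so that all three weaknesses listed above (MASWE-0044, MASWE-0045, MASWE-0046) are addressed at once, as an added illustration that is not the PR's MASTG-DEMO-0076 code: the key is created with setInvalidatedByBiometricEnrollment(true), only BIOMETRIC_STRONG is allowed (no DEVICE_CREDENTIAL fallback), and authenticate() is called with a CryptoObject so the result is only usable through the unlocked cipher. The key alias, the helper names getOrCreateKey and showBiometricPrompt, and the prompt strings are assumptions; the androidx.biometric and Android Keystore calls are the real APIs.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

// Assumed names for this example (not from the PR): KEY_ALIAS, getOrCreateKey, showBiometricPrompt.
private const val KEY_ALIAS = "example_biometric_key"
private const val KEYSTORE = "AndroidKeyStore"

// MASWE-0046 mitigation: the key is bound to the biometric set that exists at creation time
// and becomes permanently unusable as soon as a new fingerprint/face is enrolled.
// setUserAuthenticationParameters needs API 30; on API 24-29 use
// setUserAuthenticationValidityDurationSeconds(-1) for the same per-use semantics.
fun getOrCreateKey(): SecretKey {
    val ks = KeyStore.getInstance(KEYSTORE).apply { load(null) }
    (ks.getKey(KEY_ALIAS, null) as? SecretKey)?.let { return it }

    val spec = KeyGenParameterSpec.Builder(
        KEY_ALIAS,
        KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setUserAuthenticationRequired(true)
        // timeout 0 = every use needs a fresh authentication; only Class 3 biometrics unlock it
        .setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG)
        .setInvalidatedByBiometricEnrollment(true)
        .build()

    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE)
        .apply { init(spec) }
        .generateKey()
}

fun showBiometricPrompt(activity: FragmentActivity, onReady: (Cipher) -> Unit) {
    // MASWE-0045 mitigation: check for BIOMETRIC_STRONG alone; DEVICE_CREDENTIAL is never OR-ed in,
    // so the app does not silently downgrade to PIN/pattern/password when no biometric is available.
    val manager = BiometricManager.from(activity)
    if (manager.canAuthenticate(BIOMETRIC_STRONG) != BiometricManager.BIOMETRIC_SUCCESS) {
        return
    }

    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    try {
        cipher.init(Cipher.ENCRYPT_MODE, getOrCreateKey())
    } catch (e: KeyPermanentlyInvalidatedException) {
        // A new biometric was enrolled since the key was created: the old key is unusable by design.
        // Remove it and make the user re-establish trust rather than proceeding with a fresh key.
        KeyStore.getInstance(KEYSTORE).apply { load(null) }.deleteEntry(KEY_ALIAS)
        return
    }

    val promptInfo = BiometricPrompt.PromptInfo.Builder()
        .setTitle("Confirm transaction")
        .setAllowedAuthenticators(BIOMETRIC_STRONG)
        .setNegativeButtonText("Cancel") // required when DEVICE_CREDENTIAL is not allowed
        .build()

    val callback = object : BiometricPrompt.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
            // MASWE-0044 mitigation: success is only meaningful through the cipher the
            // hardware unlocked, so the callback alone is not the authentication decision.
            result.cryptoObject?.cipher?.let(onReady)
        }
    }

    BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
        .authenticate(promptInfo, BiometricPrompt.CryptoObject(cipher))
}
```

The three tests in this PR map onto single lines here: MASTG-TEST-0313 would flag a DEVICE_CREDENTIAL in either the canAuthenticate or the setAllowedAuthenticators call, MASTG-TEST-0314 would flag an authenticate(promptInfo) call without the CryptoObject argument, and MASTG-TEST-0315 would flag setInvalidatedByBiometricEnrollment(false) on the key spec.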



Copilot AI and others added 5 commits December 2, 2025 17:16
…18 v2 port Co-authored-by: cpholguera <29175115+cpholguera@users.noreply.github.com>
Co-authored-by: cpholguera <29175115+cpholguera@users.noreply.github.com>
Co-authored-by: cpholguera <29175115+cpholguera@users.noreply.github.com>
Co-authored-by: cpholguera <29175115+cpholguera@users.noreply.github.com>
Co-authored-by: cpholguera <29175115+cpholguera@users.noreply.github.com>
Copilot AI changed the title [WIP] Add MASTG v2 test for biometric authentication Port MASTG-TEST-0018 (Testing Biometric Authentication) to MASTG v2 Dec 2, 2025
Copilot AI requested a review from cpholguera December 2, 2025 17:26
Copilot finished work on behalf of cpholguera December 2, 2025 17:26