Merge pull request #1190 from HackTricks-wiki/research_update_src_mobile-pentesting_android-app-pentesting_bypass-biometric-authentication-android_20250726_012858

Research Update Enhanced src/mobile-pentesting/android-app-p...
2025-10-10 18:36:50 +00:00 · 2025-07-28 12:01:57 +02:00 · 2025-07-28 12:01:57 +02:00 · 19a33fbce4
commit 19a33fbce4
parent 095c65072e e3daecf92e
1 changed files with 52 additions and 5 deletions
--- a/src/mobile-pentesting/android-app-pentesting/bypass-biometric-authentication-android.md
+++ b/src/mobile-pentesting/android-app-pentesting/bypass-biometric-authentication-android.md
@ -32,7 +32,7 @@ Command to run the Frida script:
 frida -U -f com.generic.insecurebankingfingerprint --no-pause -l fingerprint-bypass-via-exception-handling.js
 ```
-Upon reaching the fingerprint screen and the initiation of `authenticate()`, type `bypass()`` in the Frida console to activate the bypass:
+Upon reaching the fingerprint screen and the initiation of `authenticate()`, type `bypass()` in the Frida console to activate the bypass:
 ```
 Spawning com.generic.insecurebankingfingerprint...
@ -70,12 +70,59 @@ There are specialized tools and scripts designed to test and bypass authenticati
 1. **MAGISK Modules**: MAGISK is a tool for Android that allows users to root their devices and add modules that can modify or spoof hardware-level information, including fingerprints.
 2. **Custom-built Scripts**: Scripts can be written to interact with the Android Debug Bridge (ADB) or directly with the application's backend to simulate or bypass fingerprint authentication.
 ---
 ## **Method 6 – Universal Frida Hook for `BiometricPrompt` (API 28-34)**
 In 2023 a community Frida script branded **Universal-Android-Biometric-Bypass** appeared on CodeShare. The script hooks every overload of `BiometricPrompt.authenticate()` as well as legacy `FingerprintManager.authenticate()` and directly triggers `onAuthenticationSucceeded()` with a **fabricated `AuthenticationResult` containing a null `CryptoObject`**. Because it adapts dynamically to API levels, it still works on Android 14 (API 34) if the target app performs **no cryptographic checks on the returned `CryptoObject`**.
 ```bash
 # Install the script from CodeShare and run it against the target package
 frida -U -f com.target.app --no-pause -l universal-android-biometric-bypass.js
 ```
 Key ideas
 * Everything happens in user space – no kernel exploit or root is required.
 * The attack remains fully silent to the UI: the system biometric dialog never appears.
 * Mitigation: **always verify `result.cryptoObject` and its cipher/signature before unlocking sensitive features**.
 ## **Method 7 – Downgrade / Fallback Manipulation**
 Starting with Android 11, developers can specify which authenticators are acceptable via `setAllowedAuthenticators()` (or the older `setDeviceCredentialAllowed()`). A **runtime hooking** attack can force the `allowedAuthenticators` bit-field to the weaker
 `BIOMETRIC_WEAK | DEVICE_CREDENTIAL` value:
 ```javascript
 // Frida one-liner – replace strong-only policy with weak/device-credential
 var PromptInfoBuilder = Java.use('androidx.biometric.BiometricPrompt$PromptInfo$Builder');
 PromptInfoBuilder.setAllowedAuthenticators.implementation = function(flags){
    return this.setAllowedAuthenticators(0x0002 | 0x8000); // BIOMETRIC_WEAK | DEVICE_CREDENTIAL
 };
 ```
 If the app does **not** subsequently validate the returned `AuthenticationResult`, an attacker can simply press the _PIN/Pattern_ fallback button or even register a new weak biometric to gain access.
 ## **Method 8 – Vendor / Kernel-level CVEs**
 Keep an eye on Android security bulletins: several recent kernel-side bugs allow local privilege escalation through the fingerprint HAL and effectively **disable or short-circuit the sensor pipeline**. Examples include:
 * **CVE-2023-20995** – logic error in `captureImage` of `CustomizedSensor.cpp` (Pixel 8, Android 13) allowing unlock bypass without user interaction.
 * **CVE-2024-53835 / CVE-2024-53840** – “possible biometric bypass due to an unusual root cause” patched in the **December 2024 Pixel bulletin**.
 Although these vulnerabilities target the lock-screen, a rooted tester may chain them with app-level flaws to bypass in-app biometrics as well.
 ---
 ### Hardening Checklist for Developers (Quick Pentester Notes)
 * Enforce `setUserAuthenticationRequired(true)` and `setInvalidatedByBiometricEnrollment(true)` when generating **Keystore** keys. A valid biometric is then required before the key can be used.
 * Reject a `CryptoObject` with **null or unexpected cipher / signature**; treat this as a fatal authentication error.
 * When using `BiometricPrompt`, prefer `BIOMETRIC_STRONG` and **never fall back to `BIOMETRIC_WEAK` or `DEVICE_CREDENTIAL`** for high-risk actions.
 * Pin the latest `androidx.biometric` version (≥1.2.0-beta02) – recent releases add automatic null-cipher checks and tighten allowed authenticator combinations.
 ## References
- [https://securitycafe.ro/2022/09/05/mobile-pentesting-101-bypassing-biometric-authentication/](https://securitycafe.ro/2022/09/05/mobile-pentesting-101-bypassing-biometric-authentication/)
+- [Universal Android Biometric Bypass – Frida CodeShare](https://codeshare.frida.re/@ax/universal-android-biometric-bypass/)
 - [Android Pixel Security Bulletin 2024-12-01](https://source.android.com/security/bulletin/pixel/2024-12-01)
 {{#include ../../banners/hacktricks-training.md}}