mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
Translated ['src/mobile-pentesting/android-app-pentesting/bypass-biometr
This commit is contained in:
Translator
parent
18156b8e6c
commit
3ff2ee443b
@ -4,7 +4,7 @@
|
||||
|
||||
## **Method 1 – Bypassing with No Crypto Object Usage**
|
||||
|
||||
Mwelekeo hapa ni kwenye _onAuthenticationSucceeded_ callback, ambayo ni muhimu katika mchakato wa uthibitishaji. Watafiti katika WithSecure walitengeneza [Frida script](https://github.com/WithSecureLABS/android-keystore-audit/blob/master/frida-scripts/fingerprint-bypass.js), inayowezesha kupita _CryptoObject_ ya NULL katika _onAuthenticationSucceeded(...)_. Script inasababisha kupita kiotomatiki kwa uthibitishaji wa alama za vidole wakati wa wito wa njia hiyo. Hapa chini kuna kipande kilichorahisishwa kinachoonyesha kupita katika muktadha wa Alama za Vidole za Android, huku programu kamili ikipatikana kwenye [GitHub](https://github.com/St3v3nsS/InsecureBanking).
|
||||
Kipaumbele hapa ni kwenye _onAuthenticationSucceeded_ callback, ambayo ni muhimu katika mchakato wa uthibitishaji. Watafiti kutoka WithSecure walitengeneza [Frida script](https://github.com/WithSecureLABS/android-keystore-audit/blob/master/frida-scripts/fingerprint-bypass.js), inayowezesha kupita _CryptoObject_ ya NULL katika _onAuthenticationSucceeded(...)_. Script hiyo inalazimisha kupita kiotomatiki kwa uthibitishaji wa alama za vidole wakati wa wito wa njia hiyo. Hapa chini kuna kipande kilichorahisishwa kinachoonyesha kupita katika muktadha wa Alama za Vidole za Android, huku programu kamili ikipatikana kwenye [GitHub](https://github.com/St3v3nsS/InsecureBanking).
|
||||
```javascript
|
||||
biometricPrompt = new BiometricPrompt(this, executor, new BiometricPrompt.AuthenticationCallback() {
|
||||
@Override
|
||||
@ -21,7 +21,7 @@ frida -U -f com.generic.insecurebankingfingerprint --no-pause -l fingerprint-byp
|
||||
|
||||
Another [Frida script](https://github.com/WithSecureLABS/android-keystore-audit/blob/master/frida-scripts/fingerprint-bypass-via-exception-handling.js) by WithSecure addresses bypassing insecure crypto object usage. The script invokes _onAuthenticationSucceeded_ with a _CryptoObject_ that hasn't been authorized by a fingerprint. If the application tries to use a different cipher object, it will trigger an exception. The script prepares to invoke _onAuthenticationSucceeded_ and handle the _javax.crypto.IllegalBlockSizeException_ in the _Cipher_ class, ensuring subsequent objects used by the application are encrypted with the new key.
|
||||
|
||||
Command to run the Frida script:
|
||||
Amri ya kuendesha script ya Frida:
|
||||
```bash
|
||||
frida -U -f com.generic.insecurebankingfingerprint --no-pause -l fingerprint-bypass-via-exception-handling.js
|
||||
```
|
||||
@ -35,33 +35,78 @@ Hooking FingerprintManager.authenticate()...
|
||||
```
|
||||
## **Method 3 – Instrumentation Frameworks**
|
||||
|
||||
Frameworks za uhandisi kama Xposed au Frida zinaweza kutumika kuingilia njia za programu wakati wa wakati. Kwa uthibitisho wa alama za vidole, frameworks hizi zinaweza:
|
||||
Instrumentation frameworks kama Xposed au Frida zinaweza kutumika kuingilia njia za programu wakati wa wakati. Kwa uthibitisho wa alama za vidole, mifumo hii inaweza:
|
||||
|
||||
1. **Kufanya Kazi za Uthibitishaji**: Kwa kuingilia katika `onAuthenticationSucceeded`, `onAuthenticationFailed`, au `onAuthenticationError` njia za `BiometricPrompt.AuthenticationCallback`, unaweza kudhibiti matokeo ya mchakato wa uthibitisho wa alama za vidole.
|
||||
2. **Kupita SSL Pinning**: Hii inaruhusu mshambuliaji kukamata na kubadilisha trafiki kati ya mteja na seva, ikibadilisha mchakato wa uthibitisho au kuiba data nyeti.
|
||||
1. **Mock the Authentication Callbacks**: Kwa kuingilia kwenye `onAuthenticationSucceeded`, `onAuthenticationFailed`, au `onAuthenticationError` njia za `BiometricPrompt.AuthenticationCallback`, unaweza kudhibiti matokeo ya mchakato wa uthibitisho wa alama za vidole.
|
||||
2. **Bypass SSL Pinning**: Hii inaruhusu mshambuliaji kukamata na kubadilisha trafiki kati ya mteja na seva, huenda ikabadilisha mchakato wa uthibitisho au kuiba data nyeti.
|
||||
|
||||
Mfano wa amri kwa Frida:
|
||||
Example command for Frida:
|
||||
```bash
|
||||
frida -U -l script-to-bypass-authentication.js --no-pause -f com.generic.in
|
||||
```
|
||||
## **Mbinu ya 4 – Uhandisi wa Kurudi na Marekebisho ya Kanuni**
|
||||
## **Method 4 – Uhandisi wa Kurudi na Marekebisho ya Kanuni**
|
||||
|
||||
Zana za uhandisi wa kurudi kama `APKTool`, `dex2jar`, na `JD-GUI` zinaweza kutumika kubadilisha programu ya Android, kusoma kanuni yake ya chanzo, na kuelewa mfumo wake wa uthibitishaji. Hatua kwa ujumla zinajumuisha:
|
||||
|
||||
1. **Kuhariri APK**: Badilisha faili ya APK kuwa muundo unaoweza kusomwa na binadamu zaidi (kama kanuni ya Java).
|
||||
1. **Kuhariri APK**: Badilisha faili la APK kuwa muundo unaoweza kusomwa na binadamu zaidi (kama kanuni ya Java).
|
||||
2. **Kuchambua Kanuni**: Tafuta utekelezaji wa uthibitishaji wa alama za vidole na tambua udhaifu wa uwezekano (kama mifumo ya kurudi nyuma au ukaguzi usio sahihi).
|
||||
3. **Kurekebisha APK**: Baada ya kubadilisha kanuni ili kupita uthibitishaji wa alama za vidole, programu inarekebishwa, kusainiwa, na kufungwa kwenye kifaa kwa ajili ya majaribio.
|
||||
|
||||
## **Mbinu ya 5 – Kutumia Zana za Uthibitishaji za Kijadi**
|
||||
## **Method 5 – Kutumia Zana za Uthibitishaji za Kijadi**
|
||||
|
||||
Kuna zana maalum na skripti zilizoundwa ili kujaribu na kupita mifumo ya uthibitishaji. Kwa mfano:
|
||||
|
||||
1. **Moduli za MAGISK**: MAGISK ni zana kwa Android inayowaruhusu watumiaji ku-root vifaa vyao na kuongeza moduli ambazo zinaweza kubadilisha au kudanganya taarifa za kiwango cha vifaa, ikiwa ni pamoja na alama za vidole.
|
||||
2. **Skripti zilizojengwa kwa Kijadi**: Skripti zinaweza kuandikwa ili kuingiliana na Daraja la Debug la Android (ADB) au moja kwa moja na nyuma ya programu ili kuiga au kupita uthibitishaji wa alama za vidole.
|
||||
1. **Moduli za MAGISK**: MAGISK ni zana kwa Android inayowaruhusu watumiaji ku-root vifaa vyao na kuongeza moduli zinazoweza kubadilisha au kudanganya taarifa za kiwango cha vifaa, ikiwa ni pamoja na alama za vidole.
|
||||
2. **Skripti zilizojengwa kwa Kijadi**: Skripti zinaweza kuandikwa ili kuingiliana na Android Debug Bridge (ADB) au moja kwa moja na nyuma ya programu ili kuiga au kupita uthibitishaji wa alama za vidole.
|
||||
|
||||
## Marejeo
|
||||
---
|
||||
|
||||
- [https://securitycafe.ro/2022/09/05/mobile-pentesting-101-bypassing-biometric-authentication/](https://securitycafe.ro/2022/09/05/mobile-pentesting-101-bypassing-biometric-authentication/)
|
||||
## **Method 6 – Frida Hook ya Kijumla kwa `BiometricPrompt` (API 28-34)**
|
||||
|
||||
Mnamo mwaka wa 2023, skripti ya jamii ya Frida iliyopewa jina **Universal-Android-Biometric-Bypass** ilionekana kwenye CodeShare. Skripti hii inashughulikia kila overload ya `BiometricPrompt.authenticate()` pamoja na `FingerprintManager.authenticate()` ya zamani na moja kwa moja inasababisha `onAuthenticationSucceeded()` kwa **matokeo ya uthibitishaji yaliyotengenezwa yanayojumuisha `CryptoObject` isiyo na maana**. Kwa sababu inabadilika kwa dinamikali kulingana na viwango vya API, bado inafanya kazi kwenye Android 14 (API 34) ikiwa programu lengwa haina **ukaguzi wa kificho kwenye `CryptoObject` iliyorudishwa**.
|
||||
```bash
|
||||
# Install the script from CodeShare and run it against the target package
|
||||
frida -U -f com.target.app --no-pause -l universal-android-biometric-bypass.js
|
||||
```
|
||||
Key ideas
|
||||
* Kila kitu kinatokea katika nafasi ya mtumiaji – hakuna exploit ya kernel au root inahitajika.
|
||||
* Shambulio linabaki kimya kabisa kwa UI: kidirisha cha biometriki cha mfumo hakionekani kamwe.
|
||||
* Kuzuia: **daima thibitisha `result.cryptoObject` na cipher/saini zake kabla ya kufungua vipengele nyeti**.
|
||||
|
||||
## **Method 7 – Downgrade / Fallback Manipulation**
|
||||
|
||||
Kuanza na Android 11, waendelezaji wanaweza kubaini ni waithinishaji gani wanaokubalika kupitia `setAllowedAuthenticators()` (au `setDeviceCredentialAllowed()` ya zamani). Shambulio la **runtime hooking** linaweza kulazimisha bit-field ya `allowedAuthenticators` kuwa thamani dhaifu ya `BIOMETRIC_WEAK | DEVICE_CREDENTIAL`:
|
||||
```javascript
|
||||
// Frida one-liner – replace strong-only policy with weak/device-credential
|
||||
var PromptInfoBuilder = Java.use('androidx.biometric.BiometricPrompt$PromptInfo$Builder');
|
||||
PromptInfoBuilder.setAllowedAuthenticators.implementation = function(flags){
|
||||
return this.setAllowedAuthenticators(0x0002 | 0x8000); // BIOMETRIC_WEAK | DEVICE_CREDENTIAL
|
||||
};
|
||||
```
|
||||
Ikiwa programu haithibitishi `AuthenticationResult` iliyorejeshwa, mshambuliaji anaweza kubonyeza kitufe cha _PIN/Pattern_ fallback au hata kujiandikisha biometriki dhaifu mpya ili kupata ufikiaji.
|
||||
|
||||
## **Mbinu 8 – CVEs za Mtoa huduma / Kiwango cha Kernel**
|
||||
|
||||
Fuata matangazo ya usalama wa Android: makosa kadhaa ya hivi karibuni upande wa kernel yanaruhusu kupandisha hadhi ya ndani kupitia fingerprint HAL na kwa ufanisi **kuondoa au kufupisha mchakato wa sensor**. Mifano ni pamoja na:
|
||||
|
||||
* **CVE-2023-20995** – kosa la mantiki katika `captureImage` ya `CustomizedSensor.cpp` (Pixel 8, Android 13) inayoruhusu kupita kufuli bila mwingiliano wa mtumiaji.
|
||||
* **CVE-2024-53835 / CVE-2024-53840** – “kupita biometriki inayowezekana kutokana na sababu isiyo ya kawaida” iliyorekebishwa katika **tangazo la Pixel la Desemba 2024**.
|
||||
|
||||
Ingawa udhaifu huu unalenga skrini ya kufuli, mtumiaji aliye na root anaweza kuunganisha nao na makosa ya kiwango cha programu ili kupita biometriki ndani ya programu pia.
|
||||
|
||||
---
|
||||
|
||||
### Orodha ya Kuimarisha kwa Wandelezaji (Maelezo ya Haraka ya Pentester)
|
||||
|
||||
* Lazimisha `setUserAuthenticationRequired(true)` na `setInvalidatedByBiometricEnrollment(true)` unapozalisha funguo za **Keystore**. Biometriki halali inahitajika kabla funguo hiyo haijatumika.
|
||||
* Kata `CryptoObject` yenye **null au cipher / saini isiyotarajiwa**; itendee kama kosa la uthibitishaji la hatari.
|
||||
* Unapokuwa ukitumia `BiometricPrompt`, pendelea `BIOMETRIC_STRONG` na **kamwe usirudi kwa `BIOMETRIC_WEAK` au `DEVICE_CREDENTIAL`** kwa vitendo vya hatari kubwa.
|
||||
* Funga toleo jipya la `androidx.biometric` (≥1.2.0-beta02) – toleo la hivi karibuni linaongeza ukaguzi wa null-cipher kiotomatiki na kuimarisha mchanganyiko wa waithibitishaji unaoruhusiwa.
|
||||
|
||||
## Marejeleo
|
||||
|
||||
- [Universal Android Biometric Bypass – Frida CodeShare](https://codeshare.frida.re/@ax/universal-android-biometric-bypass/)
|
||||
- [Android Pixel Security Bulletin 2024-12-01](https://source.android.com/security/bulletin/pixel/2024-12-01)
|
||||
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user