maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add content from: Research Update: Enhanced src/mobile-pentesting/android-app-...

Browse Source
This commit is contained in:
HackTricks News Bot 2025-07-26 01:30:14 +00:00
parent d753b3ed2f
commit e3daecf92e
1 changed files with 52 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
src/mobile-pentesting/android-app-pentesting/bypass-biometric-authentication-android.md
View File

@ -32,7 +32,7 @@ Command to run the Frida script:
frida -U -f com.generic.insecurebankingfingerprint --no-pause -l fingerprint-bypass-via-exception-handling.js
```
Upon reaching the fingerprint screen and the initiation of `authenticate()`, type `bypass()`` in the Frida console to activate the bypass:
Upon reaching the fingerprint screen and the initiation of `authenticate()`, type `bypass()` in the Frida console to activate the bypass:
```
Spawning com.generic.insecurebankingfingerprint...
@ -70,12 +70,59 @@ There are specialized tools and scripts designed to test and bypass authenticati
1. **MAGISK Modules**: MAGISK is a tool for Android that allows users to root their devices and add modules that can modify or spoof hardware-level information, including fingerprints.
2. **Custom-built Scripts**: Scripts can be written to interact with the Android Debug Bridge (ADB) or directly with the application's backend to simulate or bypass fingerprint authentication.
---
## **Method 6 Universal Frida Hook for `BiometricPrompt` (API 28-34)**
In 2023 a community Frida script branded **Universal-Android-Biometric-Bypass** appeared on CodeShare. The script hooks every overload of `BiometricPrompt.authenticate()` as well as legacy `FingerprintManager.authenticate()` and directly triggers `onAuthenticationSucceeded()` with a **fabricated `AuthenticationResult` containing a null `CryptoObject`**. Because it adapts dynamically to API levels, it still works on Android 14 (API 34) if the target app performs **no cryptographic checks on the returned `CryptoObject`**.
```bash
# Install the script from CodeShare and run it against the target package
frida -U -f com.target.app --no-pause -l universal-android-biometric-bypass.js
```
Key ideas
* Everything happens in user space no kernel exploit or root is required.
* The attack remains fully silent to the UI: the system biometric dialog never appears.
* Mitigation: **always verify `result.cryptoObject` and its cipher/signature before unlocking sensitive features**.
## **Method 7 Downgrade / Fallback Manipulation**
Starting with Android 11, developers can specify which authenticators are acceptable via `setAllowedAuthenticators()` (or the older `setDeviceCredentialAllowed()`). A **runtime hooking** attack can force the `allowedAuthenticators` bit-field to the weaker
`BIOMETRIC_WEAK | DEVICE_CREDENTIAL` value:
```javascript
// Frida one-liner replace strong-only policy with weak/device-credential
var PromptInfoBuilder = Java.use('androidx.biometric.BiometricPrompt$PromptInfo$Builder');
PromptInfoBuilder.setAllowedAuthenticators.implementation = function(flags){
return this.setAllowedAuthenticators(0x0002 | 0x8000); // BIOMETRIC_WEAK | DEVICE_CREDENTIAL
};
```
If the app does **not** subsequently validate the returned `AuthenticationResult`, an attacker can simply press the _PIN/Pattern_ fallback button or even register a new weak biometric to gain access.
## **Method 8 Vendor / Kernel-level CVEs**
Keep an eye on Android security bulletins: several recent kernel-side bugs allow local privilege escalation through the fingerprint HAL and effectively **disable or short-circuit the sensor pipeline**. Examples include:
* **CVE-2023-20995** logic error in `captureImage` of `CustomizedSensor.cpp` (Pixel 8, Android 13) allowing unlock bypass without user interaction.
* **CVE-2024-53835 / CVE-2024-53840** “possible biometric bypass due to an unusual root cause” patched in the **December 2024 Pixel bulletin**.
Although these vulnerabilities target the lock-screen, a rooted tester may chain them with app-level flaws to bypass in-app biometrics as well.
---
### Hardening Checklist for Developers (Quick Pentester Notes)
* Enforce `setUserAuthenticationRequired(true)` and `setInvalidatedByBiometricEnrollment(true)` when generating **Keystore** keys. A valid biometric is then required before the key can be used.
* Reject a `CryptoObject` with **null or unexpected cipher / signature**; treat this as a fatal authentication error.
* When using `BiometricPrompt`, prefer `BIOMETRIC_STRONG` and **never fall back to `BIOMETRIC_WEAK` or `DEVICE_CREDENTIAL`** for high-risk actions.
* Pin the latest `androidx.biometric` version (≥1.2.0-beta02) recent releases add automatic null-cipher checks and tighten allowed authenticator combinations.
## References
- [https://securitycafe.ro/2022/09/05/mobile-pentesting-101-bypassing-biometric-authentication/](https://securitycafe.ro/2022/09/05/mobile-pentesting-101-bypassing-biometric-authentication/)
- [Universal Android Biometric Bypass Frida CodeShare](https://codeshare.frida.re/@ax/universal-android-biometric-bypass/)
- [Android Pixel Security Bulletin 2024-12-01](https://source.android.com/security/bulletin/pixel/2024-12-01)
{{#include ../../banners/hacktricks-training.md}}