# Bypass Biometric Authentication (Android) {{#include ../../banners/hacktricks-training.md}} ## **Method 1 – Bypassing with No Crypto Object Usage** The focus here is on the _onAuthenticationSucceeded_ callback, which is crucial in the authentication process. Researchers at WithSecure developed a [Frida script](https://github.com/WithSecureLABS/android-keystore-audit/blob/master/frida-scripts/fingerprint-bypass.js), enabling the bypass of the NULL _CryptoObject_ in _onAuthenticationSucceeded(...)_. The script forces an automatic bypass of the fingerprint authentication upon the method's invocation. Below is a simplified snippet demonstrating the bypass in an Android Fingerprint context, with the full application available on [GitHub](https://github.com/St3v3nsS/InsecureBanking). ```javascript biometricPrompt = new BiometricPrompt(this, executor, new BiometricPrompt.AuthenticationCallback() { @Override public void onAuthenticationSucceeded(@NonNull BiometricPrompt.AuthenticationResult result) { Toast.makeText(MainActivity.this,"Success",Toast.LENGTH_LONG).show(); } }); ``` Command to run the Frida script: ```bash frida -U -f com.generic.insecurebankingfingerprint --no-pause -l fingerprint-bypass.js ``` ## **Method 2 – Exception Handling Approach** Another [Frida script](https://github.com/WithSecureLABS/android-keystore-audit/blob/master/frida-scripts/fingerprint-bypass-via-exception-handling.js) by WithSecure addresses bypassing insecure crypto object usage. The script invokes _onAuthenticationSucceeded_ with a _CryptoObject_ that hasn't been authorized by a fingerprint. If the application tries to use a different cipher object, it will trigger an exception. The script prepares to invoke _onAuthenticationSucceeded_ and handle the _javax.crypto.IllegalBlockSizeException_ in the _Cipher_ class, ensuring subsequent objects used by the application are encrypted with the new key. Command to run the Frida script: ```bash frida -U -f com.generic.insecurebankingfingerprint --no-pause -l fingerprint-bypass-via-exception-handling.js ``` Upon reaching the fingerprint screen and the initiation of `authenticate()`, type `bypass()` in the Frida console to activate the bypass: ``` Spawning com.generic.insecurebankingfingerprint... [Android Emulator 5554::com.generic.insecurebankingfingerprint]-> Hooking BiometricPrompt.authenticate()... Hooking BiometricPrompt.authenticate2()... Hooking FingerprintManager.authenticate()... [Android Emulator 5554::com.generic.insecurebankingfingerprint]-> bypass() ``` ## **Method 3 – Instrumentation Frameworks** Instrumentation frameworks like Xposed or Frida can be used to hook into application methods at runtime. For fingerprint authentication, these frameworks can: 1. **Mock the Authentication Callbacks**: By hooking into the `onAuthenticationSucceeded`, `onAuthenticationFailed`, or `onAuthenticationError` methods of the `BiometricPrompt.AuthenticationCallback`, you can control the outcome of the fingerprint authentication process. 2. **Bypass SSL Pinning**: This allows an attacker to intercept and modify the traffic between the client and the server, potentially altering the authentication process or stealing sensitive data. Example command for Frida: ```bash frida -U -l script-to-bypass-authentication.js --no-pause -f com.generic.in ``` ## **Method 4 – Reverse Engineering & Code Modification** Reverse engineering tools like `APKTool`, `dex2jar`, and `JD-GUI` can be used to decompile an Android application, read its source code, and understand its authentication mechanism. The steps generally include: 1. **Decompiling the APK**: Convert the APK file to a more human-readable format (like Java code). 2. **Analyzing the Code**: Look for the implementation of fingerprint authentication and identify potential weaknesses (like fallback mechanisms or improper validation checks). 3. **Recompiling the APK**: After modifying the code to bypass fingerprint authentication, the application is recompiled, signed, and installed on the device for testing. ## **Method 5 – Using Custom Authentication Tools** There are specialized tools and scripts designed to test and bypass authentication mechanisms. For instance: 1. **MAGISK Modules**: MAGISK is a tool for Android that allows users to root their devices and add modules that can modify or spoof hardware-level information, including fingerprints. 2. **Custom-built Scripts**: Scripts can be written to interact with the Android Debug Bridge (ADB) or directly with the application's backend to simulate or bypass fingerprint authentication. --- ## **Method 6 – Universal Frida Hook for `BiometricPrompt` (API 28-34)** In 2023 a community Frida script branded **Universal-Android-Biometric-Bypass** appeared on CodeShare. The script hooks every overload of `BiometricPrompt.authenticate()` as well as legacy `FingerprintManager.authenticate()` and directly triggers `onAuthenticationSucceeded()` with a **fabricated `AuthenticationResult` containing a null `CryptoObject`**. Because it adapts dynamically to API levels, it still works on Android 14 (API 34) if the target app performs **no cryptographic checks on the returned `CryptoObject`**. ```bash # Install the script from CodeShare and run it against the target package frida -U -f com.target.app --no-pause -l universal-android-biometric-bypass.js ``` Key ideas * Everything happens in user space – no kernel exploit or root is required. * The attack remains fully silent to the UI: the system biometric dialog never appears. * Mitigation: **always verify `result.cryptoObject` and its cipher/signature before unlocking sensitive features**. ## **Method 7 – Downgrade / Fallback Manipulation** Starting with Android 11, developers can specify which authenticators are acceptable via `setAllowedAuthenticators()` (or the older `setDeviceCredentialAllowed()`). A **runtime hooking** attack can force the `allowedAuthenticators` bit-field to the weaker `BIOMETRIC_WEAK | DEVICE_CREDENTIAL` value: ```javascript // Frida one-liner – replace strong-only policy with weak/device-credential var PromptInfoBuilder = Java.use('androidx.biometric.BiometricPrompt$PromptInfo$Builder'); PromptInfoBuilder.setAllowedAuthenticators.implementation = function(flags){ return this.setAllowedAuthenticators(0x0002 | 0x8000); // BIOMETRIC_WEAK | DEVICE_CREDENTIAL }; ``` If the app does **not** subsequently validate the returned `AuthenticationResult`, an attacker can simply press the _PIN/Pattern_ fallback button or even register a new weak biometric to gain access. ## **Method 8 – Vendor / Kernel-level CVEs** Keep an eye on Android security bulletins: several recent kernel-side bugs allow local privilege escalation through the fingerprint HAL and effectively **disable or short-circuit the sensor pipeline**. Examples include: * **CVE-2023-20995** – logic error in `captureImage` of `CustomizedSensor.cpp` (Pixel 8, Android 13) allowing unlock bypass without user interaction. * **CVE-2024-53835 / CVE-2024-53840** – “possible biometric bypass due to an unusual root cause” patched in the **December 2024 Pixel bulletin**. Although these vulnerabilities target the lock-screen, a rooted tester may chain them with app-level flaws to bypass in-app biometrics as well. --- ### Hardening Checklist for Developers (Quick Pentester Notes) * Enforce `setUserAuthenticationRequired(true)` and `setInvalidatedByBiometricEnrollment(true)` when generating **Keystore** keys. A valid biometric is then required before the key can be used. * Reject a `CryptoObject` with **null or unexpected cipher / signature**; treat this as a fatal authentication error. * When using `BiometricPrompt`, prefer `BIOMETRIC_STRONG` and **never fall back to `BIOMETRIC_WEAK` or `DEVICE_CREDENTIAL`** for high-risk actions. * Pin the latest `androidx.biometric` version (≥1.2.0-beta02) – recent releases add automatic null-cipher checks and tighten allowed authenticator combinations. ## References - [Universal Android Biometric Bypass – Frida CodeShare](https://codeshare.frida.re/@ax/universal-android-biometric-bypass/) - [Android Pixel Security Bulletin 2024-12-01](https://source.android.com/security/bulletin/pixel/2024-12-01) {{#include ../../banners/hacktricks-training.md}}