maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/mobile-pentesting/android-app-pentesting/bypass-biometric-authentication-android.md

129 lines
8.2 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Bypass Biometric Authentication (Android)
{{#include ../../banners/hacktricks-training.md}}
## **Method 1 Bypassing with No Crypto Object Usage**
The focus here is on the _onAuthenticationSucceeded_ callback, which is crucial in the authentication process. Researchers at WithSecure developed a [Frida script](https://github.com/WithSecureLABS/android-keystore-audit/blob/master/frida-scripts/fingerprint-bypass.js), enabling the bypass of the NULL _CryptoObject_ in _onAuthenticationSucceeded(...)_. The script forces an automatic bypass of the fingerprint authentication upon the method's invocation. Below is a simplified snippet demonstrating the bypass in an Android Fingerprint context, with the full application available on [GitHub](https://github.com/St3v3nsS/InsecureBanking).
```javascript
biometricPrompt = new BiometricPrompt(this, executor, new BiometricPrompt.AuthenticationCallback() {
@Override
public void onAuthenticationSucceeded(@NonNull BiometricPrompt.AuthenticationResult result) {
Toast.makeText(MainActivity.this,"Success",Toast.LENGTH_LONG).show();
}
});
```
Command to run the Frida script:
```bash
frida -U -f com.generic.insecurebankingfingerprint --no-pause -l fingerprint-bypass.js
```
## **Method 2 Exception Handling Approach**
Another [Frida script](https://github.com/WithSecureLABS/android-keystore-audit/blob/master/frida-scripts/fingerprint-bypass-via-exception-handling.js) by WithSecure addresses bypassing insecure crypto object usage. The script invokes _onAuthenticationSucceeded_ with a _CryptoObject_ that hasn't been authorized by a fingerprint. If the application tries to use a different cipher object, it will trigger an exception. The script prepares to invoke _onAuthenticationSucceeded_ and handle the _javax.crypto.IllegalBlockSizeException_ in the _Cipher_ class, ensuring subsequent objects used by the application are encrypted with the new key.
Command to run the Frida script:
```bash
frida -U -f com.generic.insecurebankingfingerprint --no-pause -l fingerprint-bypass-via-exception-handling.js
```
Upon reaching the fingerprint screen and the initiation of `authenticate()`, type `bypass()` in the Frida console to activate the bypass:
```
Spawning com.generic.insecurebankingfingerprint...
[Android Emulator 5554::com.generic.insecurebankingfingerprint]-> Hooking BiometricPrompt.authenticate()...
Hooking BiometricPrompt.authenticate2()...
Hooking FingerprintManager.authenticate()...
[Android Emulator 5554::com.generic.insecurebankingfingerprint]-> bypass()
```
## **Method 3 Instrumentation Frameworks**
Instrumentation frameworks like Xposed or Frida can be used to hook into application methods at runtime. For fingerprint authentication, these frameworks can:
1. **Mock the Authentication Callbacks**: By hooking into the `onAuthenticationSucceeded`, `onAuthenticationFailed`, or `onAuthenticationError` methods of the `BiometricPrompt.AuthenticationCallback`, you can control the outcome of the fingerprint authentication process.
2. **Bypass SSL Pinning**: This allows an attacker to intercept and modify the traffic between the client and the server, potentially altering the authentication process or stealing sensitive data.
Example command for Frida:
```bash
frida -U -l script-to-bypass-authentication.js --no-pause -f com.generic.in
```
## **Method 4 Reverse Engineering & Code Modification**
Reverse engineering tools like `APKTool`, `dex2jar`, and `JD-GUI` can be used to decompile an Android application, read its source code, and understand its authentication mechanism. The steps generally include:
1. **Decompiling the APK**: Convert the APK file to a more human-readable format (like Java code).
2. **Analyzing the Code**: Look for the implementation of fingerprint authentication and identify potential weaknesses (like fallback mechanisms or improper validation checks).
3. **Recompiling the APK**: After modifying the code to bypass fingerprint authentication, the application is recompiled, signed, and installed on the device for testing.
## **Method 5 Using Custom Authentication Tools**
There are specialized tools and scripts designed to test and bypass authentication mechanisms. For instance:
1. **MAGISK Modules**: MAGISK is a tool for Android that allows users to root their devices and add modules that can modify or spoof hardware-level information, including fingerprints.
2. **Custom-built Scripts**: Scripts can be written to interact with the Android Debug Bridge (ADB) or directly with the application's backend to simulate or bypass fingerprint authentication.
---
## **Method 6 Universal Frida Hook for `BiometricPrompt` (API 28-34)**
In 2023 a community Frida script branded **Universal-Android-Biometric-Bypass** appeared on CodeShare. The script hooks every overload of `BiometricPrompt.authenticate()` as well as legacy `FingerprintManager.authenticate()` and directly triggers `onAuthenticationSucceeded()` with a **fabricated `AuthenticationResult` containing a null `CryptoObject`**. Because it adapts dynamically to API levels, it still works on Android 14 (API 34) if the target app performs **no cryptographic checks on the returned `CryptoObject`**.
```bash
# Install the script from CodeShare and run it against the target package
frida -U -f com.target.app --no-pause -l universal-android-biometric-bypass.js
```
Key ideas
* Everything happens in user space no kernel exploit or root is required.
* The attack remains fully silent to the UI: the system biometric dialog never appears.
* Mitigation: **always verify `result.cryptoObject` and its cipher/signature before unlocking sensitive features**.
## **Method 7 Downgrade / Fallback Manipulation**
Starting with Android 11, developers can specify which authenticators are acceptable via `setAllowedAuthenticators()` (or the older `setDeviceCredentialAllowed()`). A **runtime hooking** attack can force the `allowedAuthenticators` bit-field to the weaker
`BIOMETRIC_WEAK | DEVICE_CREDENTIAL` value:
```javascript
// Frida one-liner replace strong-only policy with weak/device-credential
var PromptInfoBuilder = Java.use('androidx.biometric.BiometricPrompt$PromptInfo$Builder');
PromptInfoBuilder.setAllowedAuthenticators.implementation = function(flags){
return this.setAllowedAuthenticators(0x0002 | 0x8000); // BIOMETRIC_WEAK | DEVICE_CREDENTIAL
};
```
If the app does **not** subsequently validate the returned `AuthenticationResult`, an attacker can simply press the _PIN/Pattern_ fallback button or even register a new weak biometric to gain access.
## **Method 8 Vendor / Kernel-level CVEs**
Keep an eye on Android security bulletins: several recent kernel-side bugs allow local privilege escalation through the fingerprint HAL and effectively **disable or short-circuit the sensor pipeline**. Examples include:
* **CVE-2023-20995** logic error in `captureImage` of `CustomizedSensor.cpp` (Pixel 8, Android 13) allowing unlock bypass without user interaction.
* **CVE-2024-53835 / CVE-2024-53840** “possible biometric bypass due to an unusual root cause” patched in the **December 2024 Pixel bulletin**.
Although these vulnerabilities target the lock-screen, a rooted tester may chain them with app-level flaws to bypass in-app biometrics as well.
---
### Hardening Checklist for Developers (Quick Pentester Notes)
* Enforce `setUserAuthenticationRequired(true)` and `setInvalidatedByBiometricEnrollment(true)` when generating **Keystore** keys. A valid biometric is then required before the key can be used.
* Reject a `CryptoObject` with **null or unexpected cipher / signature**; treat this as a fatal authentication error.
* When using `BiometricPrompt`, prefer `BIOMETRIC_STRONG` and **never fall back to `BIOMETRIC_WEAK` or `DEVICE_CREDENTIAL`** for high-risk actions.
* Pin the latest `androidx.biometric` version (≥1.2.0-beta02) recent releases add automatic null-cipher checks and tighten allowed authenticator combinations.
## References
- [Universal Android Biometric Bypass Frida CodeShare](https://codeshare.frida.re/@ax/universal-android-biometric-bypass/)
- [Android Pixel Security Bulletin 2024-12-01](https://source.android.com/security/bulletin/pixel/2024-12-01)
{{#include ../../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink