# Bypass Biometric Authentication (Android)


<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.

</details>

## **Method 1 – Bypassing with No Crypto Object Usage**

The focus here is on the *onAuthenticationSucceeded* callback, which is crucial in the authentication process. Researchers at WithSecure developed a [Frida script](https://github.com/WithSecureLABS/android-keystore-audit/blob/master/frida-scripts/fingerprint-bypass.js), enabling the bypass of the NULL *CryptoObject* in *onAuthenticationSucceeded(...)*. The script forces an automatic bypass of the fingerprint authentication upon the method's invocation. Below is a simplified snippet demonstrating the bypass in an Android Fingerprint context, with the full application available on [GitHub](https://github.com/St3v3nsS/InsecureBanking).

```javascript
biometricPrompt = new BiometricPrompt(this, executor, new BiometricPrompt.AuthenticationCallback() {
            @Override
            public void onAuthenticationSucceeded(@NonNull BiometricPrompt.AuthenticationResult result) {
                Toast.makeText(MainActivity.this,"Success",Toast.LENGTH_LONG).show();
            }
});
```

Command to run the Frida script:

```bash
frida -U -f com.generic.insecurebankingfingerprint --no-pause -l fingerprint-bypass.js
```


## **Method 2 – Exception Handling Approach**

Another [Frida script](https://github.com/WithSecureLABS/android-keystore-audit/blob/master/frida-scripts/fingerprint-bypass-via-exception-handling.js) by WithSecure addresses bypassing insecure crypto object usage. The script invokes *onAuthenticationSucceeded* with a *CryptoObject* that hasn't been authorized by a fingerprint. If the application tries to use a different cipher object, it will trigger an exception. The script prepares to invoke *onAuthenticationSucceeded* and handle the *javax.crypto.IllegalBlockSizeException* in the _Cipher_ class, ensuring subsequent objects used by the application are encrypted with the new key.

Command to run the Frida script:

```bash
frida -U -f com.generic.insecurebankingfingerprint --no-pause -l fingerprint-bypass-via-exception-handling.js
```

Upon reaching the fingerprint screen and the initiation of `authenticate()`, type `bypass()`` in the Frida console to activate the bypass:

```
Spawning com.generic.insecurebankingfingerprint...
[Android Emulator 5554::com.generic.insecurebankingfingerprint]-> Hooking BiometricPrompt.authenticate()...
Hooking BiometricPrompt.authenticate2()...
Hooking FingerprintManager.authenticate()...
[Android Emulator 5554::com.generic.insecurebankingfingerprint]-> bypass()
```

## **Method 3 – Instrumentation Frameworks**

Instrumentation frameworks like Xposed or Frida can be used to hook into application methods at runtime. For fingerprint authentication, these frameworks can:

1. **Mock the Authentication Callbacks**: By hooking into the `onAuthenticationSucceeded`, `onAuthenticationFailed`, or `onAuthenticationError` methods of the `BiometricPrompt.AuthenticationCallback`, you can control the outcome of the fingerprint authentication process.
2. **Bypass SSL Pinning**: This allows an attacker to intercept and modify the traffic between the client and the server, potentially altering the authentication process or stealing sensitive data.

Example command for Frida:

```bash
frida -U -l script-to-bypass-authentication.js --no-pause -f com.generic.in
```

## **Method 4 – Reverse Engineering & Code Modification**

Reverse engineering tools like `APKTool`, `dex2jar`, and `JD-GUI` can be used to decompile an Android application, read its source code, and understand its authentication mechanism. The steps generally include:

1. **Decompiling the APK**: Convert the APK file to a more human-readable format (like Java code).
2. **Analyzing the Code**: Look for the implementation of fingerprint authentication and identify potential weaknesses (like fallback mechanisms or improper validation checks).
3. **Recompiling the APK**: After modifying the code to bypass fingerprint authentication, the application is recompiled, signed, and installed on the device for testing.

## **Method 5 – Using Custom Authentication Tools**

There are specialized tools and scripts designed to test and bypass authentication mechanisms. For instance:

1. **MAGISK Modules**: MAGISK is a tool for Android that allows users to root their devices and add modules that can modify or spoof hardware-level information, including fingerprints.
2. **Custom-built Scripts**: Scripts can be written to interact with the Android Debug Bridge (ADB) or directly with the application's backend to simulate or bypass fingerprint authentication.

## References
* [https://securitycafe.ro/2022/09/05/mobile-pentesting-101-bypassing-biometric-authentication/](https://securitycafe.ro/2022/09/05/mobile-pentesting-101-bypassing-biometric-authentication/)

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.

</details>