hacktricks/mobile-pentesting/android-app-pentesting/bypass-biometric-authentication-android.md
Miłosz Gaczkowski 2a30e960b5 Replace references to F-Secure LABS with WithSecure Labs
F-Secure split into 2 companies in early 2022. For a while, all links to labs.f-secure.com redirected to labs.withsecure.com, but this is no longer the case - leaving some links on HackTricks broken. This commit replaces all outdated links with their current locations.
2023-12-04 13:43:41 -05:00


Bypass Biometric Authentication (Android)

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

These methods were copied from https://securitycafe.ro/2022/09/05/mobile-pentesting-101-bypassing-biometric-authentication/

Method 1: When the crypto object is not used

The authentication implementation relies only on the callback onAuthenticationSucceeded being called. The researchers from WithSecure developed a Frida script that can be used to bypass the NULL CryptoObject in onAuthenticationSucceeded(…). The script will automatically bypass the fingerprint when the aforementioned method is called. Here is a short example that shows the bypass for the Android Fingerprint. The complete application can be downloaded from my GitHub.

biometricPrompt = new BiometricPrompt(this, executor, new BiometricPrompt.AuthenticationCallback() {
    @Override
    public void onAuthenticationSucceeded(@NonNull BiometricPrompt.AuthenticationResult result) {
        Toast.makeText(MainActivity.this, "Success", Toast.LENGTH_LONG).show();
    }
});

frida -U -f com.st3v3nss.insecurebankingfingerprint --no-pause -l fingerprint-bypass.js

Method 2: Exception Handling

This Frida script developed by WithSecure can be used to bypass the insecure usage of the crypto object. All the script needs to do is manually call onAuthenticationSucceeded with a non-authorized (not unlocked by fingerprint) CryptoObject stored in the Keystore. The catch is that if the application attempts to use another cipher object, an exception will be thrown. The script will attempt to call onAuthenticationSucceeded and catch the exception javax.crypto.IllegalBlockSizeException in the Cipher class. From now on, any objects the application uses will be encrypted using this new key.

frida -U -f com.st3v3nss.insecurebankingfingerprint --no-pause -l fingerprint-bypass-via-exception-handling.js

Now, go to the fingerprint screen and wait for the authenticate() to be called. Once you see that on the screen, go ahead and type bypass() in the Frida console:

Spawning `com.st3v3nss.insecurebankingfingerprint`...                   
[Android Emulator 5554::com.st3v3nss.insecurebankingfingerprint ]-> Hooking BiometricPrompt.authenticate()...
Hooking BiometricPrompt.authenticate2()...
Hooking FingerprintManager.authenticate()...
[Android Emulator 5554::com.st3v3nss.insecurebankingfingerprint ]-> bypass()
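
For contrast with the callbacks targeted by Method 1 and Method 2, here is an added example (not from the original page, the sample application, or WithSecure's scripts) of a callback whose outcome depends on decrypting a stored secret with a biometric-bound Keystore key, and which fails closed on any crypto error. The class name SecureLogin, the alias KEY_ALIAS and the stored iv/ciphertext pair are assumptions made for illustration.

```java
// Added example: SecureLogin, KEY_ALIAS, iv and ciphertext are hypothetical names.
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import androidx.annotation.NonNull;
import androidx.biometric.BiometricPrompt;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

final class SecureLogin extends BiometricPrompt.AuthenticationCallback {
    static final String KEY_ALIAS = "biometric_session_key"; // assumed alias
    private final byte[] iv, ciphertext; // secret encrypted with the key at enrollment
    byte[] sessionSecret;                // stays null unless decryption succeeds
    SecureLogin(byte[] iv, byte[] ciphertext) { this.iv = iv; this.ciphertext = ciphertext; }

    // Run once at enrollment: every use of the key needs a fresh biometric match.
    static void createKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setUserAuthenticationRequired(true)
                .setInvalidatedByBiometricEnrollment(true).build());
        kg.generateKey();
    }

    // Pass the returned object to BiometricPrompt.authenticate(promptInfo, cryptoObject).
    BiometricPrompt.CryptoObject cryptoObject() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, (SecretKey) ks.getKey(KEY_ALIAS, null),
                new GCMParameterSpec(128, iv));
        return new BiometricPrompt.CryptoObject(cipher);
    }

    @Override
    public void onAuthenticationSucceeded(@NonNull BiometricPrompt.AuthenticationResult result) {
        BiometricPrompt.CryptoObject co = result.getCryptoObject();
        try {
            if (co == null || co.getCipher() == null) throw new SecurityException("no CryptoObject");
            sessionSecret = co.getCipher().doFinal(ciphertext); // throws if the key was not unlocked
        } catch (Exception e) {
            sessionSecret = null; // fail closed: a crypto error is never treated as a login
        }
    }
}
```

The caller should proceed only when sessionSecret is non-null and should use that value for the rest of the session (for example as the credential sent to the backend), so that invoking the callback directly yields nothing usable.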