You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
@@ -70,12 +70,59 @@ There are specialized tools and scripts designed to test and bypass authenticati
70
70
1.**MAGISK Modules**: MAGISK is a tool for Android that allows users to root their devices and add modules that can modify or spoof hardware-level information, including fingerprints.
71
71
2.**Custom-built Scripts**: Scripts can be written to interact with the Android Debug Bridge (ADB) or directly with the application's backend to simulate or bypass fingerprint authentication.
In 2023 a community Frida script branded **Universal-Android-Biometric-Bypass** appeared on CodeShare. The script hooks every overload of `BiometricPrompt.authenticate()` as well as legacy `FingerprintManager.authenticate()` and directly triggers `onAuthenticationSucceeded()` with a **fabricated `AuthenticationResult` containing a null `CryptoObject`**. Because it adapts dynamically to API levels, it still works on Android 14 (API 34) if the target app performs **no cryptographic checks on the returned `CryptoObject`**.
77
78
78
-
{{#include ../../banners/hacktricks-training.md}}
79
+
```bash
80
+
# Install the script from CodeShare and run it against the target package
Starting with Android 11, developers can specify which authenticators are acceptable via `setAllowedAuthenticators()` (or the older `setDeviceCredentialAllowed()`). A **runtime hooking** attack can force the `allowedAuthenticators` bit-field to the weaker
92
+
`BIOMETRIC_WEAK | DEVICE_CREDENTIAL` value:
93
+
94
+
```javascript
95
+
// Frida one-liner – replace strong-only policy with weak/device-credential
96
+
var PromptInfoBuilder =Java.use('androidx.biometric.BiometricPrompt$PromptInfo$Builder');
If the app does **not** subsequently validate the returned `AuthenticationResult`, an attacker can simply press the _PIN/Pattern_ fallback button or even register a new weak biometric to gain access.
79
103
104
+
## **Method 8 – Vendor / Kernel-level CVEs**
80
105
106
+
Keep an eye on Android security bulletins: several recent kernel-side bugs allow local privilege escalation through the fingerprint HAL and effectively **disable or short-circuit the sensor pipeline**. Examples include:
81
107
108
+
***CVE-2023-20995** – logic error in `captureImage` of `CustomizedSensor.cpp` (Pixel 8, Android 13) allowing unlock bypass without user interaction.
109
+
***CVE-2024-53835 / CVE-2024-53840** – “possible biometric bypass due to an unusual root cause” patched in the **December 2024 Pixel bulletin**.
110
+
111
+
Although these vulnerabilities target the lock-screen, a rooted tester may chain them with app-level flaws to bypass in-app biometrics as well.
112
+
113
+
---
114
+
115
+
### Hardening Checklist for Developers (Quick Pentester Notes)
116
+
117
+
* Enforce `setUserAuthenticationRequired(true)` and `setInvalidatedByBiometricEnrollment(true)` when generating **Keystore** keys. A valid biometric is then required before the key can be used.
118
+
* Reject a `CryptoObject` with **null or unexpected cipher / signature**; treat this as a fatal authentication error.
119
+
* When using `BiometricPrompt`, prefer `BIOMETRIC_STRONG` and **never fall back to `BIOMETRIC_WEAK` or `DEVICE_CREDENTIAL`** for high-risk actions.
120
+
* Pin the latest `androidx.biometric` version (≥1.2.0-beta02) – recent releases add automatic null-cipher checks and tighten allowed authenticator combinations.
0 commit comments