diff --git a/src/mobile-pentesting/android-app-pentesting/bypass-biometric-authentication-android.md b/src/mobile-pentesting/android-app-pentesting/bypass-biometric-authentication-android.md index 97ec547f9c6..c43d86efe24 100644 --- a/src/mobile-pentesting/android-app-pentesting/bypass-biometric-authentication-android.md +++ b/src/mobile-pentesting/android-app-pentesting/bypass-biometric-authentication-android.md @@ -32,7 +32,7 @@ Command to run the Frida script: frida -U -f com.generic.insecurebankingfingerprint --no-pause -l fingerprint-bypass-via-exception-handling.js ``` -Upon reaching the fingerprint screen and the initiation of `authenticate()`, type `bypass()`` in the Frida console to activate the bypass: +Upon reaching the fingerprint screen and the initiation of `authenticate()`, type `bypass()` in the Frida console to activate the bypass: ``` Spawning com.generic.insecurebankingfingerprint... @@ -70,12 +70,59 @@ There are specialized tools and scripts designed to test and bypass authenticati 1. **MAGISK Modules**: MAGISK is a tool for Android that allows users to root their devices and add modules that can modify or spoof hardware-level information, including fingerprints. 2. **Custom-built Scripts**: Scripts can be written to interact with the Android Debug Bridge (ADB) or directly with the application's backend to simulate or bypass fingerprint authentication. -## References +--- -- [https://securitycafe.ro/2022/09/05/mobile-pentesting-101-bypassing-biometric-authentication/](https://securitycafe.ro/2022/09/05/mobile-pentesting-101-bypassing-biometric-authentication/) +## **Method 6 – Universal Frida Hook for `BiometricPrompt` (API 28-34)** +In 2023 a community Frida script branded **Universal-Android-Biometric-Bypass** appeared on CodeShare. The script hooks every overload of `BiometricPrompt.authenticate()` as well as legacy `FingerprintManager.authenticate()` and directly triggers `onAuthenticationSucceeded()` with a **fabricated `AuthenticationResult` containing a null `CryptoObject`**. Because it adapts dynamically to API levels, it still works on Android 14 (API 34) if the target app performs **no cryptographic checks on the returned `CryptoObject`**. -{{#include ../../banners/hacktricks-training.md}} +```bash +# Install the script from CodeShare and run it against the target package +frida -U -f com.target.app --no-pause -l universal-android-biometric-bypass.js +``` + +Key ideas +* Everything happens in user space – no kernel exploit or root is required. +* The attack remains fully silent to the UI: the system biometric dialog never appears. +* Mitigation: **always verify `result.cryptoObject` and its cipher/signature before unlocking sensitive features**. + +## **Method 7 – Downgrade / Fallback Manipulation** + +Starting with Android 11, developers can specify which authenticators are acceptable via `setAllowedAuthenticators()` (or the older `setDeviceCredentialAllowed()`). A **runtime hooking** attack can force the `allowedAuthenticators` bit-field to the weaker +`BIOMETRIC_WEAK | DEVICE_CREDENTIAL` value: + +```javascript +// Frida one-liner – replace strong-only policy with weak/device-credential +var PromptInfoBuilder = Java.use('androidx.biometric.BiometricPrompt$PromptInfo$Builder'); +PromptInfoBuilder.setAllowedAuthenticators.implementation = function(flags){ + return this.setAllowedAuthenticators(0x0002 | 0x8000); // BIOMETRIC_WEAK | DEVICE_CREDENTIAL +}; +``` + +If the app does **not** subsequently validate the returned `AuthenticationResult`, an attacker can simply press the _PIN/Pattern_ fallback button or even register a new weak biometric to gain access. +## **Method 8 – Vendor / Kernel-level CVEs** +Keep an eye on Android security bulletins: several recent kernel-side bugs allow local privilege escalation through the fingerprint HAL and effectively **disable or short-circuit the sensor pipeline**. Examples include: +* **CVE-2023-20995** – logic error in `captureImage` of `CustomizedSensor.cpp` (Pixel 8, Android 13) allowing unlock bypass without user interaction. +* **CVE-2024-53835 / CVE-2024-53840** – “possible biometric bypass due to an unusual root cause” patched in the **December 2024 Pixel bulletin**. + +Although these vulnerabilities target the lock-screen, a rooted tester may chain them with app-level flaws to bypass in-app biometrics as well. + +--- + +### Hardening Checklist for Developers (Quick Pentester Notes) + +* Enforce `setUserAuthenticationRequired(true)` and `setInvalidatedByBiometricEnrollment(true)` when generating **Keystore** keys. A valid biometric is then required before the key can be used. +* Reject a `CryptoObject` with **null or unexpected cipher / signature**; treat this as a fatal authentication error. +* When using `BiometricPrompt`, prefer `BIOMETRIC_STRONG` and **never fall back to `BIOMETRIC_WEAK` or `DEVICE_CREDENTIAL`** for high-risk actions. +* Pin the latest `androidx.biometric` version (≥1.2.0-beta02) – recent releases add automatic null-cipher checks and tighten allowed authenticator combinations. + +## References + +- [Universal Android Biometric Bypass – Frida CodeShare](https://codeshare.frida.re/@ax/universal-android-biometric-bypass/) +- [Android Pixel Security Bulletin 2024-12-01](https://source.android.com/security/bulletin/pixel/2024-12-01) + + +{{#include ../../banners/hacktricks-training.md}}