Skip to content

Bypass Biometric Authentication (Android) โ€‹

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Method 1 โ€“ Bypassing with No Crypto Object Usage โ€‹

The focus here is on the onAuthenticationSucceeded callback, which is crucial in the authentication process. Researchers at WithSecure developed a Frida script, enabling the bypass of the NULL CryptoObject in onAuthenticationSucceeded(...). The script forces an automatic bypass of the fingerprint authentication upon the method's invocation. Below is a simplified snippet demonstrating the bypass in an Android Fingerprint context, with the full application available on GitHub.

javascript
biometricPrompt = new BiometricPrompt(this, executor, new BiometricPrompt.AuthenticationCallback() {
            @Override
            public void onAuthenticationSucceeded(@NonNull BiometricPrompt.AuthenticationResult result) {
                Toast.makeText(MainActivity.this,"Success",Toast.LENGTH_LONG).show();
            }
});

Command to run the Frida script:

bash
frida -U -f com.generic.insecurebankingfingerprint --no-pause -l fingerprint-bypass.js

Method 2 โ€“ Exception Handling Approach โ€‹

Another Frida script by WithSecure addresses bypassing insecure crypto object usage. The script invokes onAuthenticationSucceeded with a CryptoObject that hasn't been authorized by a fingerprint. If the application tries to use a different cipher object, it will trigger an exception. The script prepares to invoke onAuthenticationSucceeded and handle the javax.crypto.IllegalBlockSizeException in the Cipher class, ensuring subsequent objects used by the application are encrypted with the new key.

Command to run the Frida script:

bash
frida -U -f com.generic.insecurebankingfingerprint --no-pause -l fingerprint-bypass-via-exception-handling.js

Upon reaching the fingerprint screen and the initiation of authenticate(), type `bypass()`` in the Frida console to activate the bypass:

Spawning com.generic.insecurebankingfingerprint...
[Android Emulator 5554::com.generic.insecurebankingfingerprint]-> Hooking BiometricPrompt.authenticate()...
Hooking BiometricPrompt.authenticate2()...
Hooking FingerprintManager.authenticate()...
[Android Emulator 5554::com.generic.insecurebankingfingerprint]-> bypass()

Method 3 โ€“ Instrumentation Frameworks โ€‹

Instrumentation frameworks like Xposed or Frida can be used to hook into application methods at runtime. For fingerprint authentication, these frameworks can:

  1. Mock the Authentication Callbacks: By hooking into the onAuthenticationSucceeded, onAuthenticationFailed, or onAuthenticationError methods of the BiometricPrompt.AuthenticationCallback, you can control the outcome of the fingerprint authentication process.
  2. Bypass SSL Pinning: This allows an attacker to intercept and modify the traffic between the client and the server, potentially altering the authentication process or stealing sensitive data.

Example command for Frida:

bash
frida -U -l script-to-bypass-authentication.js --no-pause -f com.generic.in

Method 4 โ€“ Reverse Engineering & Code Modification โ€‹

Reverse engineering tools like APKTool, dex2jar, and JD-GUI can be used to decompile an Android application, read its source code, and understand its authentication mechanism. The steps generally include:

  1. Decompiling the APK: Convert the APK file to a more human-readable format (like Java code).
  2. Analyzing the Code: Look for the implementation of fingerprint authentication and identify potential weaknesses (like fallback mechanisms or improper validation checks).
  3. Recompiling the APK: After modifying the code to bypass fingerprint authentication, the application is recompiled, signed, and installed on the device for testing.

Method 5 โ€“ Using Custom Authentication Tools โ€‹

There are specialized tools and scripts designed to test and bypass authentication mechanisms. For instance:

  1. MAGISK Modules: MAGISK is a tool for Android that allows users to root their devices and add modules that can modify or spoof hardware-level information, including fingerprints.
  2. Custom-built Scripts: Scripts can be written to interact with the Android Debug Bridge (ADB) or directly with the application's backend to simulate or bypass fingerprint authentication.

References โ€‹

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!