Bypass Biometric Authentication (Android)

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
Discover The PEASS Family, our collection of exclusive NFTs
Get the official PEASS & HackTricks swag
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.

Method 1 – Bypassing with No Crypto Object Usage

The focus here is on the onAuthenticationSucceeded callback, which is crucial in the authentication process. Researchers at WithSecure developed a Frida script, enabling the bypass of the NULL CryptoObject in onAuthenticationSucceeded(...). The script forces an automatic bypass of the fingerprint authentication upon the method's invocation. Below is a simplified snippet demonstrating the bypass in an Android Fingerprint context, with the full application available on GitHub.

javascript

biometricPrompt = new BiometricPrompt(this, executor, new BiometricPrompt.AuthenticationCallback() {
            @Override
            public void onAuthenticationSucceeded(@NonNull BiometricPrompt.AuthenticationResult result) {
                Toast.makeText(MainActivity.this,"Success",Toast.LENGTH_LONG).show();
            }
});

Command to run the Frida script:

bash

frida -U -f com.generic.insecurebankingfingerprint --no-pause -l fingerprint-bypass.js

Method 2 – Exception Handling Approach

Another Frida script by WithSecure addresses bypassing insecure crypto object usage. The script invokes onAuthenticationSucceeded with a CryptoObject that hasn't been authorized by a fingerprint. If the application tries to use a different cipher object, it will trigger an exception. The script prepares to invoke onAuthenticationSucceeded and handle the javax.crypto.IllegalBlockSizeException in the Cipher class, ensuring subsequent objects used by the application are encrypted with the new key.

Command to run the Frida script:

bash

frida -U -f com.generic.insecurebankingfingerprint --no-pause -l fingerprint-bypass-via-exception-handling.js

Upon reaching the fingerprint screen and the initiation of authenticate(), type `bypass()`` in the Frida console to activate the bypass:

Spawning com.generic.insecurebankingfingerprint...
[Android Emulator 5554::com.generic.insecurebankingfingerprint]-> Hooking BiometricPrompt.authenticate()...
Hooking BiometricPrompt.authenticate2()...
Hooking FingerprintManager.authenticate()...
[Android Emulator 5554::com.generic.insecurebankingfingerprint]-> bypass()

Method 3 – Instrumentation Frameworks

Instrumentation frameworks like Xposed or Frida can be used to hook into application methods at runtime. For fingerprint authentication, these frameworks can:

Mock the Authentication Callbacks: By hooking into the onAuthenticationSucceeded, onAuthenticationFailed, or onAuthenticationError methods of the BiometricPrompt.AuthenticationCallback, you can control the outcome of the fingerprint authentication process.
Bypass SSL Pinning: This allows an attacker to intercept and modify the traffic between the client and the server, potentially altering the authentication process or stealing sensitive data.

Example command for Frida:

bash

frida -U -l script-to-bypass-authentication.js --no-pause -f com.generic.in

Method 4 – Reverse Engineering & Code Modification

Reverse engineering tools like APKTool, dex2jar, and JD-GUI can be used to decompile an Android application, read its source code, and understand its authentication mechanism. The steps generally include:

Decompiling the APK: Convert the APK file to a more human-readable format (like Java code).
Analyzing the Code: Look for the implementation of fingerprint authentication and identify potential weaknesses (like fallback mechanisms or improper validation checks).
Recompiling the APK: After modifying the code to bypass fingerprint authentication, the application is recompiled, signed, and installed on the device for testing.

Method 5 – Using Custom Authentication Tools

There are specialized tools and scripts designed to test and bypass authentication mechanisms. For instance:

MAGISK Modules: MAGISK is a tool for Android that allows users to root their devices and add modules that can modify or spoof hardware-level information, including fingerprints.
Custom-built Scripts: Scripts can be written to interact with the Android Debug Bridge (ADB) or directly with the application's backend to simulate or bypass fingerprint authentication.

References

https://securitycafe.ro/2022/09/05/mobile-pentesting-101-bypassing-biometric-authentication/

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
Discover The PEASS Family, our collection of exclusive NFTs
Get the official PEASS & HackTricks swag
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.

External Recon Methodology

Pentesting Network

Pentesting Wifi

Phishing Methodology

Basic Forensic Methodology

Memory dump analysis

Partitions/File Systems/Carving

Pcap Inspection

Specific Software/File-Type Tricks

Windows Artifacts

Python Sandbox Escape & Pyscript

Bypass Python sandboxes

Shells (Linux, Windows, MSFVenom)

Linux Privilege Escalation

Docker Security

Docker Breakout / Privilege Escalation

Namespaces

Interesting Groups - Linux Privesc

Bypass Linux Restrictions

Bypass FS protections: read-only / no-exec / Distroless

Linux Post-Exploitation

macOS Security & Privilege Escalation

macOS Apps - Inspecting, debugging and Fuzzing

macOS Kernel & System Extensions

macOS Files, Folders, Binaries & Memory

macOS Process Abuse

macOS IPC - Inter Process Communication

macOS Library Injection

macOS Security Protections

macOS Sandbox

macOS TCC

macOS FS Tricks

macOS Red Teaming

macOS MDM

Windows Local Privilege Escalation

Dll Hijacking

Active Directory Methodology

Abusing Active Directory ACLs/ACEs

AD Certificates

Windows Security Controls

NTLM

Lateral Movement

Stealing Windows Credentials

Basic PowerShell for Pentesters

Android Applications Pentesting

Drozer Tutorial

Frida Tutorial

iOS Pentesting

Pentesting VoIP

Basic VoIP Protocols

21 - Pentesting FTP

25,465,587 - Pentesting SMTP/s

80,443 - Pentesting Web Methodology

Buckets

Drupal

Electron Desktop Apps

PHP Tricks

PHP - Useful Functions & disable_functions/open_basedir bypass

Tomcat

88tcp/udp - Pentesting Kerberos

139,445 - Pentesting SMB

161,162,10161,10162/udp - Pentesting SNMP

1433 - Pentesting MSSQL - Microsoft SQL Server

11211 - Pentesting Memcache

Reflecting Techniques - PoCs and Polygloths CheatSheet

Browser Extension Pentesting Methodology

Cache Poisoning and Cache Deception

Content Security Policy (CSP) Bypass

Cookies Hacking

Dangling Markup - HTML scriptless injection

Deserialization

NodeJS - __proto__ & prototype Pollution

File Inclusion/Path traversal

File Upload

HTTP Request Smuggling / HTTP Desync Attack

Login Bypass

PostMessage Vulnerabilities

SAML Attacks

SQL Injection

MySQL injection

NodeJS - proto & prototype Pollution

Bypass Biometric Authentication (Android)

Method 1 – Bypassing with No Crypto Object Usage

Method 2 – Exception Handling Approach

Method 3 – Instrumentation Frameworks

Method 4 – Reverse Engineering & Code Modification

Method 5 – Using Custom Authentication Tools

References