Skip to content

Research Update Enhanced src/mobile-pentesting/android-app-p... #1190

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Jul 28, 2025
+51 βˆ’4
Merged

Research Update Enhanced src/mobile-pentesting/android-app-p... #1190

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
55 changes: 51 additions & 4 deletions ...le-pentesting/android-app-pentesting/bypass-biometric-authentication-android.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ Command to run the Frida script:
frida -U -f com.generic.insecurebankingfingerprint --no-pause -l fingerprint-bypass-via-exception-handling.js
```

Upon reaching the fingerprint screen and the initiation of `authenticate()`, type `bypass()`` in the Frida console to activate the bypass:
Upon reaching the fingerprint screen and the initiation of `authenticate()`, type `bypass()` in the Frida console to activate the bypass:

```
Spawning com.generic.insecurebankingfingerprint...
Expand Down Expand Up @@ -70,12 +70,59 @@ There are specialized tools and scripts designed to test and bypass authenticati
1. **MAGISK Modules**: MAGISK is a tool for Android that allows users to root their devices and add modules that can modify or spoof hardware-level information, including fingerprints.
2. **Custom-built Scripts**: Scripts can be written to interact with the Android Debug Bridge (ADB) or directly with the application's backend to simulate or bypass fingerprint authentication.

## References
---

- [https://securitycafe.ro/2022/09/05/mobile-pentesting-101-bypassing-biometric-authentication/](https://securitycafe.ro/2022/09/05/mobile-pentesting-101-bypassing-biometric-authentication/)
## **Method 6 – Universal Frida Hook for `BiometricPrompt` (API 28-34)**

In 2023 a community Frida script branded **Universal-Android-Biometric-Bypass** appeared on CodeShare. The script hooks every overload of `BiometricPrompt.authenticate()` as well as legacy `FingerprintManager.authenticate()` and directly triggers `onAuthenticationSucceeded()` with a **fabricated `AuthenticationResult` containing a null `CryptoObject`**. Because it adapts dynamically to API levels, it still works on Android 14 (API 34) if the target app performs **no cryptographic checks on the returned `CryptoObject`**.

{{#include ../../banners/hacktricks-training.md}}
```bash
# Install the script from CodeShare and run it against the target package
frida -U -f com.target.app --no-pause -l universal-android-biometric-bypass.js
```

Key ideas
* Everything happens in user space – no kernel exploit or root is required.
* The attack remains fully silent to the UI: the system biometric dialog never appears.
* Mitigation: **always verify `result.cryptoObject` and its cipher/signature before unlocking sensitive features**.

## **Method 7 – Downgrade / Fallback Manipulation**

Starting with Android 11, developers can specify which authenticators are acceptable via `setAllowedAuthenticators()` (or the older `setDeviceCredentialAllowed()`). A **runtime hooking** attack can force the `allowedAuthenticators` bit-field to the weaker
`BIOMETRIC_WEAK | DEVICE_CREDENTIAL` value:

```javascript
// Frida one-liner – replace strong-only policy with weak/device-credential
var PromptInfoBuilder = Java.use('androidx.biometric.BiometricPrompt$PromptInfo$Builder');
PromptInfoBuilder.setAllowedAuthenticators.implementation = function(flags){
return this.setAllowedAuthenticators(0x0002 | 0x8000); // BIOMETRIC_WEAK | DEVICE_CREDENTIAL
};
```

If the app does **not** subsequently validate the returned `AuthenticationResult`, an attacker can simply press the _PIN/Pattern_ fallback button or even register a new weak biometric to gain access.

## **Method 8 – Vendor / Kernel-level CVEs**

Keep an eye on Android security bulletins: several recent kernel-side bugs allow local privilege escalation through the fingerprint HAL and effectively **disable or short-circuit the sensor pipeline**. Examples include:

* **CVE-2023-20995** – logic error in `captureImage` of `CustomizedSensor.cpp` (Pixel 8, Android 13) allowing unlock bypass without user interaction.
* **CVE-2024-53835 / CVE-2024-53840** – β€œpossible biometric bypass due to an unusual root cause” patched in the **December 2024 Pixel bulletin**.

Although these vulnerabilities target the lock-screen, a rooted tester may chain them with app-level flaws to bypass in-app biometrics as well.

---

### Hardening Checklist for Developers (Quick Pentester Notes)

* Enforce `setUserAuthenticationRequired(true)` and `setInvalidatedByBiometricEnrollment(true)` when generating **Keystore** keys. A valid biometric is then required before the key can be used.
* Reject a `CryptoObject` with **null or unexpected cipher / signature**; treat this as a fatal authentication error.
* When using `BiometricPrompt`, prefer `BIOMETRIC_STRONG` and **never fall back to `BIOMETRIC_WEAK` or `DEVICE_CREDENTIAL`** for high-risk actions.
* Pin the latest `androidx.biometric` version (β‰₯1.2.0-beta02) – recent releases add automatic null-cipher checks and tighten allowed authenticator combinations.

## References

- [Universal Android Biometric Bypass – Frida CodeShare](https://codeshare.frida.re/@ax/universal-android-biometric-bypass/)
- [Android Pixel Security Bulletin 2024-12-01](https://source.android.com/security/bulletin/pixel/2024-12-01)


{{#include ../../banners/hacktricks-training.md}}