Bypass Biometric Authentication (Android)

Method 1 – Bypassing with No Crypto Object Usage

The focus here is on the onAuthenticationSucceeded callback, which is crucial in the authentication process. Researchers at WithSecure developed a Frida script that enables bypassing a NULL CryptoObject in onAuthenticationSucceeded(...). The script forces an automatic bypass of the fingerprint authentication as soon as that method is invoked. Below is a simplified snippet demonstrating the bypass in an Android Fingerprint context, with the full application available on GitHub.

```java
// Vulnerable pattern: success is signalled without using any CryptoObject,
// so the result of the prompt is never tied to a key the biometric authorized.
biometricPrompt = new BiometricPrompt(this, executor, new BiometricPrompt.AuthenticationCallback() {
    @Override
    public void onAuthenticationSucceeded(@NonNull BiometricPrompt.AuthenticationResult result) {
        Toast.makeText(MainActivity.this, "Success", Toast.LENGTH_LONG).show();
    }
});
```

Command to run the Frida script:

```bash
frida -U -f com.generic.insecurebankingfingerprint --no-pause -l fingerprint-bypass.js
```

Method 2 – Exception Handling Approach

Another Frida script by WithSecure addresses bypassing insecure crypto object usage. The script invokes onAuthenticationSucceeded with a CryptoObject that hasn't been authorized by a fingerprint. If the application tries to use a different cipher object, it will trigger an exception. The script prepares to invoke onAuthenticationSucceeded and handle the javax.crypto.IllegalBlockSizeException in the Cipher class, ensuring subsequent objects used by the application are encrypted with the new key.

Command to run the Frida script:

```bash
frida -U -f com.generic.insecurebankingfingerprint --no-pause -l fingerprint-bypass-via-exception-handling.js
```

When you reach the fingerprint screen and authenticate() has been initiated, type bypass() in the Frida console to trigger the bypass:

```
Spawning com.generic.insecurebankingfingerprint...
[Android Emulator 5554::com.generic.insecurebankingfingerprint]-> Hooking BiometricPrompt.authenticate()...
Hooking BiometricPrompt.authenticate2()...
Hooking FingerprintManager.authenticate()...
[Android Emulator 5554::com.generic.insecurebankingfingerprint]-> bypass()
```
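
Both Method 1 and Method 2 work because the app either ignores the CryptoObject or uses a cipher the biometric never authorized. The following is an added defensive example, not WithSecure's script or the page's sample app: the secret is bound to an Android Keystore key that requires biometric authorization and is decrypted only with the cipher returned in the result, so a hooked onAuthenticationSucceeded carrying a NULL or unauthorized CryptoObject produces an exception instead of the secret. The key alias, the androidx.biometric dependency and API level 23+ are assumptions.

```java
// Added example, not the WithSecure script or the page's target app: secret usable only
// through a biometric-bound Keystore key. Assumed: androidx.biometric, API 23+,
// app stores IV + ciphertext; the key alias is a constructed placeholder.
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import androidx.biometric.BiometricPrompt;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
final class AuthBoundCrypto {
    private static final String ALIAS = "hypothetical_token_key";
    // AES key the Keystore refuses to use unless the operation is authorized by a
    // biometric; enrolling a new fingerprint permanently invalidates the key.
    static void generateKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
                .setUserAuthenticationRequired(true)
                .setInvalidatedByBiometricEnrollment(true)
                .build());
        kg.generateKey();
    }

    // Cipher to pass as prompt.authenticate(info, new BiometricPrompt.CryptoObject(c)).
    // init() opens a Keystore operation that only a real biometric can authorize.
    static Cipher decryptCipher(byte[] iv) throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        SecretKey key = (SecretKey) ks.getKey(ALIAS, null);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS7Padding");
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        return c;
    }

    // Call from onAuthenticationSucceeded; use only the cipher the system handed back,
    // never a cipher the app created elsewhere.
    static byte[] unlockToken(BiometricPrompt.AuthenticationResult result,
                              byte[] ciphertext) throws Exception {
        BiometricPrompt.CryptoObject co = result.getCryptoObject();
        if (co == null || co.getCipher() == null) {
            throw new SecurityException("no authenticated CryptoObject"); // Method 1 case
        }
        // An unauthorized operation fails here with IllegalBlockSizeException (Method 2 case)
        return co.getCipher().doFinal(ciphertext);
    }
}
```

With this layout the plaintext token never exists outside a successful, Keystore-authorized decryption, so forcing the callback alone gives the instrumented app nothing to show.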

Method 3 – Instrumentation Frameworks

Instrumentation frameworks such as Xposed or Frida can be used to hook into application methods at runtime. For fingerprint authentication, these frameworks can:

  1. Mock the Authentication Callbacks: By hooking into the onAuthenticationSucceeded, onAuthenticationFailed, or onAuthenticationError methods of the BiometricPrompt.AuthenticationCallback, you can control the outcome of the fingerprint authentication process.
  2. Bypass SSL Pinning: This allows an attacker to intercept and modify the traffic between the client and the server, potentially altering the authentication process or stealing sensitive data.

Example command for Frida:

```bash
frida -U -l script-to-bypass-authentication.js --no-pause -f com.generic.in
```

Method 4 – Reverse Engineering and Code Modification

Reverse engineering tools such as APKTool, dex2jar, and JD-GUI can be used to decompile an Android application, read its source code, and understand its authentication mechanism. The steps generally include:

  1. Decompiling the APK: Convert the APK file into a more human-readable format (such as Java code).
  2. Analyzing the Code: Look for the implementation of fingerprint authentication and identify potential weaknesses (such as fallback mechanisms or improper validation checks).
  3. Recompiling the APK: After modifying the code to bypass fingerprint authentication, the application is recompiled, signed, and installed on the device for testing.

Method 5 – Using Custom Authentication Tools

There are specialized tools and scripts designed to test and bypass authentication mechanisms. For instance:

  1. MAGISK Modules: MAGISK is a tool for Android that allows users to root their devices and add modules that can modify or spoof hardware-level information, including fingerprints.
  2. Custom-built Scripts: Scripts can be written to interact with the Android Debug Bridge (ADB) or directly with the application's backend to simulate or bypass fingerprint authentication.
