WithSecureLabs / android-keystore-audit


Patch for android 11 - fingerprint-bypass-via-exception-handling.js #14

Open krapgras opened 2 years ago

krapgras commented 2 years ago

Hello All,

I noticed that android 11 uses a different constructor for the BiometricPrompt$AuthenticationResult() function as you can find here: https://developer.android.com/reference/android/hardware/biometrics/BiometricPrompt.AuthenticationResult

Because of this the script will throw an error as it is expecting 2 arguments but gets 3.

Error: BiometricPrompt$AuthenticationResult(): argument types do not match any of:
    .overload('android.hardware.biometrics.BiometricPrompt$CryptoObject', 'int')
    at X (frida/node_modules/frida-java-bridge/lib/class-factory.js:563)
    at value (frida/node_modules/frida-java-bridge/lib/class-factory.js:966)
    at e (frida/node_modules/frida-java-bridge/lib/class-factory.js:547)
    at <anonymous> (/fingerprint-bypass-via-exception-handling.js:65)
    at apply (native)
    at ne (frida/node_modules/frida-java-bridge/lib/class-factory.js:613)
    at <anonymous> (frida/node_modules/frida-java-bridge/lib/class-factory.js:592)

Changing authenticationResultObj.$new(cryptoInst,null,0); to authenticationResultObj.$new(cryptoInst,0); And authenticationResultObj.$new(crypto,null,0); to authenticationResultObj.$new(crypto,0); respectively should fix the issue.

Made a quick fix and posted it on frida codeshare here:

https://codeshare.frida.re/@krapgras/android-biometric-bypass-update-android-11/

WarrDaddy commented 2 years ago

Nice work! I've just verified that the fix works on my end.

WarrDaddy commented 2 years ago

@krapgras

Can you check out this error as well?

Error: FingerprintManager$AuthenticationResult(): argument types do not match any of:
    .overload('android.hardware.fingerprint.FingerprintManager$CryptoObject', 'android.hardware.fingerprint.Fingerprint', 'int', 'boolean')
    at X (frida/node_modules/frida-java-bridge/lib/class-factory.js:563)
    at value (frida/node_modules/frida-java-bridge/lib/class-factory.js:966)
    at e (frida/node_modules/frida-java-bridge/lib/class-factory.js:547)
    at <anonymous> (/repl.js:184)
    at apply (native)
    at ne (frida/node_modules/frida-java-bridge/lib/class-factory.js:613)
    at <anonymous> (frida/node_modules/frida-java-bridge/lib/class-factory.js:592)

krapgras commented 2 years ago

What Android version are you running? It seems to be a similar error with the constructor.

I made a similar patch for Android 10, but that one was already referenced in the comments of the script itself. I'm not sure why it has this many versions of the constructor, but it seems they like changing it a lot.

https://codeshare.frida.re/@krapgras/android-biometric-bypass-update-android-10-pixel-3xl-emulator/

WarrDaddy commented 2 years ago

I'm running Android 11. Your original patch worked on one of the apps I'm reviewing, but now I'm testing it out on another app and received that error.

krapgras commented 2 years ago

OK, in that case I'm not sure. And it's hard to make a fix just based on the error without anything to test. Additionally, this script won't work on every implementation of biometrics, which is explained in the blog post regarding this script.

https://labs.f-secure.com/blog/how-secure-is-your-android-keystore-authentication/

Is it a public app?

CDuPlooy commented 2 years ago

Hi! I've run into this on a few different applications. I think a better approach would be to enumerate the overloads at runtime and pass in default values depending on the types. Does anyone have any thoughts on this? :)

krapgras commented 2 years ago

I mean, I'm sure there is an option to do that, but I must admit my Frida skills when it comes to actually making functions and such are fairly limited. But yes, this might need a proper fix as it will change over different Android versions.

ax commented 1 year ago

Hiya guys, check out https://github.com/ax/android-fingerprint-bypass. The code tries to resolve BiometricPrompt$AuthenticationResult constructor args at runtime. It should work with any Android version.

CDuPlooy commented 1 year ago

Lovely! Thank you so much

This would be nice to integrate not only into this repository, but also into objection. @ax, would you like to open a PR, or can I open one and attribute you?

ax commented 1 year ago

Hi @CDuPlooy, if you are willing to implement the Android biometric bypass for Objection, go for it, just cite the repo.

Note that for now my code updates just the first script of Mateusz (WithSecure post); their second script will attempt to call onAuthenticationSucceeded and catch javax.crypto.IllegalBlockSizeException exceptions in the Cipher class, which could be a better approach for a tool like Objection. But it won't be difficult to patch their second script in the same way I did for the first one.

krapgras commented 1 year ago

Been doing some tests and your patch works nicely. Even better than the one that was edited for my specific Android version :)

ax commented 1 year ago

> Been doing some tests and your patch works nicely. Even better than the one that was edited for my specific Android version :)

Put a little ⭐ on it! :)