mollyim / mollyim-android

Enhanced and security-focused fork of Signal.
GNU Affero General Public License v3.0

Fingerprint unlock can be bypassed #110

Closed ghost closed 2 years ago

ghost commented 2 years ago

Is there an existing issue for this?

Bug description

The screen lock option can be bypassed on a Samsung device if it gets 5 wrong fingerprint matches. If I try to unlock the app with a different finger 5 times, after getting a timeout I reopen the app, I get access to all the messages and the screen lock setting is turned off.

Steps to reproduce

  1. Turn on screen lock by verifying fingerprint
  2. Get a challenge by locking the screen etc.
  3. Make 5 wrong entries
  4. After being denied either tap Cancel, or wait for the app to close itself and throw me back to the homepage
  5. Open the app again
  6. All the messages are accessible and the screen security setting is turned off

Molly version

v5.37.4-1-FOSS

Android version

Android 12 (OneUI 4.1)

Device

Galaxy A52s 5G

Link to debug log

No response

valldrac commented 2 years ago

Thank you for the report.

Could you provide the debug log please? In the Settings > Help menu, you have the option to share the debug log. The log is redacted from personal information so the link can be posted here. Alternatively you can send it to support@molly.im

clauz9 commented 2 years ago

@Etim-Orb I can't reproduce this on my device; it seems the issue might be device dependent. Do you mind adding a debug log, since you have an affected device?

ghost commented 2 years ago

I have sent an email to the address provided.

valldrac commented 2 years ago

This bug is caused by a logic error in the biometric support library (Google) or in the biometric vendor implementation (Samsung). In short, if the device has 2 authenticators and the user has enrolled in only one of them (face or fingerprint), when the enrolled one is temporarily unavailable (e.g. after 5 failed attempts), the system tells the app that none of them is enrolled. By design, Molly disables the lock if the user unenrolls from biometrics.

As a workaround, I have disabled "weak" authenticators in Molly to opt out from Samsung's face recognition. This fix is available in 5.39.3-1.
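The failure mode described above, written out as an added illustration (this is not Molly's code; it assumes the app queries the AndroidX `androidx.biometric` `BiometricManager`, and the helper names are hypothetical). It contrasts the query that includes weak authenticators with the strong-only query from the fix, and keeps the lock in place for every status other than an explicit "none enrolled":

```kotlin
import android.content.Context
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_WEAK

// Hypothetical helper (not Molly's code): how the app interprets what the
// biometric library reports before deciding to drop its own screen lock.
enum class BiometricState { USABLE, NOT_ENROLLED, TEMPORARILY_UNAVAILABLE, UNSUPPORTED }

fun classify(status: Int): BiometricState = when (status) {
    BiometricManager.BIOMETRIC_SUCCESS -> BiometricState.USABLE
    BiometricManager.BIOMETRIC_ERROR_NONE_ENROLLED -> BiometricState.NOT_ENROLLED
    // Transient conditions: the sensor exists but cannot be used right now,
    // so they must never be treated as "the user removed their biometrics".
    BiometricManager.BIOMETRIC_ERROR_HW_UNAVAILABLE,
    BiometricManager.BIOMETRIC_STATUS_UNKNOWN -> BiometricState.TEMPORARILY_UNAVAILABLE
    else -> BiometricState.UNSUPPORTED
}

// Pre-fix style query: strong OR weak authenticators. On the affected Samsung
// device the locked-out fingerprint plus the unenrolled face authenticator made
// this report NONE_ENROLLED, so the app believed the user had unenrolled.
fun statusWithWeakAuthenticators(ctx: Context): Int =
    BiometricManager.from(ctx).canAuthenticate(BIOMETRIC_STRONG or BIOMETRIC_WEAK)

// Post-fix style query (5.39.3-1 behaviour as described in the comment above):
// only strong authenticators are consulted, so the unenrolled "weak" face
// recognition no longer influences the answer.
fun statusStrongOnly(ctx: Context): Int =
    BiometricManager.from(ctx).canAuthenticate(BIOMETRIC_STRONG)

// The lock is dropped only on an explicit NOT_ENROLLED; every other
// non-success state keeps the lock (fail closed) and lets the biometric
// prompt surface the error to the user instead.
fun shouldDisableScreenLock(status: Int): Boolean =
    classify(status) == BiometricState.NOT_ENROLLED

fun reconcileScreenLock(ctx: Context, lockEnabled: Boolean): Boolean {
    if (!lockEnabled) return false
    return !shouldDisableScreenLock(statusStrongOnly(ctx))
}
```

The remaining risk, which this example cannot remove, is a library or vendor that reports NONE_ENROLLED for a temporary lockout even on the strong-only query; a defensive option is to re-query after the lockout window before acting on that status.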