
Android implementation allows bypassing the security

Open rodirigos opened this issue 2 years ago • 7 comments

Hi everyone. This implementation of the biometric authentication is not 100% accurate. It allows users to bypass the security since it does not implement the Android secret and cipher. The script can be found here: https://codeshare.frida.re/@Saket-taneja/biometricauthenticationbypassnullcryptoobject/

Steps to reproduce

  1. Install Frida and use the script above when the biometric dialog is prompted.

Expected behavior

The authentication should fail after the script. It should have some crypto object, at least for Android devices. It does not contain the cipher to ensure the CryptoObject is decrypted.

Actual behavior

It allows bypassing the fingerprint verification

Configuration

Version of the Plugin: 2.1.5

Platform: Android

Device: Any

rodirigos avatar Jun 09 '22 13:06 rodirigos

Hi @rodirigos,

I'm the friendly issue checker. Thanks for using the issue template :star2: I appreciate it very much. I'm sure, the maintainers of this repository will answer, soon.

smsissuechecker avatar Jun 09 '22 13:06 smsissuechecker

Hi, could you or somebody check if this implementation prevents the bypass? https://github.com/DarkIrata/xamarin-fingerprint/tree/android-cryptoobject I added the CryptoObject to the authentication and cipher validation. Currently I don't have any devices I could install Frida on, and I have problems with the Android Emulator.

If it fixes the problem, I will create a pull request.

DarkIrata avatar Aug 12 '22 20:08 DarkIrata
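
The binding the issue asks for, sketched as an added example: it is not code from this thread, the plugin, or the linked branch. It assumes Xamarin.Android with the AndroidX.Biometric binding; the key alias and class names are hypothetical.

```csharp
// Added example, not the plugin's code. Alias and class names are hypothetical.
using Android.Security.Keystore;
using AndroidX.Biometric;
using Java.Security;
using Javax.Crypto;

public static class BoundKey
{
    const string Alias = "biometric_bound_key"; // hypothetical alias
    // Cipher backed by an Android Keystore key that stays locked until the user authenticates.
    public static Cipher CreateCipher()
    {
        var keyStore = KeyStore.GetInstance("AndroidKeyStore");
        keyStore.Load(null);
        if (!keyStore.ContainsAlias(Alias))
        {
            var spec = new KeyGenParameterSpec.Builder(Alias, KeyStorePurpose.Encrypt | KeyStorePurpose.Decrypt)
                .SetBlockModes(KeyProperties.BlockModeCbc)
                .SetEncryptionPaddings(KeyProperties.EncryptionPaddingPkcs7)
                .SetUserAuthenticationRequired(true) // every use needs a fresh authentication
                .Build();
            var generator = KeyGenerator.GetInstance(KeyProperties.KeyAlgorithmAes, "AndroidKeyStore");
            generator.Init(spec);
            generator.GenerateKey();
        }
        var cipher = Cipher.GetInstance("AES/CBC/PKCS7Padding");
        cipher.Init(CipherMode.EncryptMode, keyStore.GetKey(Alias, null));
        return cipher;
    }
}

public class BoundCallback : BiometricPrompt.AuthenticationCallback
{
    public bool Verified { get; private set; }
    public override void OnAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result)
    {
        try
        {
            // The Keystore refuses DoFinal unless a real authentication unlocked the key,
            // so a success callback that arrives with a null CryptoObject is rejected here.
            var cipher = result.CryptoObject?.Cipher;
            Verified = cipher != null && cipher.DoFinal(new byte[] { 1 }) != null;
        }
        catch (GeneralSecurityException) { Verified = false; }
    }
}
```

Pass `new BiometricPrompt.CryptoObject(BoundKey.CreateCipher())` to `Authenticate` together with the callback. The check carries more weight when the cipher output is something the app needs, such as a decrypted token, rather than only a boolean.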

Any update on this?

jvillaro avatar Oct 19 '23 03:10 jvillaro

Didn't hear anything back

DarkIrata avatar Oct 22 '23 20:10 DarkIrata

@DarkIrata thanks for your response, I saw that you made a fix but it hasn't been merged, right?

jvillaro avatar Oct 23 '23 13:10 jvillaro

Right, not merged yet. I just compiled it myself and use it like that for now.

DarkIrata avatar Oct 23 '23 14:10 DarkIrata