android-keystore-audit

Patch for android 11 - fingerprint-bypass-via-exception-handling.js

Open krapgras opened this issue 3 years ago • 12 comments

Hello All,

I noticed that android 11 uses a different constructor for the BiometricPrompt$AuthenticationResult() function as you can find here: https://developer.android.com/reference/android/hardware/biometrics/BiometricPrompt.AuthenticationResult

Because of this the script will throw an error as it is expecting 2 arguments but gets 3.

Error: BiometricPrompt$AuthenticationResult(): argument types do not match any of:
	.overload('android.hardware.biometrics.BiometricPrompt$CryptoObject', 'int')
    at X (frida/node_modules/frida-java-bridge/lib/class-factory.js:563)
    at value (frida/node_modules/frida-java-bridge/lib/class-factory.js:966)
    at e (frida/node_modules/frida-java-bridge/lib/class-factory.js:547)
    at <anonymous> (/fingerprint-bypass-via-exception-handling.js:65)
    at apply (native)
    at ne (frida/node_modules/frida-java-bridge/lib/class-factory.js:613)
    at <anonymous> (frida/node_modules/frida-java-bridge/lib/class-factory.js:592)

Changing authenticationResultObj.$new(cryptoInst,null,0); to authenticationResultObj.$new(cryptoInst,0); And authenticationResultObj.$new(crypto,null,0); to authenticationResultObj.$new(crypto,0); respectively should fix the issue.

Made a quick fix and posted it on frida codeshare here:

https://codeshare.frida.re/@krapgras/android-biometric-bypass-update-android-11/

krapgras avatar Dec 08 '21 16:12 krapgras

Nice work! I've just verified that the fix works on my end.

WarrDaddy avatar Dec 14 '21 08:12 WarrDaddy

@krapgras

Can you check out this error as well?

Error: FingerprintManager$AuthenticationResult(): argument types do not match any of:
	.overload('android.hardware.fingerprint.FingerprintManager$CryptoObject', 'android.hardware.fingerprint.Fingerprint', 'int', 'boolean')
    at X (frida/node_modules/frida-java-bridge/lib/class-factory.js:563)
    at value (frida/node_modules/frida-java-bridge/lib/class-factory.js:966)
    at e (frida/node_modules/frida-java-bridge/lib/class-factory.js:547)
    at <anonymous> (/repl.js:184)
    at apply (native)
    at ne (frida/node_modules/frida-java-bridge/lib/class-factory.js:613)
    at <anonymous> (frida/node_modules/frida-java-bridge/lib/class-factory.js:592)

WarrDaddy avatar Dec 22 '21 21:12 WarrDaddy

What Android version are you running? It seems to be a similar error with the constructor.

I made a similar patch for Android 10, but that one was already referenced in the comments of the script itself. I'm not sure why it has this many versions of the constructor, but it seems they like changing it a lot.

https://codeshare.frida.re/@krapgras/android-biometric-bypass-update-android-10-pixel-3xl-emulator/

krapgras avatar Dec 22 '21 21:12 krapgras

I'm running Android 11. Your original patch worked on one of the apps I'm reviewing but, now I'm testing it out on another app and received that error.

WarrDaddy avatar Dec 22 '21 22:12 WarrDaddy

OK, in that case I'm not sure. And it's hard to make a fix just based on the error without anything to test. Additionally, this script won't work on every implementation of biometrics, which is explained in the blog post regarding this script.

https://labs.f-secure.com/blog/how-secure-is-your-android-keystore-authentication/

Is it a public app?

krapgras avatar Dec 22 '21 23:12 krapgras

Hi! I've run into this on a few different applications. I think a better approach would be to enumerate the overloads at runtime and pass in default values depending on the types. Does anyone have any thoughts on this? :)

CDuPlooy avatar Feb 10 '22 17:02 CDuPlooy

I mean, I'm sure there is an option to do that, but I must admit my Frida skills when it comes to actually writing functions and such are fairly limited. But yes, this might need a proper fix, as it will change across different Android versions.

krapgras avatar Feb 10 '22 18:02 krapgras

Hiya guys, check out https://github.com/ax/android-fingerprint-bypass. The code tries to resolve BiometricPrompt$AuthenticationResult constructor args at runtime. It should work with any Android version.

ax avatar Dec 22 '22 09:12 ax
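The approach proposed above (enumerate the constructor overloads at runtime and pass type-appropriate defaults, instead of hard-coding `$new(crypto, null, 0)` versus `$new(crypto, 0)`) as an added example. This is not code from the android-keystore-audit repository, the codeshare patches, or ax's android-fingerprint-bypass. The pure-JS part (`defaultArgFor`, `planConstructorCall`) runs anywhere; the Frida-side helper only runs inside a frida-java-bridge session. It assumes frida-java-bridge's shape for overloads (`cls.$init.overloads[i].argumentTypes[j].className`, `cls.$new.overload(...types)`), and the sample overload lists below are constructed from the two error messages in this thread, not read from a device.

```javascript
// Added example: resolve whatever BiometricPrompt$AuthenticationResult /
// FingerprintManager$AuthenticationResult constructor the running Android
// version exposes, instead of hard-coding one signature per version.

const CRYPTO_OBJECT_RE = /\$CryptoObject$/;

// Map a JVM type name to the value the bypass passes for that slot.
// The CryptoObject slot receives the real object; every other slot gets the
// "zero" of its type so the constructor accepts it (null for object types).
function defaultArgFor(className, cryptoObj) {
  if (CRYPTO_OBJECT_RE.test(className)) return cryptoObj;
  switch (className) {
    case 'boolean':
      return false;
    case 'byte': case 'short': case 'int': case 'long':
    case 'float': case 'double': case 'char':
      return 0;
    default:
      return null; // Fingerprint, Bundle, any other object type
  }
}

// overloads: array of { argumentTypes: [{ className }] } (frida-java-bridge shape).
// Prefer an overload that takes a CryptoObject; otherwise take the longest one.
// Returns the chosen index, its type list, and the argument list to pass.
function planConstructorCall(overloads, cryptoObj) {
  const typeLists = overloads.map(ov => ov.argumentTypes.map(t => t.className));
  let idx = typeLists.findIndex(types => types.some(t => CRYPTO_OBJECT_RE.test(t)));
  if (idx < 0) {
    idx = typeLists.reduce((best, types, i) => (types.length > typeLists[best].length ? i : best), 0);
  }
  const types = typeLists[idx];
  return { index: idx, types, args: types.map(t => defaultArgFor(t, cryptoObj)) };
}

// Frida-side glue (assumption: same calling convention as cls.$new(...)).
// Drop-in replacement for the authenticationResultObj.$new(...) lines in the
// original scripts. Only callable inside Java.perform().
function buildAuthenticationResult(className, cryptoObj) {
  const cls = Java.use(className);
  const plan = planConstructorCall(cls.$init.overloads, cryptoObj);
  console.log('[*] ' + className + ' constructor: (' + plan.types.join(', ') + ')');
  const ctor = cls.$new.overload(...plan.types);
  return ctor(...plan.args);
}

// Constructed sample overload lists, taken from the two error messages in this
// thread (one overload each here; a real class may expose several).
const SAMPLE_BIOMETRIC_OVERLOADS = [
  { argumentTypes: [
    { className: 'android.hardware.biometrics.BiometricPrompt$CryptoObject' },
    { className: 'int' } ] }
];
const SAMPLE_FINGERPRINT_OVERLOADS = [
  { argumentTypes: [
    { className: 'android.hardware.fingerprint.FingerprintManager$CryptoObject' },
    { className: 'android.hardware.fingerprint.Fingerprint' },
    { className: 'int' },
    { className: 'boolean' } ] }
];

if (typeof Java !== 'undefined' && Java.available) {
  Java.perform(function () {
    // Example use inside a Frida session; the CryptoObject comes from the
    // hooked authenticate() call in the original scripts, not from here.
    console.log('[*] ready: call buildAuthenticationResult(className, cryptoObj)');
  });
}
```

Under Frida, `planConstructorCall` is what removes the per-version `$new` edits: the Android 11 `(CryptoObject, int)` signature yields `[crypto, 0]`, the four-argument `FingerprintManager` signature yields `[crypto, null, 0, false]`, and a future signature that adds another object or primitive slot is handled without touching the script.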

Lovely! Thank you so much

This would be nice to integrate to not only this repository, but also objection. @ax , would you like to open a PR or can I open one and attribute you?

CDuPlooy avatar Jan 07 '23 14:01 CDuPlooy

Hi @CDuPlooy, if you are willing to implement the Android biometric bypass for Objection, go for it, just cite the repo.

Note that for now my code updates just the first script of Mateusz (WithSecure post); their second script will attempt to call onAuthenticationSucceeded and catch javax.crypto.IllegalBlockSizeException exceptions in the Cipher class, which could be a better approach for a tool like Objection. But it won't be difficult to patch their second script in the same way I did for the first one.

ax avatar Jan 10 '23 00:01 ax

Been doing some tests and your patch works nicely. Even better than the one that was edited for my specific Android version :)

krapgras avatar Mar 15 '23 14:03 krapgras

Been doing some tests and your patch works nicely. Even better than the one that was edited for my specific Android version :)

Put a little ⭐ on it! :)

ax avatar Mar 15 '23 16:03 ax