Hacktricks-skills android-biometric-bypass
Android biometric authentication pentesting and bypass techniques. Use this skill whenever testing Android app security, analyzing biometric authentication implementations, or performing mobile security assessments. Trigger for fingerprint authentication testing, biometric prompt analysis, Android Keystore security reviews, or any mobile app security work involving authentication mechanisms. Don't skip this skill for Android security testing even if the user doesn't explicitly mention 'biometric' or 'fingerprint' - authentication security is always in scope.
git clone https://github.com/abelrguezr/hacktricks-skills
skills/mobile-pentesting/android-app-pentesting/bypass-biometric-authentication-android/SKILL.MD
Android Biometric Authentication Pentesting
A comprehensive skill for testing and bypassing Android biometric authentication mechanisms during security assessments.
When to Use This Skill
Use this skill when:
- Testing Android app security and authentication flows
- Analyzing biometric prompt implementations (FingerprintManager, BiometricPrompt)
- Performing mobile penetration testing on authentication mechanisms
- Reviewing Android Keystore usage and crypto object handling
- Assessing in-app biometric authentication security
- Investigating authentication bypass vulnerabilities
Quick Start
```bash
# Basic Frida hook for biometric bypass
frida -U -f <target-package> --no-pause -l scripts/biometric-bypass.js
```
Method 1: NULL CryptoObject Bypass
Targets apps that don't validate the CryptoObject in onAuthenticationSucceeded().
How It Works
The onAuthenticationSucceeded callback receives an AuthenticationResult containing a CryptoObject. Many apps fail to validate this object, allowing bypass with a NULL crypto object.
Execution
frida -U -f <target-package> --no-pause -l scripts/biometric-bypass-null-crypto.js
Then in the Frida console:
> bypass()
What to Check
- Does the app verify result.cryptoObject is not null?
- Does the app validate the cipher/signature before granting access?
- Are sensitive operations protected by the crypto object?
Method 2: Exception Handling Bypass
For apps that use different cipher objects after authentication.
How It Works
Invokes onAuthenticationSucceeded with an unauthorized CryptoObject. If the app uses a different cipher, the call raises IllegalBlockSizeException; the script handles that exception and ensures subsequent objects use the new key.
Execution
frida -U -f <target-package> --no-pause -l scripts/biometric-bypass-exception.js
In Frida console:
> bypass()
Method 3: Universal Biometric Bypass (API 28-34)
Community script that hooks all BiometricPrompt.authenticate() overloads and the legacy FingerprintManager.authenticate().
Features
- Works on Android 8.0 (API 28) through Android 14 (API 34)
- Hooks both modern and legacy biometric APIs
- Triggers onAuthenticationSucceeded with a fabricated AuthenticationResult
- Silent to UI - no biometric dialog appears
- No root required (user-space only)
Execution
frida -U -f <target-package> --no-pause -l scripts/universal-biometric-bypass.js
Limitations
Only works if the target app performs no cryptographic checks on the returned CryptoObject.
Method 4: Downgrade/Fallback Manipulation
Forces weaker authentication requirements at runtime.
How It Works
Hooks setAllowedAuthenticators() to replace a strong-only policy with weak/device-credential:
```javascript
// androidx.biometric.BiometricManager.Authenticators values:
// BIOMETRIC_STRONG = 0x000F, BIOMETRIC_WEAK = 0x00FF, DEVICE_CREDENTIAL = 0x8000
var PromptInfoBuilder = Java.use('androidx.biometric.BiometricPrompt$PromptInfo$Builder');
PromptInfoBuilder.setAllowedAuthenticators.implementation = function (flags) {
    console.log('[*] Original flags: 0x' + flags.toString(16));
    // Replace whatever policy the app asked for with BIOMETRIC_WEAK | DEVICE_CREDENTIAL
    // (the original snippet used 0x0002, which is not the BIOMETRIC_WEAK constant)
    return this.setAllowedAuthenticators(0x00FF | 0x8000);
};
```
Execution
frida -U -f <target-package> --no-pause -l scripts/biometric-downgrade.js
What to Test
- Can the app be tricked into accepting PIN/Pattern fallback?
- Does the app validate the authenticator type after authentication?
- Are weak biometrics (face unlock) accepted when strong (fingerprint) was required?
Method 5: Instrumentation Frameworks
Beyond Frida, consider:
- Xposed/LSPosed: System-wide hooking framework
- Magisk Modules: Root-level modifications
- Custom ADB Scripts: Backend interaction simulation
Method 6: Reverse Engineering Approach
For static analysis and code modification:
- Decompile: apktool d app.apk
- Analyze: Look for BiometricPrompt, FingerprintManager, KeyStore usage
- Identify Weaknesses: Missing crypto object validation, fallback mechanisms
- Modify: Remove authentication checks, recompile, sign, test
Method 7: Vendor/Kernel CVEs
Monitor Android security bulletins for:
- CVE-2023-20995: Pixel 8, Android 13 - captureImage logic error
- CVE-2024-53835/53840: December 2024 Pixel bulletin - biometric bypass
These can chain with app-level flaws for complete bypass.
Hardening Checklist (For Developers)
When reviewing or recommending fixes:
- Enforce setUserAuthenticationRequired(true) on Keystore keys
- Set setInvalidatedByBiometricEnrollment(true) for key generation
- Always verify result.cryptoObject is not null
- Validate cipher/signature before unlocking sensitive features
- Use BIOMETRIC_STRONG only - never fall back to BIOMETRIC_WEAK
- Pin androidx.biometric to latest version (≥1.2.0-beta02)
- Implement server-side authentication for critical operations
Common Vulnerability Patterns
| Pattern | Risk | Detection |
|---|---|---|
| NULL CryptoObject accepted | High | Check that onAuthenticationSucceeded() verifies result.cryptoObject is not null |
| No cipher validation | High | Look for a missing cipher/signature operation before sensitive features are unlocked |
| Weak authenticator fallback | Medium | Check setAllowedAuthenticators() flags for BIOMETRIC_WEAK / DEVICE_CREDENTIAL |
| Legacy FingerprintManager | Medium | Search for deprecated API usage |
| No key invalidation on enrollment | Medium | Check key generation for setInvalidatedByBiometricEnrollment(true) |
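The checks in this table, Method 4's "What to Test" list and the "Analyze" step of Method 6 can be scripted as a first static pass over decompiled source. The following is an added example, not part of the original skill or its Frida scripts: it scans Java/Kotlin text (e.g. jadx output of an apktool-unpacked APK) for the five table patterns plus the checklist's setUserAuthenticationRequired(true) item, and decodes setAllowedAuthenticators() arguments using the public androidx BiometricManager.Authenticators values (BIOMETRIC_STRONG = 0x000F, BIOMETRIC_WEAK = 0x00FF, DEVICE_CREDENTIAL = 0x8000). The two Java samples are constructed for the example, unlockVault/fail/wrappedSecret are placeholder names, and the "High" rating for the unbound-key finding is the example's own assumption.

```python
"""Static checker for the weakness patterns in the table above, run over decompiled
Java/Kotlin source text (e.g. jadx output). The samples at the bottom are constructed."""
import re
from typing import List, Optional, Tuple

# Public values of androidx.biometric.BiometricManager.Authenticators.
BIOMETRIC_STRONG, BIOMETRIC_WEAK, DEVICE_CREDENTIAL = 0x000F, 0x00FF, 0x8000
AUTH_NAMES = {"BIOMETRIC_STRONG": BIOMETRIC_STRONG, "BIOMETRIC_WEAK": BIOMETRIC_WEAK,
              "DEVICE_CREDENTIAL": DEVICE_CREDENTIAL}
Finding = Tuple[str, str, str]  # (pattern, risk, evidence)

def parse_authenticators(expr: str) -> Optional[int]:
    """Evaluate a setAllowedAuthenticators() argument: literals and/or the three
    Authenticators names joined with '|'. None for anything else (e.g. a variable)."""
    flags = 0
    for token in expr.split("|"):
        token = token.strip().split(".")[-1]  # drop a BiometricManager.Authenticators. prefix
        if token in AUTH_NAMES:
            flags |= AUTH_NAMES[token]
        else:
            try:
                flags |= int(token, 0)  # base 0 accepts 0x.. hex as well as decimal
            except ValueError:
                return None
    return flags

def describe_authenticators(flags: int) -> List[str]:
    """Name what a flag value admits. WEAK (0x00FF) is a superset of STRONG (0x000F);
    any other low-byte value is not a documented class and is reported as such."""
    low, names = flags & 0x00FF, []
    if low == BIOMETRIC_STRONG:
        names.append("BIOMETRIC_STRONG")
    elif low == BIOMETRIC_WEAK:
        names.append("BIOMETRIC_WEAK")
    elif low:
        names.append("UNRECOGNISED(0x%02X)" % low)
    if flags & DEVICE_CREDENTIAL:
        names.append("DEVICE_CREDENTIAL")
    return names

def method_body(src: str, name: str) -> Optional[str]:
    """Body of the first method called `name`, found by brace matching (braces inside
    string literals are not handled, which is fine for decompiler output)."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth = 1
    for i in range(m.end(), len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[m.end():i]
    return None

def scan(src: str) -> List[Finding]:
    found: List[Finding] = []
    if re.search(r"\bFingerprintManager(Compat)?\b", src):
        found.append(("Legacy FingerprintManager", "Medium", "deprecated API referenced"))
    for m in re.finditer(r"setAllowedAuthenticators\(([^)]*)\)", src):
        flags = parse_authenticators(m.group(1))
        if flags is not None and describe_authenticators(flags) != ["BIOMETRIC_STRONG"]:
            found.append(("Weak authenticator fallback", "Medium",
                          "0x%04X admits %s" % (flags, "|".join(describe_authenticators(flags)))))
    if "KeyGenParameterSpec.Builder" in src:
        if not re.search(r"setUserAuthenticationRequired\(\s*true\s*\)", src):
            # Checklist item the table does not rate; "High" is this example's own assumption.
            found.append(("Key not bound to user authentication", "High", "setUserAuthenticationRequired(true) missing"))
        if not re.search(r"setInvalidatedByBiometricEnrollment\(\s*true\s*\)", src):
            found.append(("No key invalidation on enrollment", "Medium", "setInvalidatedByBiometricEnrollment(true) missing"))
    body = method_body(src, "onAuthenticationSucceeded")
    if body is not None:  # is the CryptoObject read, null-checked and actually used?
        if not re.search(r"getCryptoObject\(\)|\.cryptoObject\b", body):
            found.append(("NULL CryptoObject accepted", "High", "callback never reads the CryptoObject"))
        elif not re.search(r"\bnull\b|\?\.", body):
            found.append(("NULL CryptoObject accepted", "High", "CryptoObject read without a null check"))
        elif not re.search(r"\b(doFinal|sign|verify|update)\s*\(", body):
            found.append(("No cipher validation", "High", "no cipher/signature operation on the CryptoObject"))
    return found

# Constructed samples, not taken from any real app; unlockVault/fail/wrappedSecret are placeholders.
WEAK_SAMPLE = """class WeakAuth {
  FingerprintManager legacy;
  KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder("k", 3).build();
  PromptInfo info = new PromptInfo.Builder().setAllowedAuthenticators(
      BiometricManager.Authenticators.BIOMETRIC_WEAK | BiometricManager.Authenticators.DEVICE_CREDENTIAL).build();
  public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) { unlockVault(); }
}"""
HARDENED_SAMPLE = """class HardenedAuth {
  KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder("k", 3)
      .setUserAuthenticationRequired(true).setInvalidatedByBiometricEnrollment(true).build();
  PromptInfo info = new PromptInfo.Builder()
      .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG).build();
  public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {
    BiometricPrompt.CryptoObject co = result.getCryptoObject();
    if (co == null || co.getCipher() == null) { fail(); return; }
    unlockVault(co.getCipher().doFinal(wrappedSecret));
  }
}"""

if __name__ == "__main__":
    print(scan(WEAK_SAMPLE), scan(HARDENED_SAMPLE), sep="\n")
```

Run it over real decompiler output with scan(open(path).read()). It is a regex triage pass, not a proof: a flags value held in a variable is skipped, only the first onAuthenticationSucceeded is inspected, and a Kotlin `or` expression is not parsed, so confirm every finding (and every clean result) at runtime before reporting it.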
Reporting Findings
When documenting biometric bypass vulnerabilities:
- Include the Frida script used for the bypass
- Show the authentication flow before and after bypass
- Demonstrate access to protected functionality
- Provide remediation using the hardening checklist
- Rate severity based on data sensitivity and bypass difficulty