MASTG-TEST-0018: Testing Biometric Authentication
Deprecated Test
This test is deprecated and should no longer be used. Reason: a new version is available in MASTG v2.
Please check the following MASTG v2 tests that cover this v1 test:
- References to APIs Allowing Fallback to Non-Biometric Authentication
- References to APIs for Event-Bound Biometric Authentication
- References to APIs Detecting Biometric Enrollment Changes
- References to APIs Enforcing Authentication without Explicit User Action
- References to APIs for Keys used in Biometric Authentication with Extended Validity Duration
Overview
Static Analysis
Note that quite a few vendor and third-party SDKs provide biometric support but carry their own weaknesses. Be very cautious when relying on a third-party SDK to handle sensitive authentication logic, and verify how it ties the authentication result to the protected secret rather than trusting the SDK's success callback alone.
Dynamic Analysis
Refer to the detailed blog article on the Android KeyStore and biometric authentication. That research includes two Frida scripts which can be used to test insecure implementations of biometric authentication and to try to bypass them:
- Fingerprint bypass: This Frida script bypasses authentication when the `CryptoObject` is not used in the `authenticate` method of the `BiometricPrompt` class, i.e. the authentication implementation relies only on the callback `onAuthenticationSucceeded` being called.
- Fingerprint bypass via exception handling: This Frida script attempts to bypass authentication when the `CryptoObject` is used, but used incorrectly. The detailed explanation can be found in the section "Crypto Object Exception Handling" of the blog post.
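The two bypass conditions above correspond to two ways of wiring `BiometricPrompt`. The following is an added illustration, not code from the MASTG or from the referenced blog post: a hypothetical vault-unlock flow showing the event-bound pattern that the first Frida script defeats next to a key-bound pattern in which the `CryptoObject` cipher is what actually releases the secret, with the `KeyGenParameterSpec` settings the MASTG v2 tests listed above look for. The class name `VaultUnlock`, the alias `vault_key`, the `VaultListener` interface and the IV/ciphertext layout are assumptions made for the example; the Android and AndroidX Biometric APIs are used as documented.

```java
import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import androidx.biometric.BiometricManager;
import androidx.biometric.BiometricPrompt;
import androidx.core.content.ContextCompat;
import androidx.fragment.app.FragmentActivity;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Hypothetical vault-unlock flow (example only; names and secret layout are assumptions). */
public final class VaultUnlock {
    private static final String KEY_ALIAS = "vault_key";   // assumed alias
    private static final String TRANSFORM = "AES/GCM/NoPadding";

    public interface VaultListener { void onUnlocked(byte[] secret); void onFailed(); }

    /** VULNERABLE: event-bound. Nothing ties the secret to the biometric result, so a
     *  hooked onAuthenticationSucceeded() or a forged AuthenticationResult releases it. */
    public static void unlockEventBound(FragmentActivity activity, final byte[] vaultSecret,
                                        final VaultListener listener) {
        BiometricPrompt prompt = new BiometricPrompt(activity,
                ContextCompat.getMainExecutor(activity),
                new BiometricPrompt.AuthenticationCallback() {
                    @Override
                    public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult r) {
                        listener.onUnlocked(vaultSecret);   // trusts a boolean event
                    }
                });
        prompt.authenticate(promptInfo());                  // no CryptoObject
    }

    /** HARDENED: key-bound. Only an operation the biometric subsystem authorized can
     *  decrypt, so calling the callback without a real authentication yields nothing. */
    public static void unlockKeyBound(FragmentActivity activity, final byte[] iv,
                                      final byte[] ciphertext, final VaultListener listener)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        SecretKey key = (SecretKey) ks.getKey(KEY_ALIAS, null);
        final Cipher cipher = Cipher.getInstance(TRANSFORM);
        // For a per-operation key, init() succeeds and the KeyStore operation stays
        // pending until BiometricPrompt authorizes exactly this cipher instance.
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));

        BiometricPrompt prompt = new BiometricPrompt(activity,
                ContextCompat.getMainExecutor(activity),
                new BiometricPrompt.AuthenticationCallback() {
                    @Override
                    public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult r) {
                        BiometricPrompt.CryptoObject co = r.getCryptoObject();
                        if (co == null || co.getCipher() == null) {
                            listener.onFailed();   // forged callback: no authorized cipher
                            return;
                        }
                        try {
                            // doFinal() fails unless this operation was authorized; any
                            // exception is a failed unlock, never a fallback to plaintext.
                            listener.onUnlocked(co.getCipher().doFinal(ciphertext));
                        } catch (Exception e) {
                            listener.onFailed();
                        }
                    }
                    @Override
                    public void onAuthenticationError(int code, CharSequence msg) {
                        listener.onFailed();
                    }
                });
        prompt.authenticate(promptInfo(), new BiometricPrompt.CryptoObject(cipher));
    }

    /** Key generation, run once when the vault is created. */
    public static void generateVaultKey() throws Exception {
        KeyGenParameterSpec.Builder b = new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setUserAuthenticationRequired(true)         // unusable without user auth
                .setInvalidatedByBiometricEnrollment(true);  // new enrollment kills the key (API 24+)
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
            // timeout 0: every use needs a fresh BIOMETRIC_STRONG auth, no credential fallback
            b.setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG);
        }
        // Below API 30 the default validity duration of -1 already means per-operation auth.
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(b.build());
        kg.generateKey();
    }

    private static BiometricPrompt.PromptInfo promptInfo() {
        return new BiometricPrompt.PromptInfo.Builder()
                .setTitle("Unlock vault")
                .setNegativeButtonText("Cancel")
                // BIOMETRIC_STRONG only: no DEVICE_CREDENTIAL fallback to PIN or pattern
                .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG)
                .build();
    }
}
```

When testing, run the first Frida script against `unlockEventBound` and the vault opens; run it against `unlockKeyBound` and `getCryptoObject()` is null or `doFinal()` throws, so the unlock fails. Also check that the app never catches that exception and proceeds with a cached or plaintext secret, which is the misuse the second script targets.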