MASTG-TEST-0018: Testing Biometric Authentication
This test will be updated soon
The test can be used in its current form, but it will receive a complete overhaul as part of the new OWASP MASTG v2 guidelines.
Help us out by submitting a PR for: MASTG v1->v2 MASTG-TEST-0018: Testing Biometric Authentication (android)
Overview
Static Analysis
Note that there are quite a few vendor and third-party SDKs that provide biometric support but have their own weaknesses. Be very cautious when using third-party SDKs to handle sensitive authentication logic.
Dynamic Analysis
Please take a look at this detailed blog article about the Android KeyStore and Biometric authentication. This research includes two Frida scripts which can be used to test insecure implementations of biometric authentication and try to bypass them:
- Fingerprint bypass: This Frida script will bypass authentication when the CryptoObject is not used in the authenticate method of the BiometricPrompt class. The authentication implementation relies on the callback onAuthenticationSucceeded being called.
- Fingerprint bypass via exception handling: This Frida script will attempt to bypass authentication when the CryptoObject is used, but used in an incorrect way. The detailed explanation can be found in the section "Crypto Object Exception Handling" in the blog post.
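The two conditions the Frida scripts above look for are visible in source during static analysis as well. The following Kotlin is an added example written for this page; it is not code from the MASTG project or from the blog post it references. It puts the callback-only pattern that the first script defeats next to the CryptoObject-bound pattern that MASTG expects, and shows the place where the second script's "exception handling" weakness usually enters. It assumes the androidx.biometric library, a FragmentActivity, minSdk 24 or higher, and illustrative choices for the key alias and AES-GCM parameters.

```kotlin
// Added example for MASTG-TEST-0018 (not the project's own code). Assumes
// androidx.biometric, minSdk 24+, and an AndroidKeyStore AES key; the alias
// and GCM parameters below are illustrative.
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

private const val KEY_ALIAS = "mastg_demo_key"   // hypothetical alias
private const val TRANSFORMATION = "AES/GCM/NoPadding"

private fun promptInfo() = BiometricPrompt.PromptInfo.Builder()
    .setTitle("Unlock")
    .setNegativeButtonText("Cancel")
    // Class 3 (strong) biometrics are required for CryptoObject-backed prompts.
    .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG)
    .build()

// Pattern the "Fingerprint bypass" script defeats: no CryptoObject is passed, so
// the only thing gating access is a decision taken inside the success callback.
// Nothing cryptographic depends on the hardware having verified a biometric.
fun insecureUnlock(activity: FragmentActivity, onUnlocked: () -> Unit) {
    val prompt = BiometricPrompt(activity, ContextCompat.getMainExecutor(activity),
        object : BiometricPrompt.AuthenticationCallback() {
            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                onUnlocked() // the callback alone is treated as proof of authentication
            }
        })
    prompt.authenticate(promptInfo())
}

// Hardened pattern: the secret is only decryptable by a key that the keystore
// refuses to use until the prompt's authentication succeeds for this operation.
fun generateAuthBoundKey() {
    val spec = KeyGenParameterSpec.Builder(KEY_ALIAS,
            KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setUserAuthenticationRequired(true)        // every use needs a fresh authentication
        .setInvalidatedByBiometricEnrollment(true)  // a newly enrolled biometric kills the key
        .build()
    KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore").run {
        init(spec)
        generateKey()
    }
}

private fun loadKey(): SecretKey {
    val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    return ks.getKey(KEY_ALIAS, null) as SecretKey
}

fun secureDecrypt(activity: FragmentActivity, iv: ByteArray, ciphertext: ByteArray,
                  onPlaintext: (ByteArray) -> Unit, onFailure: (String) -> Unit) {
    val cipher = Cipher.getInstance(TRANSFORMATION)
    try {
        cipher.init(Cipher.DECRYPT_MODE, loadKey(), GCMParameterSpec(128, iv))
    } catch (e: KeyPermanentlyInvalidatedException) {
        // The "exception handling" bypass targets apps that react here by calling
        // authenticate() without a CryptoObject. Do not fall back: the key is gone,
        // so the protected data has to be re-provisioned after a fresh enrolment.
        onFailure("key invalidated by a biometric enrolment change")
        return
    }
    val prompt = BiometricPrompt(activity, ContextCompat.getMainExecutor(activity),
        object : BiometricPrompt.AuthenticationCallback() {
            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                // Use the cipher the framework hands back, not the callback as a flag.
                val unlocked = result.cryptoObject?.cipher
                if (unlocked == null) {
                    onFailure("no CryptoObject in authentication result")
                    return
                }
                try {
                    // Fails unless the keystore authorised this exact operation.
                    onPlaintext(unlocked.doFinal(ciphertext))
                } catch (e: Exception) {
                    onFailure("decryption rejected: ${e.javaClass.simpleName}")
                }
            }
            override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
                onFailure("authentication error $errorCode: $errString")
            }
        })
    prompt.authenticate(promptInfo(), BiometricPrompt.CryptoObject(cipher))
}
```

When reviewing, flag any call to authenticate that takes only a PromptInfo while the app guards sensitive data or actions in the success callback, and any catch of KeyPermanentlyInvalidatedException or UserNotAuthenticatedException whose handler degrades to a prompt without a CryptoObject. In the hardened form a hooked onAuthenticationSucceeded gains nothing: the cipher it receives was never authorised by the keystore, so doFinal throws and the plaintext is never produced.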