Patch for android 11 - fingerprint-bypass-via-exception-handling.js #14

Open
krapgras opened this issue Dec 8, 2021 · 12 comments
Comments

@krapgras
krapgras commented Dec 8, 2021

Hello All,

I noticed that Android 11 uses a different constructor for the BiometricPrompt$AuthenticationResult() function, as you can find here: https://developer.android.com/reference/android/hardware/biometrics/BiometricPrompt.AuthenticationResult

Because of this, the script will throw an error, as it is expecting 2 arguments but gets 3.

Error: BiometricPrompt$AuthenticationResult(): argument types do not match any of:
	.overload('android.hardware.biometrics.BiometricPrompt$CryptoObject', 'int')
    at X (frida/node_modules/frida-java-bridge/lib/class-factory.js:563)
    at value (frida/node_modules/frida-java-bridge/lib/class-factory.js:966)
    at e (frida/node_modules/frida-java-bridge/lib/class-factory.js:547)
    at <anonymous> (/fingerprint-bypass-via-exception-handling.js:65)
    at apply (native)
    at ne (frida/node_modules/frida-java-bridge/lib/class-factory.js:613)
    at <anonymous> (frida/node_modules/frida-java-bridge/lib/class-factory.js:592)

Changing authenticationResultObj.$new(cryptoInst,null,0); to authenticationResultObj.$new(cryptoInst,0);
and authenticationResultObj.$new(crypto,null,0); to authenticationResultObj.$new(crypto,0); respectively should fix the issue.

Made a quick fix and posted it on frida codeshare here:

https://codeshare.frida.re/@krapgras/android-biometric-bypass-update-android-11/

@WarrDaddy
Nice work! I've just verified that the fix works on my end.

@WarrDaddy
@krapgras

Can you check out this error as well?

Error: FingerprintManager$AuthenticationResult(): argument types do not match any of:
	.overload('android.hardware.fingerprint.FingerprintManager$CryptoObject', 'android.hardware.fingerprint.Fingerprint', 'int', 'boolean')
    at X (frida/node_modules/frida-java-bridge/lib/class-factory.js:563)
    at value (frida/node_modules/frida-java-bridge/lib/class-factory.js:966)
    at e (frida/node_modules/frida-java-bridge/lib/class-factory.js:547)
    at <anonymous> (/repl.js:184)
    at apply (native)
    at ne (frida/node_modules/frida-java-bridge/lib/class-factory.js:613)
    at <anonymous> (frida/node_modules/frida-java-bridge/lib/class-factory.js:592)

@krapgras
Author

What Android version are you running? Seems to be a similar error with the constructor.

I made a similar patch for Android 10, but that one was already referenced in the comments of the script itself.
I'm not sure why it has this many versions of the constructor, but it seems they like changing it a lot.

https://codeshare.frida.re/@krapgras/android-biometric-bypass-update-android-10-pixel-3xl-emulator/

@WarrDaddy
I'm running Android 11. Your original patch worked on one of the apps I'm reviewing, but now I'm testing it out on another app and received that error.

@krapgras
Author

OK, in that case I'm not sure. And it's hard to make a fix just based on the error without anything to test.
Additionally, this script won't work on every implementation of biometrics, which is explained in the blog post regarding this script.

https://labs.f-secure.com/blog/how-secure-is-your-android-keystore-authentication/

Is it a public app?

@CDuPlooy
Contributor

Hi! I've run into this on a few different applications. I think a better approach would be to enumerate the overloads at runtime and pass in default values depending on the types. Does anyone have any thoughts on this? :)

@krapgras
Author

I mean, I'm sure there is an option to do that, but I must admit my Frida skills when it comes to actually making functions and such are fairly limited. But yes, this might need a proper fix, as it will change over different Android versions.

@ax
ax commented Dec 22, 2022

Hiya guys,
check out https://github.com/ax/android-fingerprint-bypass.
The code tries to resolve the BiometricPrompt$AuthenticationResult constructor args at runtime.
It should work with any Android version.

@CDuPlooy
Contributor

CDuPlooy commented Jan 7, 2023

Lovely! Thank you so much.

This would be nice to integrate into not only this repository but also objection. @ax, would you like to open a PR, or can I open one and attribute you?

@ax
ax commented Jan 10, 2023

Hi @CDuPlooy, if you are willing to implement the Android biometric bypass for Objection, go for it, just cite the repo.

Note that now my code updates just the first script of Mateusz (WithSecure post); their second script will attempt to call onAuthenticationSucceeded and catch javax.crypto.IllegalBlockSizeException exceptions in the Cipher class, which could be a better approach for a tool like Objection. But it won't be difficult to patch their second script in the same way I did for the first one.

@krapgras
Author

Been doing some tests and your patch works nicely. Even better than the one that was edited for my specific Android version :)

@ax
ax commented Mar 15, 2023

> Been doing some tests and your patch works nicely. Even better than the one that was edited for my specific Android version :)

Put a little ⭐ on it! :)
