Android
Auth

The Biometric AuthToken Heist: Cracking PINs and Bypassing CE via a Long-Ignored Attack Surface


Xuangan Xiao, Zikai Xu

DARKNAVY


Abstract

Modern smartphones commonly integrate biometric authentication to enhance user convenience, allowing quick and secure identity verification without requiring a lock screen password. However, the lack of standardized implementations across manufacturers has resulted in numerous security risks, particularly in authentication validity checks and credential lifecycle management.

This research investigated the biometric authentication implementations of over 30 Android phones from 9 independent manufacturers, focusing on the biometric authentication process inside their Trusted Applications (TAs). It revealed that many manufacturers manage AuthTokens poorly in the biometric TA, enabling attackers to bypass authentication and steal the phone’s lock screen PIN. The feasibility of this attack was confirmed on 8 devices from 7 independent manufacturers, with the PIN code successfully retrieved in each case. Compromising the PIN is more damaging than a typical privilege escalation attack on Android because it lets an attacker unlock the device, bypass credential encryption (CE) to access and decrypt user data, and potentially transfer funds from the phone's wallet.

Balancing security and convenience remains an industry challenge, with additional authentication methods often leading to more attack vectors. This study highlights a critical, previously neglected attack surface, demonstrates its exploitability across a wide range of devices, and offers manufacturers suggestions to mitigate these risks.

Bio

Xuangan Xiao is a security researcher at DARKNAVY, with interests in mobile security and system security. Previously, he was a member of the CTF team 0ops and won DEFCON CTF in 2021 and 2022 with the united team A*0*E and Katzebin. He has discovered multiple vulnerabilities in mobile devices, IoT systems, and vehicles, and has published several papers at academic conferences such as IEEE S&P.

Zikai Xu is a postgraduate student in the Fluctlight Security Lab of Zhejiang University and a security researcher intern at DARKNAVY. He has a strong interest in mobile security. He is also a CTF player in AAA and Katzebin.


Sponsors

POC Conference is made possible thanks to the support of our sponsors. Their continued partnership has played a vital role in sustaining and growing POC over the years. We sincerely thank them for their contribution.

Supporting Friends

  • 0x41con
  • codeblue
  • kunlun
  • dailysecu
  • ekoparty
  • h2hc
  • hardweario
  • hexacon
  • hitcon
  • nopcon
  • nullcon
  • offensivecon
  • phdays
  • sincon
  • theori
  • xcon
  • zeronights