We very often come across applications security assessments of mobile applications performed for our customers that implement biometric authentication. But it is often possible to bypass the authentication, as it is implemented in an insecure manner - and if some prerequisites are fulfilled. Therefore, it is important to stress in the beginning of this article that to be able to perform a bypass, an attacker needs root permissions on the device of the victim or is able to talk the victim into installing a modified version of an app with improper biometric authentication, and has physical access to the device in order to execute those attacks.
Previous research has shown that bypasses are possible, when biometric authentication is not implemented securely. This issue even affects apps that aim at offering a high data protection. In this blogpost we will shed some light on biometric authentication in Android written by our mobile security expert Leonard Eschenbaum and how it can be bypassed. This topic is also directly reflected in the OWASP Mobile Security Testing Guide (MASTG) in MSTG-AUTH-8 and as such is a mandatory issue to check for in mobile application security assessments.