Severity: medium · CWE-308 · OWASP A07:2021

Biometric Bypass

Biometric authentication that only runs client-side can be bypassed by patching the app binary — the server must validate the session independently.

How It Works

If biometric auth just toggles a boolean in the app and the server trusts any request carrying a stored token, an attacker can hook the biometric function with Frida or a similar tool so that it always returns 'success'. The server never verifies that biometric authentication actually occurred, so a patched client is indistinguishable from a genuine one.

Vulnerable Code

import * as LocalAuthentication from 'expo-local-authentication';

// BAD: biometric result trusted client-side only
const result = await LocalAuthentication.authenticateAsync();
if (result.success) {
  setIsAuthenticated(true); // attacker hooks this to always be true
  navigateToDashboard();
}
Secure Code

import * as LocalAuthentication from 'expo-local-authentication';

// GOOD: biometric success exchanges for a fresh server-side session token
const result = await LocalAuthentication.authenticateAsync();
if (result.success) {
  // Prove to the server that the prompt succeeded: fetch a one-time nonce and sign it
  // with a device key the Keystore/Secure Enclave only releases after biometric auth
  // (signChallenge stands in for that platform-specific signing call).
  const { nonce } = await api.get('/auth/challenge');
  const challengeResponse = await signChallenge(nonce);
  // get a fresh session token; the server verifies the signature over its own nonce
  const session = await api.post('/auth/biometric', { nonce, challengeResponse });
  storeSecureToken(session.token);
}

Real-World Example

Researchers at WithSecure demonstrated biometric bypass on multiple banking apps by using Frida to hook the biometric callback and return success without any fingerprint. Apps that only checked the client-side result were fully compromised.

How to Prevent It

  • Use a server-side challenge-response for biometric auth — biometric success should exchange for a fresh session token
  • Store authentication tokens in the Secure Enclave (iOS) or Android Keystore, bound to biometric verification
  • Never make authorization decisions based purely on client-side biometric results
  • Use the BiometricPrompt API's CryptoObject to tie cryptographic operations to successful biometric auth

Affected Technologies

React Native · iOS · Android

Data Hogo detects this vulnerability automatically.
