iOS vulnerable to biometric bypass via "objection"
ssuppan opened this issue · comments
My company did some pen testing on our Xamarin native app which is using plugin.fingerprint.
They were able to bypass biometric authentication via "objection v1.11.0".
This script/program allows a local user to hook into EvaluatePolicy() and EvaluateAccessControl().
When a bad fingerprint is scanned, you can return "true" instead of "false" and gain access to the app.
Supporting documentation can be found here.
Steps to reproduce
- objection -g explore
Expected behavior
The objection script/program should not be able to bypass the bad fingerprint read
Actual behavior
The objection script/program permits the pen tester to bypass fingerprint authentication
Crashlog
If something causes an exception paste full stack trace + Exception here
Configuration
**Version of the Plugin ** 2.1.5
Platform: iOS 12.X and greater
Device: iPhone 12
Hi @ssuppan,
I'm the friendly issue checker.
Thanks for using the issue template 🌟
I appreciate it very much. I'm sure, the maintainers of this repository will answer, soon.
This is not only an issue for fingerprint read on iOS. I believe that Face ID is also vulnerable.
Yes this is an issue that we come to via the ethical hacking of our apps. I hope someone can help out