Incorrect Access Control in the Fingerprint Authentication Mechanism of "App Lock - Lock & Unlock Apps" App

Product introduction

App Lock is a free application for locking Gmail, Google, Chrome, YouTube, Facebook and other apps. 1). Intruder feature: when this feature is enabled and an attempt to unlock a protected app fails more than 3 times, App Lock turns on the front camera, takes a picture and saves it, so you can see who tried to access your protected apps. 2). Camouflage function: two camouflage options disguise the app icon and the unlock page, making the app lock harder to spot and the protected app look untouched. 3). Notification protection: notifications from protected apps are no longer shown in the notification bar; App Lock intercepts them, and the only way to read their content is to open App Lock. Notification protection adds a further layer to apps that are already locked.

Affected version

1.9.1

Vulnerability description

The following vulnerabilities exist in the implementation of this app's fingerprint authentication function.

  1. The cryptographic parameter (CryptoObject) of the fingerprint authentication call is not configured securely and correctly: no Keystore key is bound to the authentication, so the app relies solely on the success callback and fingerprint authentication can be bypassed by spoofing the authentication result.
  2. The app uses the deprecated FingerprintManager API (deprecated since Android 9) to implement fingerprint authentication. Because this API leaves the fingerprint dialog to the app, the unlock UI can be imitated or covered by another app, making the fingerprint function susceptible to UI attacks.
  3. Fingerprint unlock is not disabled when a new fingerprint is enrolled on the device, so an attacker with access to the device settings can enroll their own fingerprint and pass fingerprint authentication, leading to unauthorized access.
  4. The user's identity is not verified when the fingerprint feature is disabled, so anyone holding the unlocked device can switch fingerprint protection off, compromising the integrity of the protection and causing it to fail.

Vulnerability reproduction (for the first item in the vulnerability description)

  1. Enable the fingerprint unlock feature in the "App Lock - Lock & Unlock Apps" app.
  2. Run frida-server on the Android device.
  3. Inject the "fingerprint-bypass.js" script with Frida, hook the fingerprint authentication function "authenticate", and spoof the authentication result. (Partial core code as shown below)
  4. Switch to the fingerprint unlock screen of "App Lock - Lock & Unlock Apps" and observe that the protected app unlocks without a fingerprint being presented.

Improvement suggestion

  1. When calling the fingerprint authentication API "authenticate", pass a CryptoObject built from a pre-created Android Keystore key that requires user authentication, and after the user has verified their fingerprint perform a real cryptographic operation with that key and check that it succeeds, so that a spoofed success callback alone is not enough to unlock. (refer to ***https://developer.android.com/training/sign-in/biometric-auth*** )
  2. Use the current biometric API (BiometricPrompt), which provides a system-drawn prompt and stronger protection. The framework BiometricPrompt is not available on Android versions below 9; if compatibility matters, use Google's "androidx.biometric" library, which offers the same API and falls back to FingerprintManager on older devices.
  3. Disable fingerprint authentication when a new fingerprint is enrolled on the device, inform the user at the next fingerprint attempt, and require them to authenticate by other means (PIN or pattern). In terms of implementation, build the key used in fingerprint authentication with "setInvalidatedByBiometricEnrollment(true)" (the default on API 24+ for keys that also set "setUserAuthenticationRequired(true)"); the key is then permanently invalidated on enrollment, and the resulting KeyPermanentlyInvalidatedException can be used to switch the feature off. Note that this only works if the key is actually used through a CryptoObject as described in item 1.
  4. Verify the user's identity when turning off the fingerprint function, and allow the feature to be disabled only if the verification passes.
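
As an added example (this is editor-written illustration code, not the app's code and not the fingerprint-bypass.js script), the following Java class shows how items 1, 3 and 4 of the suggestions fit together using the androidx.biometric library: a Keystore key that requires user authentication and is invalidated by new enrollments, a BiometricPrompt call that carries a CryptoObject built from that key, a success callback that only unlocks after a real operation with the key succeeds, and a disable path that is gated by the same check. The class name, key alias "applock_unlock_key", the challenge bytes and the Callback interface are assumptions made for the example.

```java
// Added illustration, not the app's code. Assumes androidx.biometric and a
// FragmentActivity host. KEY_ALIAS, the challenge bytes and Callback are assumed names.
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import androidx.biometric.BiometricManager;
import androidx.biometric.BiometricPrompt;
import androidx.core.content.ContextCompat;
import androidx.fragment.app.FragmentActivity;

import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public final class FingerprintGate {
    private static final String KEY_ALIAS = "applock_unlock_key"; // assumed alias
    private static final String TRANSFORMATION = KeyProperties.KEY_ALGORITHM_AES + "/"
            + KeyProperties.BLOCK_MODE_CBC + "/" + KeyProperties.ENCRYPTION_PADDING_PKCS7;

    // Vulnerable pattern (item 1 of the advisory): a null CryptoObject binds no key
    // to the result, so a hooked onAuthenticationSucceeded callback is enough to unlock.
    //   fingerprintManager.authenticate(null, cancel, 0, callback, null);

    public interface Callback { void unlocked(); void fallbackToPin(); }

    // Create the key once, when the user enables fingerprint unlock.
    public static void createKey() throws Exception {
        KeyGenerator gen = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        gen.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
                .setUserAuthenticationRequired(true)       // key unusable without a fresh biometric
                .setInvalidatedByBiometricEnrollment(true) // item 3: a new fingerprint kills the key
                .build());
        gen.generateKey();
    }

    // Returns a Cipher initialised with the key, or null if the key was invalidated
    // by a new enrollment (the signal to switch fingerprint unlock off).
    private static Cipher initCipher() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        SecretKey key = (SecretKey) ks.getKey(KEY_ALIAS, null);
        if (key == null) return null;
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        try {
            cipher.init(Cipher.ENCRYPT_MODE, key);
        } catch (KeyPermanentlyInvalidatedException e) {
            ks.deleteEntry(KEY_ALIAS);
            return null;
        }
        return cipher;
    }

    // Item 1: authenticate with a CryptoObject and only unlock after the key really works.
    public static void unlock(FragmentActivity activity, Callback cb) throws Exception {
        Cipher cipher = initCipher();
        if (cipher == null) { cb.fallbackToPin(); return; } // item 3: enrollment changed

        BiometricPrompt prompt = new BiometricPrompt(activity,
                ContextCompat.getMainExecutor(activity),
                new BiometricPrompt.AuthenticationCallback() {
                    @Override
                    public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {
                        try {
                            BiometricPrompt.CryptoObject co = result.getCryptoObject();
                            if (co == null || co.getCipher() == null) { cb.fallbackToPin(); return; }
                            // Keystore rejects this operation unless the hardware actually
                            // authorised the key, so a forged callback fails here.
                            co.getCipher().doFinal("unlock-check".getBytes(StandardCharsets.UTF_8));
                            cb.unlocked();
                        } catch (Exception e) {
                            cb.fallbackToPin();
                        }
                    }
                });
        BiometricPrompt.PromptInfo info = new BiometricPrompt.PromptInfo.Builder()
                .setTitle("Unlock")
                .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG)
                .setNegativeButtonText("Use PIN")
                .build();
        prompt.authenticate(info, new BiometricPrompt.CryptoObject(cipher));
    }

    // Item 4: switching the feature off is itself a protected action.
    public static void disableFingerprint(FragmentActivity activity, Runnable onDisabled,
                                          Runnable requirePin) throws Exception {
        unlock(activity, new Callback() {
            @Override public void unlocked() {
                try {
                    KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
                    ks.load(null);
                    ks.deleteEntry(KEY_ALIAS);
                } catch (Exception ignored) { }
                onDisabled.run();
            }
            @Override public void fallbackToPin() { requirePin.run(); }
        });
    }
}
```

The check in onAuthenticationSucceeded raises the bar from "flip a boolean in a callback" to "forge a Keystore-authorised operation", which an in-process hook cannot do. An instrumented process can still hook the app's own branch after doFinal, so the strongest form of this pattern uses the authenticated cipher to decrypt something the unlock actually needs (for example the stored PIN hash or a per-app secret) rather than a fixed challenge, so that bypassing the check yields nothing usable.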