Incorrect Access Control in the Fingerprint Authentication Mechanism of "Life : Personal Diary, Journal" App
Product introduction
A personal and secure diary app. Write your life journey and keep those memories forever. You can also write journals, notes, to do lists and your daily plans in this diary app. It is also a note keeper, you can keep your notes in this diary app. It is a pocket diary where you can express yourself. Write your secrets and feeling in this life diary. Keep your life memorable life moments and milestones in it.
This personal diary comes with password lock and it is also a diary with fingerprint lock. You can add your photo memories to the photo collection in this personal diary with lock. The pass code will protect your journal and notes forever. Life diary app will be your perfect companion to express yourself. This journal app work perfectly in offline, it is a offline diary.
Affected version
17.5.0
Vulnerability description
The following vulnerabilities exist in the implementation of the fingerprint authentication function of this app.
- Failure to disable the fingerprint function when a new fingerprint is added to the device, allowing an attacker to pass fingerprint authentication by entering a new fingerprint, which can lead to unauthorized access.
- Failure to verify the user’s identity when disabling the fingerprint feature, allowing the integrity of the fingerprint protection to be compromised, which can cause fingerprint protection to fail.
Improvement suggestion
- Disable fingerprint authentication when a new fingerprint is recognized on the device, prompt the user when he/she performs fingerprint authentication, and require the user to complete the authentication by other means. In terms of implementation, this can be done by using the “setInvalidatedByBiometricEnrollment” API of the key used in fingerprint authentication.
- Verify the user’s identity when turning off the fingerprint function, and allow the user to turn off the fingerprint function only if the verification is passed.