Mysterious Crypto in Android Biometrics

Mysterious Crypto in Android
Biometrics
Responsible: Mr. Pongsakorn Sommalai
Version (Date): 1.0 (2019-10-02)
Confidentiality class: Public
บจก.สยามถนัดแฮก

Responsible / Version: Mr. Pongsakorn Sommalai / 1.0 (2019-10-02)
Mr. Pongsakorn (Bongtrop) Sommalai
Penetration Tester
Siam Thanat Hack Company Limited
Whoami
It’s me.

Overview
3
- Introduction
- Android Biometrics (Authentication) Security
- Android Keystore
- Cryptographic Library in Android
- Biometric Prompt
- Example Applications
- AndroidKeyStore
- The better way (let's discuss)

Introduction

What is Biometrics (Authentication)?
5
http://fintechnews.sg/18096/mobile-payment/singaporeans-interested-in-biometrics-authentication-and-payments/

Password & PIN

Password & PIN
000000

8
1 2
Celeb’s Opinion

Today’s Scenario
10
Scenario: The sophisticated threat actors or APT malware with access to the
victim’s device.
Not these:

Android Biometric
Implementation

What is Keystore ?
12
A safe box which can store cryptographic keys.

FriendZone Technology and the Trusted Execution Environment (TEE)
13

TrustZone Technology and the Trusted Execution Environment (TEE)
14

AndroidKeyStore and his Friend
15

Key Material in AndroidKeyStore
16
- Generate in secure world
- Encrypt in secure world
- Decrypt in secure world
- XXX in secure world
Can you gimme a key? Can you decrypt for me?

Cryptographic Library in Android
17
https://developer.android.com/guide/topics/security/cryptography

Biometric Prompt
18
https://android-developers.googleblog.com/2018/06/better-biometrics-in-android-p.html

Example Application #1
19
// For the "insecure" method, the app relies on onAuthenticationSucceeded function being called
btInsecureActivity.setOnClickListener(new View.OnClickListener() {
@Override
public void onClick(View view) {
new BiometricPrompt(MainActivity.this, executor, new BiometricPrompt.AuthenticationCallback() {
@Override
public void onAuthenticationSucceeded(@NonNull BiometricPrompt.AuthenticationResult result) {
super.onAuthenticationSucceeded(result);
i = new Intent(MainActivity.this, InsecureActivity.class);
startActivity(i);
}
}).authenticate(promptInfo);
}
});
Let’s play !!

20

21
KeyStore + Cryptographic + BiometricPrompt

22
Generate Key
Init Phrase
Encrypt a Secret Store it Somewhere
Fetch Key
Access Phrase
Authenticate Decrypt a Secret
Secure
World
Secure
World
Secure
World
Only
Object

23
Take a Look at the Source Code !!

Interesting Property of a Key
24
- isInsideSecureHardware
- isInvalidatedByBiometricEnrollment
- isUserAuthenticationRequired
- isUserAuthenticationRequirementEnforcedBySecureHardware
- isUserAuthenticationValidWhileOnBody
- userAuthenticationValidityDurationSeconds

Example Application #SDHMobile
25
Let’s play with this scenario !!

Store encrypted PIN or TOKEN for authentication.
Is it secure ?
26

Possible Attacks on
AndroidKeyStore

AndroidKeyStore Recap
28
- Generate in secure world
- Encrypt in secure world
- Decrypt in secure world
- XXX in secure world
Can you gimme a key? Can you decrypt it for me?
However, the key must be stored in somewhere right?

The better ways (let’s discuss)

Challenge Response Authentication (Symmetric)
30

Challenge Response Authentication (Asymmetric)
31

Q & A
Contact us:
pentest@sth.sh

Mysterious Crypto in Android Biometrics

More Related Content

More from Pichaya Morimoto (7)

Recently uploaded (20)

Mysterious Crypto in Android Biometrics