Fingerprint-Jacking: Practical Fingerprint Authorization Hijacking in Android Apps, presented at Black Hat Europe 2020

by Wing Cheong Lau, Ronghai Yang, Xianbo Wang, Shangcheng Shi, Yikang Chen

Summary: Many mobile devices carry a fingerprint scanner nowadays. Mobile apps utilize the fingerprint scanner to facilitate operations such as account login and payment authorization. Despite its security-critical nature, relatively little effort has been devoted to the security analysis of fingerprint scanners, especially from the system security aspect.

In this talk, we introduce fingerprint-jacking, a type of User-Interface-based (UI) attack that targets fingerprint hijacking in Android apps. We coin the term from clickjacking, as our attack also conceals the original interface beneath a fake covering. Specifically, we discover five novel attack techniques, all of which can be launched from zero-permission malicious apps, and some of which can even bypass the latest countermeasures in Android 9+. Our race-attack is effective against all apps that integrate the fingerprint API.

As apps' implementation flaws intensify the fingerprint-jacking vulnerability, we have designed a static analyzer to efficiently identify apps with implementation flaws that can lead to fingerprint-jacking. In our evaluation of 1630 Android apps that utilize the fingerprint API, we found 347 (21.3%) apps with different implementation issues. We have successfully performed proof-of-concept attacks on some popular apps, including stealing money via a payment app with over 100,000,000 users, gaining root access in the most widely used root manager app, and more. Finally, we discuss potential mitigations for both the apps and the Android framework.