THIS IS ONLY FOR EDUCATION PURPOSES
This small project was inspired by Gotham Digital Science article published on June 19, 2014.
Project goal :
BYPASS ANY ROOTED SAMSUNG GALAXY S5 FINGERPRINT AUTHENTICATION WHEN ALTERNATE PASSWORD AUTHENTICATION IS AVAILABLE, WITHOUT KNOWING THE PASSWORD ( CERTAIN CONDITIONS MUST BE MET ).
The strategy :
Use system level hooking with Cydia Substrate.
- Identify the Fingerprint service APK & reverse engineer it.
- Identify the functions responsible for alternative password authentication.
- Implement the Override authentication function at run time.
Requirements :
- The device is rooted.
- The device has Cydia Substrate.
- You are able to run the application on the device.
1. Identify the Fingerprint service APK & reverse engineer it.
1.1 Download the APK to your computer.
1.2 Decompile the APK.
1.2.1 Extract all the files from the APK using “Archive Manager”.
1.2.2 Decompile the DEX file using Dex2jar.
1.2.3 Decompile the Jar file with JD.
2. Identify the functions responsible for alternative password authentication.
There are two ways to do this: either search class by class, hunting for functions whose names may indicate the action we are looking for, or understand the SDK API. By downloading the Samsung Galaxy S5 Pass SDK and reading the authentication example it is possible to identify the required interfaces; mapping them to the implementing classes, we land on the class com.samsung.android.fingerprint.service.FingerprintManagerService. This class has an interesting method: public boolean verifyPassword(IBinder paramIBinder, String paramString, boolean paramBoolean). In verifyPassword there is a call return this.mLockPatternUtils.checkFingerprintPassword(paramString); where mLockPatternUtils is an instance of com.android.internal.widget.LockPatternUtils, AND this is THE CLASS WE WILL LOAD AT RUN TIME TO REPLACE ITS FUNCTION.
So our target function is boolean checkFingerprintPassword(String), located in com.android.internal.widget.LockPatternUtils.
3. Implement the Override authentication function at run time.
Please take a look at the Cydia Substrate web site or the GDS article for information about how to use Cydia; I will explain here only the core implementation.
2- Check if Substrate is linked; if so, unlink it.
3- Link Substrate
4- Restart the device. When the device turns on again, Substrate will be active and updated with our new hook.
– where FPHookInformation.className provides the class we are targeting and FPClassLoader is an instance of ClassLoadHook, a class that provides the interception mechanism for loading the class we are targeting at run time.
IT IS HIGHLY RECOMMENDED TO AVOID ROOTING ANY DEVICE THAT MAY CONTAIN SENSITIVE DATA, AND TO ALWAYS FOLLOW RECOMMENDED SECURITY MEASURES TO AVOID ANY MALWARE OR DATA LOSS.
When we root a device we are breaking the security model built by the manufacturer to provide the integrity and security of the device. If we don’t implement the security measures needed to protect a rooted device, any malicious actor could use the rooted device to his advantage, allowing him to gain unauthorized physical access, steal data remotely or simply destroy the device completely. In this project it was demonstrated how to bypass the authentication mechanism built to secure physical access to a Samsung cell phone (Galaxy S5), but this same technique could be applied to other devices and with other purposes, such as STEALING THE USER'S FINGERPRINT.
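The two preconditions above (a rooted device and an installed Cydia Substrate) are also what a defender can look for. The following POSIX sh check is an added example and is not part of this project's code: it walks a device filesystem (a mounted image, or the live device via adb shell with the prefix /) and reports commonly cited root and Substrate indicators. The exact paths are an assumption, since ROMs and Substrate versions differ, so the absence of every indicator is not proof of a clean device; the sample trees it builds are constructed for the demonstration and contain no real device data.

```shell
#!/bin/sh
# Added example (not the project's own code): list root / Cydia Substrate
# indicators under a filesystem prefix. Paths are assumptions drawn from
# commonly cited indicators; they vary by ROM and Substrate version.

# Paths are checked relative to a prefix so the same check runs over a mounted
# image, a constructed sample tree, or the live device (prefix "/").
ROOT_INDICATORS="/system/bin/su /system/xbin/su /sbin/su
/system/app/Superuser.apk /system/app/SuperSU.apk /data/data/eu.chainfire.supersu"
SUBSTRATE_INDICATORS="/data/data/com.saurik.substrate /system/lib/libsubstrate.so"

# count_indicators PREFIX "PATH ..." : reports each path that exists under
# PREFIX on stderr and echoes the number found (0 means none exist).
count_indicators() {
    prefix=$1
    found=0
    for p in $2; do
        if [ -e "$prefix$p" ]; then
            echo "indicator present: $p" >&2
            found=$((found + 1))
        fi
    done
    echo "$found"
}

# device_verdict PREFIX : echoes CLEAN, ROOTED, or ROOTED+SUBSTRATE.
# Substrate needs root to install, so any Substrate hit implies a rooted device.
device_verdict() {
    prefix=$1
    root_hits=$(count_indicators "$prefix" "$ROOT_INDICATORS")
    sub_hits=$(count_indicators "$prefix" "$SUBSTRATE_INDICATORS")
    if [ "$sub_hits" -gt 0 ]; then
        echo "ROOTED+SUBSTRATE"
    elif [ "$root_hits" -gt 0 ]; then
        echo "ROOTED"
    else
        echo "CLEAN"
    fi
}

# make_sample_tree DIR KIND : builds a constructed sample tree (no real device
# data) so the check can be exercised offline. KIND is "clean" or "hooked".
make_sample_tree() {
    mkdir -p "$1/system/bin" "$1/system/lib" "$1/data/data"
    if [ "$2" = hooked ]; then
        : > "$1/system/bin/su"
        mkdir -p "$1/data/data/eu.chainfire.supersu" "$1/data/data/com.saurik.substrate"
    fi
}

# Stand-alone demonstration over two constructed trees.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir/clean" clean
make_sample_tree "$demo_dir/hooked" hooked
echo "clean tree:  $(device_verdict "$demo_dir/clean")"
echo "hooked tree: $(device_verdict "$demo_dir/hooked")"
rm -rf "$demo_dir"
```

On a real device the check is only a first signal: a hooking framework that already runs as root can hide its own files, so a verdict of CLEAN should be backed by attestation from the platform (SafetyNet/Knox-style integrity checks) rather than filesystem probing alone.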
1- Embed Substrate in the same application so it is installed when the application is run
2- Disable SuperSU ( IF INSTALLED )
3- Intercept fingerprint recognition itself
4- Substitute the activity with a hidden service
Download source code : GITHUB ChaddyHV