Fingerprint-Jacking: Practical Fingerprint Authorization Hijacking in Android Apps

Presented at Black Hat Europe 2020 Virtual, Dec. 10, 2020, 10:20 a.m. (40 minutes)

Many mobile devices carry a fingerprint scanner nowadays. Mobile apps use the fingerprint scanner to facilitate operations such as account login and payment authorization. Despite its security-critical nature, relatively little effort has been devoted to the security analysis of fingerprint scanners, especially from the system-security perspective.

In this talk, we introduce fingerprint-jacking, a type of user-interface-based (UI) attack that hijacks fingerprint authorization in Android apps. We coin the term from clickjacking, as our attack also conceals the original interface beneath a fake covering. Specifically, we discover five novel attack techniques, all of which can be launched from zero-permission malicious apps, and some of which can even bypass the latest countermeasures in Android 9+. Our race attack is effective against all apps that integrate the fingerprint API.

Because apps' implementation flaws intensify the fingerprint-jacking vulnerability, we have designed a static analyzer to efficiently identify apps whose implementation flaws can lead to fingerprint-jacking. In our evaluation of 1630 Android apps that use the fingerprint API, we found 347 (21.3%) apps with different implementation issues. We have successfully performed proof-of-concept attacks on some popular apps, including stealing money via a payment app with over 100,000,000 users, gaining root access in the most widely used root manager app, and more. Finally, we discuss potential mitigations for both the apps and the Android framework.

Presenters:

  • Ronghai Yang - Security Expert, Sangfor Technologies, Inc.
    Ronghai Yang is currently a security expert at Sangfor Technology, Inc. He received a PhD degree from the Chinese University of Hong Kong under the supervision of Prof. Wing Lau. His research interests include protocol verification, formal methods, and general cyber security. His previous work has been presented at USENIX Security 2018 and Black Hat Europe, among other venues.
  • Shangcheng Shi - PhD Candidate, The Chinese University of Hong Kong
    Shangcheng Shi is currently a PhD student in the Department of Information Engineering at The Chinese University of Hong Kong. His supervisor is Wing Cheong Lau. His main research interests are mobile security and system security.
  • Yikang Chen - MSc Student, The Chinese University of Hong Kong
    Yikang Chen is currently a master's student in Computer Science at The Chinese University of Hong Kong. His research interests include mobile security, web security, and machine learning security.
  • Wing Cheong Lau - Associate Professor, The Chinese University of Hong Kong
    Wing Cheong Lau is currently an Associate Professor in the Department of Information Engineering and the Director of the Mobile Technologies Centre (MobiTeC) at the Chinese University of Hong Kong (CUHK). Wing received the B.S.(Eng) degree from The University of Hong Kong and the M.S. and Ph.D. degrees in Electrical and Computer Engineering from the University of Texas at Austin. Before returning to academia, Wing worked in the US industry for a decade: he was a Member of Technical Staff with the Performance Analysis Department, Bell Laboratories, Holmdel, New Jersey, where he conducted research in high-speed network protocol design and performance analysis. Wing also had a stint with Qualcomm, San Diego, California, where he designed the architecture and protocols for the Next Generation Wireless Packet Data Networks and actively contributed to the standardization of such protocols in the Internet Engineering Task Force (IETF) and 3GPP. While on leave from Bell Labs, Wing taught at the University of Hong Kong and served as the Associate Director for the MSc Programme in E-Commerce and Internet Computing. Wing's innovations have led to the granting of 19 U.S. patents. Related research findings have culminated in more than 100 publications in major international conferences and journals. His recent research interests include: security and privacy of online social networks and mobile payment systems, resource allocation and optimization for big data processing and cloud computing systems, and authenticated 2D barcodes and their applications. Dr. Lau is a Senior Member of IEEE and a member of ACM and Tau Beta Pi. He is or has been a TPC member of ACM MobiHoc, Sigmetrics, IEEE Infocom, SECON, WiOpt, ICC, Globecom, WCNC, VTC, ITC, VNC and COMSNETS. He also served as a Guest Editor for the special issue on High-speed Network Security of the IEEE Journal on Selected Areas in Communications (JSAC).
    For their work in Single-Sign-On SDK security, Wing and his team received the 2018 Internet Defense Prize (second runner-up) from USENIX and Facebook.
  • Xianbo Wang - PhD Student, The Chinese University of Hong Kong
    Xianbo Wang is currently a PhD student in the Department of Information Engineering at The Chinese University of Hong Kong. His supervisor is Wing Cheong Lau. His current research interests include web application security and Android security. He enjoys participating in CTFs and bug bounty programs.