Biometric Authentication: Pretty Face, Weak Shield?
3 min read
May 31, 2025
Table of contents
Hey everyone!
Biometrics are everywhere: unlocking your phone, approving a payment, signing a transaction. It feels secure, like something only you can do. But when it comes to app security, that’s often just an illusion.
In this issue, we’re diving into biometric authentication, how it really works on iOS and Android, where developers usually fail, and how attackers (you!) can bypass it with Objection, Frida, or full-on reversing when needed.
Let’s pop the fingerprint scanner and peek inside 👇
🔍 What Is Biometric Authentication (Really)?
Biometric auth isn’t magic – it’s just a local decision mechanism.
When you authenticate using Face ID or a fingerprint:
- The OS compares your biometric input to a stored template.
- If it matches, the OS tells the app: “Yes, it’s the user.”
- The app then decides what that means – unlock the UI? Sign something? Grant access?
On iOS
iOS apps use the LocalAuthentication framework with calls like:
LAContext().evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics)
This shows the system Face ID / Touch ID prompt. If the check passes, the callback returns true.
That’s it.
Unless the developer explicitly binds this result to a cryptographic operation – for example, signing with a key stored in the Secure Enclave – there’s no guarantee the biometric result is real.
Also, many apps use key types (like secp256k1) that are not supported by Secure Enclave, forcing them to store the key in userland. Dangerous move.
On Android
Android offers the BiometricPrompt API. Combined with Android Keystore, it can protect keys so they’re only usable after biometric auth.
Typical flow:
- BiometricPrompt asks for authentication.
- If successful, a key is unlocked in the Keystore.
- That key signs or decrypts something sensitive.
But if the app just reacts to onAuthenticationSucceeded without using real keys or enforcing cryptographic binding, it’s just as bypassable.
🕳️ Where It Fails: Common Developer Mistakes
Here’s where things tend to break:
❌ No Real Binding
Apps use biometrics as a fancy UI, but control access with:
- A memory flag (
isAuthenticated = true) - A value in Shared Preferences
- Or just
if userPassedBiometric { unlock() }
No cryptography. No attestation. Just vibes.
🔑 Weak Key Storage
Some apps generate a private key and use it to sign or decrypt data after biometric approval... but store the key:
- In the standard keychain
- Without Secure Enclave or biometric gating
- Or worse, as a file in app storage (😬)
On jailbroken or rooted devices, this key can be extracted. Once you have it, you can:
- Forge valid signatures
- Emulate the biometric flow
- Perform sensitive actions from a script
🧪 Techniques to Bypass Biometrics
Let’s get practical. Here are three techniques you can use depending on the platform and implementation.
🍏 iOS – Objection Biometric Bypass
On jailbroken devices, use Objection:
objection --gadget <app> explore
ios ui biometric_bypass
This hooks evaluatePolicy and forces a successful return.
If the app trusts that boolean without cryptographic binding – you’re in.
🤖 Android – Frida Fingerprint Bypass
Two great scripts from ReversecLabs:
fingerprint-bypass.js– directly hooks biometric logic to always return success.fingerprint-bypass-via-exception-handling.js– forces exceptions to bypass checks.
These are effective when the app uses BiometricPrompt without proper Keystore protection.
🧠 And If None of That Works?
Time for reversing:
- Decompile the APK or dump the IPA.
- Trace where
evaluatePolicyorBiometricPromptis used. - Find the logic path that decides whether access is granted.
- Identify flags, tokens, or keys involved and override or extract.
If it’s not cryptographically enforced, it’s probably bypassable.
🧪 Labs to Practice Biometric Bypass
The best way to understand how biometric authentication really works, and how to break it, is to build your own test environment.
I covered this exact topic in one of the chapters of my mobile security series unfortunately, only for Android for now. It includes how to set up a minimal app and the tools you need to simulate and exploit common biometric implementation mistakes.
🧭 Final Thoughts
Biometric auth feels secure, but without crypto-bound enforcement, it’s just UI sugar.
If you're a dev: use Secure Enclave or Android Keystore, and sign something real.
If you're a pentester: hook, patch, or reverse your way in.
Until next time,
Stay curious, stay subverting,
Ruben 🚀
Chapters
Previous Issue
Next Issue
