Modern smartphones commonly integrate biometric authentication to enhance user convenience, allowing quick and secure identity verification without requiring the lock-screen password. However, the lack of standardized implementations across manufacturers has resulted in numerous security risks, particularly in authentication validity checks and credential lifecycle management. This research investigated the biometric authentication implementations in over 30 Android phones from 9 independent manufacturers, focusing on the biometric authentication process within their Trusted Applications (TAs). It revealed that numerous manufacturers manage AuthTokens poorly in the biometric TA, enabling attackers to bypass authentication and steal the phone's lock-screen PIN. The feasibility of this attack was confirmed on 8 devices from 7 independent manufacturers, with the PIN successfully retrieved in each case. Compromising the PIN is more detrimental than a typical privilege escalation attack on Android because it grants attackers the ability to unlock the device, bypass credential-encrypted (CE) storage to access and decrypt user data, and potentially transfer funds from the phone's wallet. Balancing security and convenience remains an industry challenge, as each additional authentication method tends to add attack surface. This study highlights a critical, previously neglected attack surface, demonstrates its exploitability across a wide range of devices, and offers manufacturers suggestions to mitigate these risks.
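The "authentication validity checks" the abstract refers to are the checks a TA must perform on an AuthToken before acting on it. The following is an added example written for this page, not code from the paper or from any manufacturer's TA, showing a minter (the role of a fingerprint TA) and a consumer-side verifier. The field layout follows Android's public hw_auth_token_t (version, challenge, secure user id, authenticator id, authenticator type, timestamp, 32-byte HMAC-SHA256); the shared key, the byte-order choices, the 15-second freshness window and the single-use challenge set are assumptions made for the example. Each verifier check corresponds to a way a token can be misused: forging or editing fields (HMAC), reusing a token minted for another request (challenge), reusing it for another user (user id), accepting the wrong kind of authenticator, accepting an old token (timestamp), and replaying a valid one.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Layout modelled on Android's hw_auth_token_t (hardware/hw_auth_token.h):
#   uint8  version            (currently 0)
#   uint64 challenge          (host order per the header comments)
#   uint64 user_id            (secure user id, host order)
#   uint64 authenticator_id   (host order)
#   uint32 authenticator_type (network order)
#   uint64 timestamp          (ms since boot, network order)
#   uint8  hmac[32]           (HMAC-SHA256 over the 37 preceding bytes)
# Byte orders here are an assumption for this example; a real TA must match
# the serialisation its peer (Gatekeeper/Keymaster) actually uses.
HW_AUTH_PASSWORD = 1 << 0
HW_AUTH_FINGERPRINT = 1 << 1
SIGNED_LEN = 1 + 8 + 8 + 8 + 4 + 8   # 37 bytes covered by the HMAC
TOKEN_LEN = SIGNED_LEN + 32          # 69 bytes on the wire


@dataclass
class HwAuthToken:
    version: int
    challenge: int
    user_id: int
    authenticator_id: int
    authenticator_type: int
    timestamp_ms: int
    mac: bytes

    def signed_bytes(self) -> bytes:
        return (struct.pack("<BQQQ", self.version, self.challenge,
                            self.user_id, self.authenticator_id)
                + struct.pack("!IQ", self.authenticator_type, self.timestamp_ms))

    def pack(self) -> bytes:
        return self.signed_bytes() + self.mac

    @classmethod
    def unpack(cls, raw: bytes) -> "HwAuthToken":
        if len(raw) != TOKEN_LEN:
            raise ValueError("bad token length")
        version, challenge, user_id, auth_id = struct.unpack_from("<BQQQ", raw, 0)
        auth_type, ts = struct.unpack_from("!IQ", raw, 25)
        return cls(version, challenge, user_id, auth_id, auth_type, ts, raw[SIGNED_LEN:])


def mint_token(key: bytes, challenge: int, user_id: int, authenticator_id: int,
               authenticator_type: int, timestamp_ms: int) -> bytes:
    """What the authenticating TA (e.g. a fingerprint TA) emits after a match."""
    tok = HwAuthToken(0, challenge, user_id, authenticator_id,
                      authenticator_type, timestamp_ms, b"")
    tok.mac = hmac.new(key, tok.signed_bytes(), hashlib.sha256).digest()
    return tok.pack()


class TokenVerifier:
    """Consumer-side checks a TA must apply before honouring an AuthToken."""

    def __init__(self, key: bytes, max_age_ms: int = 15_000):
        self.key = key                 # assumed shared with the minting TA
        self.max_age_ms = max_age_ms   # assumed freshness window
        self.consumed = set()          # challenges already honoured (single use)

    def verify(self, raw: bytes, expected_challenge: int, expected_user: int,
               allowed_types: int, now_ms: int) -> str:
        """Return 'ok' or the name of the first failed check."""
        try:
            tok = HwAuthToken.unpack(raw)
        except (ValueError, struct.error):
            return "malformed"
        if tok.version != 0:
            return "bad_version"
        expected = hmac.new(self.key, tok.signed_bytes(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tok.mac):
            return "bad_hmac"            # forged, or a field such as user_id was edited
        if tok.challenge != expected_challenge:
            return "wrong_challenge"     # minted for a different request
        if tok.user_id != expected_user:
            return "wrong_user"          # valid token, but for another user
        if tok.authenticator_type & allowed_types == 0:
            return "wrong_authenticator"
        if tok.timestamp_ms > now_ms or now_ms - tok.timestamp_ms > self.max_age_ms:
            return "stale"               # outside the freshness window
        if tok.challenge in self.consumed:
            return "replayed"            # same challenge honoured before
        self.consumed.add(tok.challenge)
        return "ok"
```

The order matters: the HMAC is checked first so that every later comparison operates on fields the peer TA actually signed, and the challenge is recorded as consumed only after every other check passes, so a rejected token does not burn a live challenge. A verifier that skips the challenge or replay checks, or that keys the "consumed" state on something an attacker controls, is the kind of weak lifecycle management the abstract describes.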