Run any Skill in Manus with one click

mobile-auth-bypass

Detects authentication and biometric bypass vulnerabilities in mobile apps (Android/iOS). Trigger on: BiometricPrompt, LocalAuthentication, LAContext, evaluatePolicy, CryptoObject, Android Keystore, Secure Enclave, kSecAccessControlBiometryCurrentSet, userAuthenticationValidityDurationSeconds, confirmCredentials, biometric fallback, PIN bypass, passive authentication, enrolled biometrics detection, Frida hook auth, jailbreak bypass, TouchID, FaceID, fingerprint. Covers MASVS-AUTH-1/2/3.

Run Skill in Manus

Stars4

Forks1

UpdatedMarch 14, 2026 at 13:17

Source

securityfortech

securityfortech/hacking-skills

View GitHub Repository View Creator Repositories

Install command

Download

Run Skill in Manus

Useful forSOC

Information Security AnalystsComputer and Mathematical Occupations15-1212L4

SKILL.md

readonly

More from this repository

same repository

distill-skill

securityfortech/hacking-skills

Use when the user wants to extract reusable offensive security knowledge from any source and generate a SKILL.md file. Trigger on: "distill this", "extract skill from", "turn this into a skill", "generate skill from", "convert this report/blog/book/walkthrough into a skill", or when the user pastes raw security content (bug report, pentest report, CTF writeup, blog post, ezine, book chapter) and wants it transformed into structured hunting methodology.

2026-03-144

bola-idor

securityfortech/hacking-skills

Use when hunting Broken Object Level Authorization (BOLA) or Insecure Direct Object Reference (IDOR) vulnerabilities in APIs or web applications. Trigger on: "BOLA", "IDOR", "broken object level", "access other users", "object reference", numeric or UUID IDs in URLs or request bodies, user-scoped resources, horizontal privilege escalation, "change the ID in the request", second-order IDOR, blind IDOR, indirect reference, encoded ID, deprecated API version, JSON globbing.

2026-03-144

cicd-bot-command-injection

securityfortech/hacking-skills

Use when hunting CI/CD bot comment command vulnerabilities where issue_comment or pull_request_review_comment triggers invoke privileged workflows without verifying the commenter's identity or authorization. Trigger on: "bot command injection", "issue_comment trigger", "@github-actions", "slash command CI", "CI bot command", "comment triggered workflow", "unauthenticated bot", "github-actions publish", "comment dispatch", no authorization check on workflow_dispatch from comment, chatops CI/CD, supply chain via PR comment.

2026-03-144

github-actions-cache-poisoning

securityfortech/hacking-skills

Use when hunting GitHub Actions cache poisoning vulnerabilities where an attacker can inject malicious content into the CI/CD cache and have it restored by a privileged downstream workflow. Trigger on: "cache poisoning", "actions/cache", "actions/setup-node", "node_modules cache", "GitHub Actions cache", "pnpm cache", "LRU eviction", "10GB limit", "Cacheract", "poisoned cache", "workflow cache attack", supply chain via CI cache, "ng-renovate", "cache stuffing", scheduled workflow cache restore, shared cache key, "hashFiles package.json", cross-workflow cache, PR workflow release workflow same key, "npm install prefer-offline", Cacheract, Gato-X, supply chain npm token.

2026-03-144

github-actions-script-injection

securityfortech/hacking-skills

Use when auditing GitHub Actions workflows for script injection vulnerabilities via unsanitized context expressions. Trigger on: "github actions injection", "workflow injection", "head_ref injection", "github context injection", "pwn request", "github.head_ref", "github.event.pull_request.title", "github.event.issue.body", pull_request_target workflows, run: steps interpolating GitHub context variables, CI/CD script injection, GitHub Actions security audit.

2026-03-144

pwn-request

securityfortech/hacking-skills

Use when hunting Pwn Request vulnerabilities where pull_request_target workflows checkout attacker-controlled PR code and execute it in a privileged context with access to repository secrets. Trigger on: "pwn request", "pull_request_target", "checkout PR head", "npm install in CI", "lifecycle scripts in CI", "preinstall script", "postinstall script", "package.json scripts CI", "npm ci ignore-scripts false", "actions/checkout ref pull request head sha", privileged workflow running PR code, "Gato-X", supply chain via PR lifecycle scripts.

2026-03-144

name	mobile-auth-bypass
description	Detects authentication and biometric bypass vulnerabilities in mobile apps (Android/iOS). Trigger on: BiometricPrompt, LocalAuthentication, LAContext, evaluatePolicy, CryptoObject, Android Keystore, Secure Enclave, kSecAccessControlBiometryCurrentSet, userAuthenticationValidityDurationSeconds, confirmCredentials, biometric fallback, PIN bypass, passive authentication, enrolled biometrics detection, Frida hook auth, jailbreak bypass, TouchID, FaceID, fingerprint. Covers MASVS-AUTH-1/2/3.
license	MIT
compatibility	Designed for Claude Code. Frida, objection, jadx, apktool, Burp Suite recommended.
metadata	{"category":"mobile","version":"0.1","source":"https://mas.owasp.org/MASTG/","source_types":"framework","masvs":"MASVS-AUTH-1, MASVS-AUTH-2, MASVS-AUTH-3"}

Mobile Authentication Bypass

What Is Broken and Why

Mobile authentication is broken when the authentication check is event-driven (callback-only) rather than cryptographically bound to a Keystore/Secure Enclave key. An app that calls BiometricPrompt / LAContext.evaluatePolicy() and then checks a boolean success return can be bypassed by hooking the callback with Frida and forcing true. Truly secure biometric auth requires a CryptoObject (Android) or SecAccessControl with biometry binding (iOS) — without this, the biometric check has no cryptographic consequence and can be bypassed at the application layer.

Key Signals

BiometricPrompt used without a CryptoObject parameter (event-only, not key-bound)
LAContext.evaluatePolicy(_:localizedReason:reply:) with no Keychain operation tied to auth
userAuthenticationValidityDurationSeconds > 0 with large values (minutes/hours)
No kSecAccessControlBiometryCurrentSet flag — new enrollments silently unlock Keychain items
setUserAuthenticationRequired(false) on a Keystore key intended for biometric-gated operations
Fallback path (device PIN) bypasses Keystore binding constraints
onAuthenticationSucceeded callback contains business logic without using cryptoObject.cipher

Methodology

Android:

Decompile APK — search for BiometricPrompt, FingerprintManager, KeyguardManager
Check BiometricPrompt.authenticate() call: does it pass a CryptoObject?
If no CryptoObject → callback-only auth → hookable with Frida
Check Keystore key spec: setUserAuthenticationRequired(true) and setInvalidatedByBiometricEnrollment(true)
Check userAuthenticationValidityDurationSeconds: 0 = require auth on every use (correct); >0 = time-window (weaker)
Test fallback: trigger failed biometric → does PIN bypass the Keystore key requirement?
Frida hook: override onAuthenticationSucceeded to fire without user touching sensor

iOS:

Search IPA source for LAContext, evaluatePolicy, kLAPolicyDeviceOwnerAuthenticationWithBiometrics
Check Keychain item: SecAccessControlCreateWithFlags with .biometryCurrentSet or .userPresence?
If auth is event-only (just checks LAContext result, no Keychain op) → bypass with Frida
Verify evaluatedPolicyDomainState is checked on launch to detect enrollment changes
Frida: hook LAContext.evaluatePolicy reply block, force error=nil to simulate success

Payloads & Tools

// Frida — Android: bypass BiometricPrompt (event-only auth)
Java.perform(function() {
  var BiometricPrompt = Java.use("androidx.biometric.BiometricPrompt$AuthenticationCallback");
  BiometricPrompt.onAuthenticationFailed.implementation = function() {
    this.onAuthenticationSucceeded(Java.use(
      "androidx.biometric.BiometricPrompt$AuthenticationResult").$new(null, 1));
  };
});

// Frida — iOS: bypass LAContext evaluatePolicy
var LAContext = ObjC.classes.LAContext;
var evaluatePolicy = LAContext["- evaluatePolicy:localizedReason:reply:"];
Interceptor.attach(evaluatePolicy.implementation, {
  onEnter: function(args) {
    var replyBlock = new ObjC.Block(args[4]);
    replyBlock.implementation = function(success, error) {
      replyBlock.implementation(1, null); // force success
    };
  }
});

# objection — Android: bypass biometric
android hooking watch class_method \
  androidx.biometric.BiometricPrompt\$AuthenticationCallback.onAuthenticationSucceeded

# objection — iOS: bypass LAContext
ios jailbreak disable  # in some versions triggers auth bypass

Bypass Techniques

Frida callback hook — force onAuthenticationSucceeded / LAContext reply to return success without biometric
New enrollment attack — add attacker's fingerprint to device if screen is accessible; app without kSecAccessControlBiometryCurrentSet doesn't detect enrollment change
Fallback escalation — trigger lockout of biometrics to force PIN fallback, then bypass PIN check in app logic
Time-window key abuse — if userAuthenticationValidityDurationSeconds is set to hours, re-use the authenticated key window after the user walked away
Root/jailbreak + memory patch — on rooted devices, patch the auth result check directly in memory

Exploitation Scenarios

Scenario 1 — Frida Biometric Bypass (Android) Setup: Banking app uses BiometricPrompt without CryptoObject; success triggers fund transfer unlock in callback. → Trigger: Frida hooks onAuthenticationSucceeded, fires it without biometric. → Impact: Full access to transfer functionality without the user's fingerprint.

Scenario 2 — New Enrollment Unlock (iOS) Setup: Vault app stores secret in Keychain with .userPresence access control (no .biometryCurrentSet). → Trigger: Attacker adds their fingerprint to victim's unlocked device settings. → Impact: Attacker's Touch ID unlocks the Keychain secret.

Scenario 3 — Validity Duration Abuse (Android) Setup: App sets userAuthenticationValidityDurationSeconds(300) (5 minutes). → Trigger: User authenticates once; attacker immediately uses the device. → Impact: Keystore key operations succeed for 5 minutes without additional auth.

False Positives

BiometricPrompt with CryptoObject — properly bound, not bypassable via callback hook
Keychain items with kSecAccessControlBiometryCurrentSet — enrollment change invalidates access
Auth bypass succeeds in debug/test build but not in production (release build strips debug flags)
evaluatePolicy result is only used for UX (greyed-out UI), not for actual secret release

Fix Patterns

// Android — key-bound biometric (correct)
val keyStore = KeyStore.getInstance("AndroidKeyStore")
val keyGen = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
keyGen.init(KeyGenParameterSpec.Builder("bioKey", KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
    .setUserAuthenticationRequired(true)
    .setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG) // 0 = per-use
    .setInvalidatedByBiometricEnrollment(true)
    .build())
// Pass CryptoObject to BiometricPrompt.authenticate()

// iOS — Keychain bound to biometry set (correct)
let access = SecAccessControlCreateWithFlags(nil,
    kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
    [.biometryCurrentSet], nil)!
// Any new enrollment invalidates this Keychain item

Related Skills

[[auth-bypass]] on the web covers the same conceptual space — client-supplied flags and callback-only checks — but in a mobile runtime context. [[mobile-weak-crypto]] enables auth bypass when biometric auth is event-only rather than key-bound: without a CryptoObject, there is no cryptographic consequence to the biometric check. [[mobile-resilience]] controls like root/jailbreak detection are a prerequisite defense — Frida-based auth bypass requires an attached debugger or instrumentation framework that resilience controls are designed to detect.