Task #13207
Task #13202: Huawei Pentest Remediation
HUAWEI - L3 - Local Biometric Authentication Bypass
| Status: | Closed - End of life cycle | Start date: | September 07, 2022 |
|---|---|---|---|
| Priority: | Normal | Due date: | September 16, 2022 |
| Assignee: | MUHAMMAD IHSAN | % Done: | 100% |
| Category: | PCI DSS - Pentest | Spent time: | - |
| Target version: | - | | |
Description
Description:
At the time of assessment, the LGMS security team successfully bypassed the application's local biometric authentication and gained access to sensitive data as an unauthenticated user.
Local biometric authentication is easy to bypass when the authentication process returns no data to the application, so the app acts only on a local success/failure result. Additionally, because authentication is not enforced at the remote endpoint, an attacker who bypasses the local check can query data from the remote endpoint directly.
LGMS Solution:
Local biometric authentication should always be enforced at a remote endpoint or be based on a cryptographic primitive. On Android, stronger local biometric authentication is achieved by using the fingerprint API together with a key created through the Android KeyGenerator class, so that a successful biometric check unlocks key material rather than merely returning a boolean. On iOS, the Keychain should be used to implement local biometric authentication.
Penril Plan:
To integrate the new fingerprint service (same as Android)
History
#1 Updated by MUHAMMAD IHSAN about 2 years ago
- Status changed from New - Begin Life Cycle to Finished Development
- % Done changed from 0 to 100
Integrate login Fingerprint service
#2 Updated by MUHAMMAD IHSAN almost 2 years ago
- File Fingerprint Handler.png added
#3 Updated by Binti Marobi Athirah Umairah over 1 year ago
- Status changed from Finished Development to Closed - End of life cycle
Deployed to SIT on 15/4/22
Deployed to UAT on 18/4/22
Confirmed by azyan on 23/3/23, now pending LGMS feedback and new testing cycle result.