High level Vulnerability

[VenkataMannem]

Hello Flutter Community,

We are experiencing High level Vulnerability under the package that we are using local_auth. This local_auth package internally using the local_auth_android package that is causing the problem.

Security Scanning Orchestrator: Ostorlab
OS: Android
Problem:
Android provides mechanisms to enforce biometric authentication to protect sensitive information. Biometric authentication has evolved over time to provide improved user experience, developer experience and improved security.
Previous implementation using FingerprintManager is deprecated and must not be used. Proper implementation must useBiometricManager with BiometricPrompt and CryptoObject.
CryptoObject provides cryptographic primitives for encryption, decryption and signature validation.
In the example below, calling the authenticate method without cryptoObject is vulnerable to authentication bypass:

Proofs:

Attached the screenshots.

Would you please let me know whether we have an any open Vulnerability or do we need to create new. If yes, Would you please provide us the link where we can report about this.

Thanks,
Venkata.

[stuartmorgan-g]

Closing as a duplicate of #105158

CryptoObject provides cryptographic primitives for encryption, decryption and signature validation.

None of those things are in scope for local_auth; if you want to protect a secret, or do signing, via authentication, you would need to use a library designed for that purpose.

[3asm]

Hi @stuartmorgan ,

Both the Biometric API on Android (BiometricPrompt.CryptoObject)[1] and iOS (kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly)[2] exposes APIs to secure data relying on cryptographic primitives that are either generated or unlocked using the Biometric authentication.

local_auth does not expose those. The fact that these APIs are part of the native SDK should naturally be reflected in its Flutter counterpart.

local_auth without it is insecure for use and Biometric authentication with it is always bypassable [3]. The risks addressed with Biometric Authentication are not mitigated as nothing links them to the Biometric data of the user.

I hope the Flutter team would reconsider adding these to the package and exposing the SDK cryptographic/access primitive to Dart for secure usage.

[1] https://developer.android.com/reference/android/hardware/biometrics/BiometricPrompt.CryptoObject
[2] https://developer.apple.com/documentation/localauthentication/accessing_keychain_items_with_face_id_or_touch_id
[3] https://book.hacktricks.xyz/mobile-pentesting/android-app-pentesting/bypass-biometric-authentication-android

[stuartmorgan-g]

Both the Biometric API on Android (BiometricPrompt.CryptoObject)[1] and iOS (kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly)[2] exposes APIs to secure data relying on cryptographic primitives that are either generated or unlocked using the Biometric authentication.

Yes, I'm aware that protecting access to a secret is one possible use of the same underlying systems that local_auth uses.

local_auth does not expose those.

This is because, as noted above, that's not within the scope of what local_auth is intended to do. Another plugin could certainly build, for example, a secure storage system based in part on those APIs.

The fact that these APIs are part of the native SDK should naturally be reflected in its Flutter counterpart.

local_auth is not intended to be a counterpart to the entire native SDK.

local_auth without it is insecure for use and Biometric authentication with it is always bypassable [3].

Based on the link, I assume when you say "always" you mean "when the device is rooted and an attacker has the ability to replace arbitrary code in the application". If you are attempting to design an application that is secure against a local attacker who can make arbitrary changes to that application, then you need something more complex than the use case local_auth is intended for (presumably either a secure local data storage system, or a passkey-like exchange with a server). Please feel free to file a new issue requesting a new plugin, describing the specific functionality and use case you are trying to address.

[VenkataMannem]

@stuartmorgan can we go ahead and raise the new plugin for above use case.

[github-actions]

This thread has been automatically locked since there has not been any recent activity after it was closed. If you are still experiencing a similar issue, please open a new bug, including the output of flutter doctor -v and a minimal reproduction of the issue.