Merge pull request github#15481 from joefarebrother/android-local-auth

Java: Add query for insecure local authentication

Author: joefarebrother

java/ql/lib/semmle/code/java/security/AndroidLocalAuthQuery.qll

@@ -0,0 +1,42 @@
+/** Definitions for the insecure local authentication query. */
+
+import java
+
+/** A base class that is used as a callback for biometric authentication. */
+private class AuthenticationCallbackClass extends Class {
+  AuthenticationCallbackClass() {
+    this.hasQualifiedName("android.hardware.fingerprint",
+      "FingerprintManager$AuthenticationCallback")
+    or
+    this.hasQualifiedName("android.hardware.biometrics", "BiometricPrompt$AuthenticationCallback")
+    or
+    this.hasQualifiedName("androidx.biometric", "BiometricPrompt$AuthenticationCallback")
+  }
+}
+
+/** An implementation of the `onAuthenticationSucceeded` method for an authentication callback. */
+class AuthenticationSuccessCallback extends Method {
+  AuthenticationSuccessCallback() {
+    this.getDeclaringType().getASupertype+() instanceof AuthenticationCallbackClass and
+    this.hasName("onAuthenticationSucceeded")
+  }
+
+  /** Gets the parameter containing the `authenticationResult`. */
+  Parameter getResultParameter() { result = this.getParameter(0) }
+
+  /** Gets a use of the result parameter that's used in a `super` call to the base `AuthenticationCallback` class. */
+  private VarAccess getASuperResultUse() {
+    exists(SuperMethodCall sup |
+      sup.getEnclosingCallable() = this and
+      result = sup.getArgument(0) and
+      result = this.getResultParameter().getAnAccess() and
+      this.getDeclaringType().getASupertype() instanceof AuthenticationCallbackClass
+    )
+  }
+
+  /** Gets a use of the result parameter, other than one used in a `super` call. */
+  VarAccess getAResultUse() {
+    result = this.getResultParameter().getAnAccess() and
+    not result = this.getASuperResultUse()
+  }
+}

java/ql/src/Security/CWE/CWE-287/AndroidInsecureLocalAuthentication.qhelp

@@ -0,0 +1,42 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Biometric local authentication such as fingerprint recognition can be used to protect sensitive data or actions within an application. 
+However, if this authentication does not use a <code>KeyStore</code>-backed key, it can be bypassed by a privileged malicious application, or by an attacker with physical access using application hooking tools such as Frida.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Generate a secure key in the Android <code>KeyStore</code>. Ensure that the <code>onAuthenticationSuccess</code> callback for a biometric prompt uses it 
+in a way that is required for the sensitive parts of the application to function, such as by using it to decrypt sensitive data or credentials. 
+</p>
+</recommendation>
+
+<example>
+<p>In the following (bad) case, no <code>CryptoObject</code> is required for the biometric prompt to grant access, so it can be bypassed.</p>
+<sample src="AndroidInsecureLocalAuthenticationBad.java" />
+<p>In the following (good) case, a secret key is generated in the Android <code>KeyStore</code>. The application requires this secret key for access, using it to decrypt data.</p>
+<sample src="AndroidInsecureLocalAuthenticationGood.java" />
+</example>
+
+<references>
+<li>
+OWASP Mobile Application Security: <a href="https://mas.owasp.org/MASTG/Android/0x05f-Testing-Local-Authentication/">Android Local Authentication</a>
+</li>
+<li>
+OWASP Mobile Application Security: <a href="https://mas.owasp.org/MASTG/tests/android/MASVS-AUTH/MASTG-TEST-0018/">Testing Biometric Authentication</a>
+</li>
+<li>
+WithSecure: <a href="https://labs.withsecure.com/publications/how-secure-is-your-android-keystore-authentication">How Secure is your Android Keystore Authentication?</a>
+</li>
+<li>
+Android Developers: <a href="https://developer.android.com/training/sign-in/biometric-auth">Biometric Authentication</a>
+</li>
+
+</references>
+</qhelp>

java/ql/src/Security/CWE/CWE-287/AndroidInsecureLocalAuthentication.ql

@@ -0,0 +1,18 @@
+/**
+ * @name Insecure local authentication
+ * @description Local authentication that does not make use of a `CryptoObject` can be bypassed.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 4.4
+ * @precision high
+ * @id java/android/insecure-local-authentication
+ * @tags security
+ *       external/cwe/cwe-287
+ */
+
+import java
+import semmle.code.java.security.AndroidLocalAuthQuery
+
+from AuthenticationSuccessCallback c
+where not exists(c.getAResultUse())
+select c, "This authentication callback does not use its result for a cryptographic operation."

java/ql/src/Security/CWE/CWE-287/AndroidInsecureLocalAuthenticationBad.java

@@ -0,0 +1,11 @@
+biometricPrompt.authenticate(
+    cancellationSignal,
+    executor,
+    new BiometricPrompt.AuthenticationCallback {
+        @Override
+        // BAD: This authentication callback does not make use of a `CryptoObject` from the `result`.
+        public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {
+            grantAccess()
+        }
+    }
+)

java/ql/src/Security/CWE/CWE-287/AndroidInsecureLocalAuthenticationGood.java

@@ -0,0 +1,48 @@
+private void generateSecretKey() {
+    KeyGenParameterSpec keyGenParameterSpec = new KeyGenParameterSpec.Builder(
+        "MySecretKey",
+        KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
+        .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
+        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
+        .setUserAuthenticationRequired(true)
+        .setInvalidatedByBiometricEnrollment(true)
+        .build();
+    KeyGenerator keyGenerator = KeyGenerator.getInstance(
+            KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
+    keyGenerator.init(keyGenParameterSpec);
+    keyGenerator.generateKey();
+}
+
+
+private SecretKey getSecretKey() {
+    KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
+    keyStore.load(null);
+    return ((SecretKey)keyStore.getKey("MySecretKey", null));
+}
+
+private Cipher getCipher() {
+    return Cipher.getInstance(KeyProperties.KEY_ALGORITHM_AES + "/"
+            + KeyProperties.BLOCK_MODE_CBC + "/"
+            + KeyProperties.ENCRYPTION_PADDING_PKCS7);
+}
+
+public prompt(byte[] encryptedData) {
+    Cipher cipher = getCipher();
+    SecretKey secretKey = getSecretKey();
+    cipher.init(Cipher.DECRYPT_MODE, secretKey);
+
+    biometricPrompt.authenticate(
+        new BiometricPrompt.CryptoObject(cipher),
+        cancellationSignal,
+        executor,
+        new BiometricPrompt.AuthenticationCallback() {
+            @Override
+            // GOOD: This authentication callback uses the result to decrypt some data.
+            public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {
+                Cipher cipher = result.getCryptoObject().getCipher();
+                byte[] decryptedData = cipher.doFinal(encryptedData);
+                grantAccessWithData(decryptedData);
+            }
+        }
+    );
+}

java/ql/src/change-notes/2024-02-02-android-insecure-local-auth.md

@@ -0,0 +1,5 @@
+
+---
+category: newQuery
+---
+* Added a new query `java/android/insecure-local-authentication` for finding uses of biometric authentication APIs that do not make use of a `KeyStore`-backed key and thus may be bypassed.

java/ql/test/query-tests/security/CWE-287/InsecureLocalAuth.expected

@@ -0,0 +1,2 @@
+testFailures
+failures

java/ql/test/query-tests/security/CWE-287/InsecureLocalAuth.ql

@@ -0,0 +1,19 @@
+import java
+import TestUtilities.InlineExpectationsTest
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.security.AndroidLocalAuthQuery
+
+module InsecureAuthTest implements TestSig {
+  string getARelevantTag() { result = "insecure-auth" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "insecure-auth" and
+    exists(AuthenticationSuccessCallback cb | not exists(cb.getAResultUse()) |
+      cb.getLocation() = location and
+      element = cb.toString() and
+      value = ""
+    )
+  }
+}
+
+import MakeTest<InsecureAuthTest>

java/ql/test/query-tests/security/CWE-287/Test.java

@@ -0,0 +1,94 @@
+import android.hardware.biometrics.BiometricPrompt;
+import android.hardware.fingerprint.FingerprintManager;
+
+class TestA {
+    public static void useKey(BiometricPrompt.CryptoObject key) {}
+
+
+    // GOOD: result is used
+    class Test1 extends BiometricPrompt.AuthenticationCallback {
+        @Override
+        public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {
+            TestA.useKey(result.getCryptoObject());
+        }
+    }
+
+    // BAD: result is not used
+    class Test2 extends BiometricPrompt.AuthenticationCallback {
+        @Override
+        public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) { // $insecure-auth
+            
+        }
+    }
+
+    // BAD: result is only used in a super call
+    class Test3 extends BiometricPrompt.AuthenticationCallback {
+        @Override
+        public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) { // $insecure-auth
+            super.onAuthenticationSucceeded(result);
+        }
+    }
+
+    // GOOD: result is used
+    class Test4 extends BiometricPrompt.AuthenticationCallback {
+        @Override
+        public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {
+            super.onAuthenticationSucceeded(result);
+            TestA.useKey(result.getCryptoObject());
+        }
+    }
+
+    // GOOD: result is used in a super call to a class other than the base class
+    class Test5 extends Test1 {
+        @Override
+        public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {
+            super.onAuthenticationSucceeded(result);
+        }
+    }
+}
+
+class TestB {
+    public static void useKey(FingerprintManager.CryptoObject key) {}
+
+
+    // GOOD: result is used
+    class Test1 extends FingerprintManager.AuthenticationCallback {
+        @Override
+        public void onAuthenticationSucceeded(FingerprintManager.AuthenticationResult result) {
+            TestB.useKey(result.getCryptoObject());
+        }
+    }
+
+    // BAD: result is not used
+    class Test2 extends FingerprintManager.AuthenticationCallback {
+        @Override
+        public void onAuthenticationSucceeded(FingerprintManager.AuthenticationResult result) { // $insecure-auth
+            
+        }
+    }
+
+    // BAD: result is only used in a super call
+    class Test3 extends FingerprintManager.AuthenticationCallback {
+        @Override
+        public void onAuthenticationSucceeded(FingerprintManager.AuthenticationResult result) { // $insecure-auth
+            super.onAuthenticationSucceeded(result);
+        }
+    }
+
+    // GOOD: result is used
+    class Test4 extends FingerprintManager.AuthenticationCallback {
+        @Override
+        public void onAuthenticationSucceeded(FingerprintManager.AuthenticationResult result) {
+            super.onAuthenticationSucceeded(result);
+            TestB.useKey(result.getCryptoObject());
+        }
+    }
+
+    // GOOD: result is used in a super call to a class other than the base class
+    class Test5 extends Test1 {
+        @Override
+        public void onAuthenticationSucceeded(FingerprintManager.AuthenticationResult result) {
+            super.onAuthenticationSucceeded(result);
+        }
+    }
+}

java/ql/test/query-tests/security/CWE-287/Test2.java

@@ -0,0 +1,47 @@
+import androidx.biometric.BiometricPrompt;
+
+class TestC {
+    public static void useKey(BiometricPrompt.CryptoObject key) {}
+
+
+    // GOOD: result is used
+    class Test1 extends BiometricPrompt.AuthenticationCallback {
+        @Override
+        public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {
+            TestC.useKey(result.getCryptoObject());
+        }
+    }
+
+    // BAD: result is not used
+    class Test2 extends BiometricPrompt.AuthenticationCallback {
+        @Override
+        public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) { // $insecure-auth
+            
+        }
+    }
+
+    // BAD: result is only used in a super call
+    class Test3 extends BiometricPrompt.AuthenticationCallback {
+        @Override
+        public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) { // $insecure-auth
+            super.onAuthenticationSucceeded(result);
+        }
+    }
+
+    // GOOD: result is used
+    class Test4 extends BiometricPrompt.AuthenticationCallback {
+        @Override
+        public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {
+            super.onAuthenticationSucceeded(result);
+            TestC.useKey(result.getCryptoObject());
+        }
+    }
+
+    // GOOD: result is used in a super call to a class other than the base class
+    class Test5 extends Test1 {
+        @Override
+        public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {
+            super.onAuthenticationSucceeded(result);
+        }
+    }
+}