cap-go/capacitor-native-biometric Authentication Bypass
The cap-go/capacitor-native-biometric library was found to be subject to an authentication bypass, as the current implementation of `onAuthenticationSucceeded()` does not appear to handle a `CryptoObject`[^HackTricks1] [^SecuringBiometricAuthentication], as seen in the following code block starting from line 88 in `AuthActivity.java`:

```java
@Override
public void onAuthenticationSucceeded(
    @NonNull BiometricPrompt.AuthenticationResult result
) {
    super.onAuthenticationSucceeded(result);
    // Success is reported as soon as the callback fires; no CryptoObject is read from result.
    finishActivity("success");
}
```

As the current implementation only checks whether `onAuthenticationSucceeded()` was called and does not handle a `CryptoObject` the biometric …
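For contrast with the callback above, here is a sketch of a callback that derives success from a Keystore-backed decrypt instead of from the callback firing. It is an added example, not the plugin's code or its fix. The class name, key alias and the `iv`/`ciphertext` inputs are assumptions.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import androidx.biometric.BiometricPrompt;
import androidx.core.content.ContextCompat;
import androidx.fragment.app.FragmentActivity;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Hypothetical class (not from the plugin): the result is the decrypted secret, never a bare "success".
final class BoundBiometricUnlock extends BiometricPrompt.AuthenticationCallback {
    private static final String KEY_ALIAS = "example_biometric_key"; // assumed alias
    private final byte[] iv, ciphertext; // assumed: produced at enrolment by encrypting the secret with this key
    private byte[] secret;               // stays null unless the decrypt really succeeds
    BoundBiometricUnlock(byte[] iv, byte[] ciphertext) { this.iv = iv; this.ciphertext = ciphertext; }

    static void createKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setUserAuthenticationRequired(true) // the Keystore refuses to use the key without authentication
            .build());
        kg.generateKey();
    }

    // info must allow only BIOMETRIC_STRONG authenticators, which crypto-bound prompts require.
    void start(FragmentActivity activity, BiometricPrompt.PromptInfo info) throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, (SecretKey) ks.getKey(KEY_ALIAS, null), new GCMParameterSpec(128, iv));
        new BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), this)
            .authenticate(info, new BiometricPrompt.CryptoObject(cipher));
    }

    @Override
    public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {
        BiometricPrompt.CryptoObject crypto = result.getCryptoObject();
        Cipher cipher = crypto == null ? null : crypto.getCipher();
        try {
            secret = cipher == null ? null : cipher.doFinal(ciphertext);
        } catch (Exception e) { secret = null; } // locked key or bad GCM tag: not a success
    }

    byte[] secretOrNull() { return secret; }
}
```

Callers treat a null from `secretOrNull()` as a failed authentication, so a callback invoked without a genuinely unlocked key yields nothing usable.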