I’ve found a bug / few bugs on the Android app. These may pose security flaws, allowing users to interact with the app even when it is meant to be locked with biometric authentication.
Platform: Android
OS Version:
Network type: WiFi (doesn’t matter for this bug)
Issue type: Bug
App version: 1.0 (Build (445))
xxdk version: 4.0.0
git version: 1144194c
Reproduce the bug:
- Enable biometric authentication in settings. After using the fingerprint scanner, a message box appears. The message box contains no message. Just an “Ok” button.
- Now, navigate away from the app. Navigate back to the app again. Now the screen will consist of the solid blue background, a box in the middle of the screen prompting for a fingerprint to unlock, and that same message box is still there on the screen, visible, even though the app is supposed to be locked. This might mean that message boxes are visible on top of the blue solid color and might be visible even when the app is supposed to be locked.
- Now, press “cancel” on the fingerprint prompt. The message box is still there, and even has focus! In fact, I can press the “Ok” button. This might mean that users can interact with meaningful message boxes that prompt the user with buttons to change settings etc, even while the app is locked.
- Now, press “Ok” on the message box. The app is unlocked! I never gave my fingerprint to unlock it!