Merge pull request #15548 from joefarebrother/android-local-auth-keys

Java: Add query for insecurely generated keys for local authentication.

Author: joefarebrother

java/ql/lib/semmle/code/java/security/AndroidLocalAuthQuery.qll

@@ -1,6 +1,7 @@
 /** Definitions for the insecure local authentication query. */
 
 import java
+private import semmle.code.java.dataflow.DataFlow
 
 /** A base class that is used as a callback for biometric authentication. */
 private class AuthenticationCallbackClass extends Class {
@@ -40,3 +41,24 @@ class AuthenticationSuccessCallback extends Method {
     not result = this.getASuperResultUse()
   }
 }
+
+/** A call that sets a parameter for key generation that is insecure for use with biometric authentication. */
+class InsecureBiometricKeyParamCall extends MethodCall {
+  InsecureBiometricKeyParamCall() {
+    exists(string name, CompileTimeConstantExpr val |
+      this.getMethod()
+          .hasQualifiedName("android.security.keystore", "KeyGenParameterSpec$Builder", name) and
+      DataFlow::localExprFlow(val, this.getArgument(0)) and
+      (
+        name = ["setUserAuthenticationRequired", "setInvalidatedByBiometricEnrollment"] and
+        val.getBooleanValue() = false
+        or
+        name = "setUserAuthenticationValidityDurationSeconds" and
+        val.getIntValue() != -1
+      )
+    )
+  }
+}
+
+/** Holds if the application contains an instance of a key being used for local biometric authentication. */
+predicate usesLocalAuth() { exists(AuthenticationSuccessCallback cb | exists(cb.getAResultUse())) }

java/ql/src/Security/CWE/CWE-287/AndroidInsecureKeys.qhelp

@@ -0,0 +1,43 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Biometric authentication, such as fingerprint recognition, can be used alongside cryptographic keys stored in the Android <code>KeyStore</code> to protect sensitive parts of the application. However, 
+when a key generated for this purpose has certain parameters set insecurely, an attacker with physical access can bypass the 
+authentication check using application hooking tools such as Frida.
+</p>
+</overview>
+
+<recommendation>
+<p>
+When generating a key for use with biometric authentication, ensure that the following parameters of <code>KeyGenParameterSpec.Builder</code> are set:
+</p>
+<ul>
+<li><code>setUserAuthenticationRequired</code> should be set to <code>true</code>; otherwise, the key can be used without user authentication.</li>
+<li><code>setInvalidatedByBiometricEnrollment</code> should be set to <code>true</code> (the default); otherwise, an attacker can use the key by enrolling additional biometrics on the device.</li>
+<li><code>setUserAuthenticationValidityDurationSeconds</code>, if used, should be set to <code>-1</code>; otherwise, non-biometric (less secure) credentials can be used to access the key. We recommend using <code>setUserAuthenticationParameters</code> instead to explicitly set both the timeout and the types of credentials that may be used.</li>
+</ul>
+
+</recommendation>
+
+<example>
+<p>The following example demonstrates a key that is configured with secure paramaters:</p>
+<sample src="AndroidInsecureKeysGood.java"/>
+
+<p>In each of the following cases, a parameter is set insecurely:</p>
+<sample src="AndroidInsecureKeysBad.java"/>
+</example>
+
+<references>
+<li>
+WithSecure: <a href="https://labs.withsecure.com/publications/how-secure-is-your-android-keystore-authentication">How Secure is your Android Keystore Authentication?</a>.
+</li>
+<li>
+Android Developers: <a href="https://developer.android.com/reference/android/security/keystore/KeyGenParameterSpec.Builder">KeyGenParameterSpec.Builder</a>.
+</li>
+
+</references>
+</qhelp>

java/ql/src/Security/CWE/CWE-287/AndroidInsecureKeys.ql

@@ -0,0 +1,18 @@
+/**
+ * @name Insecurely generated keys for local authentication
+ * @description Generation of keys with insecure parameters for local biometric authentication can allow attackers with physical access to bypass authentication checks.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 4.4
+ * @precision medium
+ * @id java/android/insecure-local-key-gen
+ * @tags security
+ *       external/cwe/cwe-287
+ */
+
+import java
+import semmle.code.java.security.AndroidLocalAuthQuery
+
+from InsecureBiometricKeyParamCall call
+where usesLocalAuth()
+select call, "This key is not secure for biometric authentication."

java/ql/src/Security/CWE/CWE-287/AndroidInsecureKeysBad.java

@@ -0,0 +1,47 @@
+private void generateSecretKey() {
+    KeyGenParameterSpec keyGenParameterSpec = new KeyGenParameterSpec.Builder(
+        "MySecretKey",
+        KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
+        .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
+        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
+        // BAD: User authentication is not required to use this key.
+        .setUserAuthenticationRequired(false)
+        .build();
+    KeyGenerator keyGenerator = KeyGenerator.getInstance(
+            KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
+    keyGenerator.init(keyGenParameterSpec);
+    keyGenerator.generateKey();
+}
+
+private void generateSecretKey() {
+    KeyGenParameterSpec keyGenParameterSpec = new KeyGenParameterSpec.Builder(
+        "MySecretKey",
+        KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
+        .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
+        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
+        .setUserAuthenticationRequired(true)
+        // BAD: An attacker can access this key by enrolling additional biometrics.
+        .setInvalidatedByBiometricEnrollment(false)
+        .build();
+    KeyGenerator keyGenerator = KeyGenerator.getInstance(
+            KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
+    keyGenerator.init(keyGenParameterSpec);
+    keyGenerator.generateKey();
+}
+
+private void generateSecretKey() {
+    KeyGenParameterSpec keyGenParameterSpec = new KeyGenParameterSpec.Builder(
+        "MySecretKey",
+        KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
+        .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
+        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
+        .setUserAuthenticationRequired(true)
+        .setInvalidatedByBiometricEnrollment(true)
+        // BAD: This key can be accessed using non-biometric credentials. 
+        .setUserAuthenticationValidityDurationSeconds(30)
+        .build();
+    KeyGenerator keyGenerator = KeyGenerator.getInstance(
+            KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
+    keyGenerator.init(keyGenParameterSpec);
+    keyGenerator.generateKey();
+}

java/ql/src/Security/CWE/CWE-287/AndroidInsecureKeysGood.java

@@ -0,0 +1,16 @@
+private void generateSecretKey() {
+    KeyGenParameterSpec keyGenParameterSpec = new KeyGenParameterSpec.Builder(
+        "MySecretKey",
+        KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
+        .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
+        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
+        // GOOD: Secure parameters are used to generate a key for biometric authentication.
+        .setUserAuthenticationRequired(true)
+        .setInvalidatedByBiometricEnrollment(true)
+        .setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG)
+        .build();
+    KeyGenerator keyGenerator = KeyGenerator.getInstance(
+            KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
+    keyGenerator.init(keyGenParameterSpec);
+    keyGenerator.generateKey();
+}

java/ql/src/change-notes/2024-02-12-android-insecure-keys.md

@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* Added a new query `java/android/insecure-local-key-gen` for finding instances of keys generated for biometric authentication in an insecure way.

java/ql/test/query-tests/security/CWE-287/InsecureLocalAuth.expected renamed to java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test1/InsecureKeys.expected

@@ -0,0 +1,19 @@
+import java
+import TestUtilities.InlineExpectationsTest
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.security.AndroidLocalAuthQuery
+
+module InsecureKeysTest implements TestSig {
+  string getARelevantTag() { result = "insecure-key" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "insecure-key" and
+    exists(InsecureBiometricKeyParamCall call | usesLocalAuth() |
+      call.getLocation() = location and
+      element = call.toString() and
+      value = ""
+    )
+  }
+}
+
+import MakeTest<InsecureKeysTest>

java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test1/InsecureKeys.ql

@@ -0,0 +1,39 @@
+import android.security.keystore.KeyGenParameterSpec;
+import android.hardware.biometrics.BiometricPrompt;
+import android.security.keystore.KeyProperties;
+import javax.crypto.KeyGenerator;
+
+class Test {
+    void test() {
+        KeyGenParameterSpec.Builder builder = new KeyGenParameterSpec.Builder("MySecretKey", KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT);
+        builder.setUserAuthenticationRequired(false); // $insecure-key
+        builder.setInvalidatedByBiometricEnrollment(false); // $insecure-key
+        builder.setUserAuthenticationValidityDurationSeconds(30); // $insecure-key
+    }
+
+    private void generateSecretKey() throws Exception {
+        KeyGenParameterSpec keyGenParameterSpec = new KeyGenParameterSpec.Builder(
+            "MySecretKey",
+            KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
+            .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
+            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
+            // GOOD: Secure parameters are used to generate a key for biometric authentication.
+            .setUserAuthenticationRequired(true)
+            .setInvalidatedByBiometricEnrollment(true)
+            .setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG)
+            .build();
+        KeyGenerator keyGenerator = KeyGenerator.getInstance(
+                KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
+        keyGenerator.init(keyGenParameterSpec);
+        keyGenerator.generateKey();
+    }
+}
+
+class Callback extends BiometricPrompt.AuthenticationCallback {
+    public static void useKey(BiometricPrompt.CryptoObject key) {}
+
+    @Override
+    public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {
+        useKey(result.getCryptoObject());
+    }
+}

java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test1/Test.java

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/google-android-9.0.0

java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test1/options

@@ -0,0 +1,2 @@
+testFailures
+failures

java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test2/InsecureKeys.expected

@@ -0,0 +1,19 @@
+import java
+import TestUtilities.InlineExpectationsTest
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.security.AndroidLocalAuthQuery
+
+module InsecureKeysTest implements TestSig {
+  string getARelevantTag() { result = "insecure-key" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "insecure-key" and
+    exists(InsecureBiometricKeyParamCall call | usesLocalAuth() |
+      call.getLocation() = location and
+      element = call.toString() and
+      value = ""
+    )
+  }
+}
+
+import MakeTest<InsecureKeysTest>

java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test2/InsecureKeys.ql

@@ -0,0 +1,13 @@
+import android.security.keystore.KeyGenParameterSpec;
+import android.hardware.biometrics.BiometricPrompt;
+import android.security.keystore.KeyProperties;
+
+class Test {
+    void test() {
+        KeyGenParameterSpec.Builder builder = new KeyGenParameterSpec.Builder("MySecretKey", KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT);
+        // No alert as there is no use of biometric authentication in this application.
+        builder.setUserAuthenticationRequired(false); 
+        builder.setInvalidatedByBiometricEnrollment(false); 
+        builder.setUserAuthenticationValidityDurationSeconds(30); 
+    }
+}

java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test2/Test.java

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/google-android-9.0.0

java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test2/options

@@ -0,0 +1,2 @@
+testFailures
+failures

java/ql/test/query-tests/security/CWE-287/InsecureLocalAuth/InsecureLocalAuth.expected

@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/google-android-9.0.0
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/google-android-9.0.0