Anonymous Intelligence Signal

Critical Bypass Vulnerability Found in @aparajita/capacitor-biometric-auth Plugin

Author: The Lab (human, unverified) | Published: 2026-04-28 21:54:13 | Source: GitHub Issues

A penetration test has uncovered a critical security flaw in the `@aparajita/capacitor-biometric-auth` plugin (com.aparajita.capacitor.biometricauth), exposing mobile applications relying on biometric authentication to potential interception and replay attacks. The vulnerability stems from the plugin's failure to implement CryptoObject, a fundamental security mechanism that binds biometric authentication to cryptographic key operations. Without this binding, authentication success responses can be captured and replayed by attackers, effectively bypassing biometric checks entirely.

The flaw specifically affects applications deployed on devices equipped with Trusted Execution Environment (TEE) or Secure Enclave hardware. While these security domains are designed to isolate sensitive operations from the main operating system, the plugin fails to leverage their protective capabilities. Instead of requiring biometric authentication to unlock a cryptographic key (a process that inherently depends on hardware-level security guarantees), the plugin treats biometric verification as a standalone step whose outcome is nothing more than a success flag in application memory. This architectural weakness creates an attack surface where malicious actors can intercept success responses and replay them to gain unauthorized access.

Security researchers have flagged this vulnerability under OWASP MASWE-0044 in the Mobile Application Security (MAS) guidelines. Applications using this plugin for authentication should be considered at elevated risk until the implementation is updated to properly integrate CryptoObject. Developers are advised to audit authentication flows and consider alternative biometric libraries that enforce cryptographic binding. The absence of CryptoObject fundamentally undermines the security model of biometric authentication in mobile applications, regardless of the underlying hardware's capabilities.
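To make the "cryptographic binding" that the preceding paragraphs call for concrete, here is an added Android example in Kotlin of the pattern OWASP MASWE-0044 expects. It is illustrative code written for this report, not the plugin's implementation or a patch for it; the key alias, the stored IV/ciphertext and the `onUnlocked`/`onFailure` callbacks are assumptions. The key is created in the Android Keystore with per-use authentication, so the only way to operate a cipher under it is to hand that cipher to `BiometricPrompt` inside a `CryptoObject`; a success callback that arrives without the TEE having authorised the key cannot produce any plaintext.

```kotlin
// Added example (not the plugin's code): biometric authentication bound to a
// hardware-backed key via BiometricPrompt.CryptoObject. Alias, storage and
// callbacks are assumptions for illustration.
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

private const val KEY_ALIAS = "session_token_key"   // assumed alias
private const val KEYSTORE = "AndroidKeyStore"
private const val TRANSFORMATION = "AES/GCM/NoPadding"

/** Creates (once) an AES key that the TEE/StrongBox only releases after a fresh
 *  BIOMETRIC_STRONG authentication. With per-use auth (the default when
 *  setUserAuthenticationRequired(true) is set), the cipher is unusable unless it
 *  went through BiometricPrompt as a CryptoObject. */
fun ensureKey(): SecretKey {
    val ks = KeyStore.getInstance(KEYSTORE).apply { load(null) }
    (ks.getKey(KEY_ALIAS, null) as? SecretKey)?.let { return it }
    val spec = KeyGenParameterSpec.Builder(
        KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setUserAuthenticationRequired(true)        // key unusable without auth
        .setInvalidatedByBiometricEnrollment(true)  // new biometric => key invalidated
        .build()
    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE)
        .apply { init(spec) }.generateKey()
}

/** Enrolment side: after a prompt with an ENCRYPT-mode CryptoObject succeeded,
 *  encrypt the token once and persist iv + ciphertext for later unlocks. */
fun encryptWithUnlockedCipher(cipher: Cipher, token: ByteArray): Pair<ByteArray, ByteArray> =
    cipher.iv to cipher.doFinal(token)

/**
 * Weak pattern (what the article describes): authenticate(promptInfo) with no
 * CryptoObject, then trust onAuthenticationSucceeded() and read the token from
 * plain storage. That callback is only a boolean in app memory; the TEE never
 * vouched for it.
 *
 * Hardened pattern below: the DECRYPT cipher is passed to the prompt, and only
 * the cipher the framework hands back is used. Without TEE authorisation,
 * doFinal() throws, so a spoofed "success" yields no plaintext.
 */
fun unlockToken(
    activity: FragmentActivity,
    iv: ByteArray,          // stored with the ciphertext at enrolment (assumed)
    ciphertext: ByteArray,
    onUnlocked: (ByteArray) -> Unit,
    onFailure: (String) -> Unit,
) {
    val cipher = try {
        Cipher.getInstance(TRANSFORMATION).apply {
            init(Cipher.DECRYPT_MODE, ensureKey(), GCMParameterSpec(128, iv))
        }
    } catch (e: KeyPermanentlyInvalidatedException) {
        // Biometric enrolment changed: the key is gone; force re-enrolment
        // instead of silently falling back to a weaker check.
        KeyStore.getInstance(KEYSTORE).apply { load(null) }.deleteEntry(KEY_ALIAS)
        onFailure("biometric enrolment changed; re-enrolment required")
        return
    }

    val callback = object : BiometricPrompt.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
            // Use ONLY the authorised cipher from the result, never the bare success event.
            val authorised = result.cryptoObject?.cipher
                ?: return onFailure("no CryptoObject in result; refusing to proceed")
            try {
                onUnlocked(authorised.doFinal(ciphertext)) // GCM tag also checks integrity
            } catch (e: Exception) {
                onFailure("decrypt failed: ${e.javaClass.simpleName}")
            }
        }
        override fun onAuthenticationError(errorCode: Int, errString: CharSequence) =
            onFailure(errString.toString())
    }

    val promptInfo = BiometricPrompt.PromptInfo.Builder()
        .setTitle("Unlock session")
        .setNegativeButtonText("Cancel")
        .setAllowedAuthenticators(BIOMETRIC_STRONG) // Class 3 only; required for CryptoObject
        .build()

    BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
        .authenticate(promptInfo, BiometricPrompt.CryptoObject(cipher))
}
```

The design point is that the application never branches on "authentication succeeded"; it branches on whether decryption of the stored secret produced a valid plaintext, and that decryption is only possible after the TEE has released the key for this one operation. Auditing a plugin for this property is straightforward: look for `authenticate(promptInfo, cryptoObject)` rather than the single-argument overload, and for the returned `result.cryptoObject` actually being used.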