Fingerprint authentication of Shopify Android app bypassed

[German]Security researchers have bypassed the biometrics feature of the Shopify Android app. It was supposed to provide merchants with secure access to their shops via a fingerprint reader. If the app is open, however, deep links can be accessed without authentication.


For blog readers who are not quite into the topic (I had to look up the exact details myself), here is some background information.

Shopify and the Android App

Shopify is a proprietary e-commerce software distributed by the Canadian company of the same name. It allows small and mid-sized retailers to create their own online stores and use tools to set up payment options or integrate with Amazon Marketplace.

App Shopify: Mobiler E-Commerce

The Google Play Store offers the Shopify: Mobiler E-Commerce app, which retailers can install free of charge from shops. The description:

Run your business wherever you are. Whether you have one or multiple Shopify stores, this app makes it easy for you to manage your orders and products, connect with staff, and track sales.

The fingerprint authentification can be circumvented

The Shopify Android app also offers the ability to login to the app with your fingerprint. Now I've found via Twitter that the app authentication with a fingerprint sensor can be bypassed.


If the app is open and someone triggers a deep link, authentication is no longer required. The linked article within the tweet and this security page have details about this flaw.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Android, Security and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *