[German]Security researchers have bypassed the biometrics feature of the Shopify Android app. It was supposed to provide merchants with secure access to their shops via a fingerprint reader. If the app is open, however, deep links can be accessed without authentication.
Advertising
For blog readers who are not quite into the topic (I had to look up the exact details myself), here is some background information.
Shopify and the Android App
Shopify is a proprietary e-commerce software distributed by the Canadian company of the same name. It allows small and mid-sized retailers to create their own online stores and use tools to set up payment options or integrate with Amazon Marketplace.
The Google Play Store offers the Shopify: Mobiler E-Commerce app, which retailers can install free of charge from shops. The description:
Run your business wherever you are. Whether you have one or multiple Shopify stores, this app makes it easy for you to manage your orders and products, connect with staff, and track sales.
The fingerprint authentification can be circumvented
The Shopify Android app also offers the ability to login to the app with your fingerprint. Now I've found via Twitter that the app authentication with a fingerprint sensor can be bypassed.
Advertising
Shopify: Bypass of biometrics security functionality is possible in Android application (https://t.co/7Kwi2JcCzp)
##vulnerability #exploit #cybersecurity #pentest
https://t.co/cmxs9ZZolr— team_security (@teamsecurity3) September 29, 2019
If the app is open and someone triggers a deep link, authentication is no longer required. The linked article within the tweet and this security page have details about this flaw.
