VYPR
Unrated severity · NVD Advisory · Published Jun 30, 2022 · Updated Aug 3, 2024

CVE-2022-1955

Description

Session 1.13.0 on Android allows physical attackers to bypass biometric authentication via Frida hooking of the onAuthenticationSucceeded callback.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Session 1.13.0 for Android does not protect its application lock against dynamic code manipulation, so an attacker with physical access to the unlocked device can bypass the password/PIN or fingerprint lock. The flaw is in the biometric authentication flow: the onAuthenticationSucceeded callback fires when the system reports a successful authentication, but the application then treats a boolean set in its own code as the proof of that event. It never uses the CryptoObject handed back with the callback for any cryptographic operation, so nothing the app does after the callback actually depends on the biometric having occurred. Instrumenting the callback, for example with Frida, is therefore enough to unlock the app. The advisory [1] notes that the patch shipped in version 1.13.4 was bypassed with the same technique, so the issue persists.

Exploitation

An attacker with physical access to the victim's device uses Frida (or a similar dynamic instrumentation tool) to hook the app's fingerprint listener and rewrite or directly invoke onAuthenticationSucceeded so that the success path runs regardless of the biometric outcome. With the hook in place, pressing the recent-apps button and then switching back to Session is enough: the application unlocks within a second without valid biometric data [1]. Beyond physical access to an unlocked device on which Frida can be run, no credentials or user interaction are needed.

Impact

Successful exploitation grants the attacker unauthorized access to the victim's Session account and all associated user data, including private messages and contacts. The attacker gains the same level of access as the legitimate user, bypassing the intended biometric or PIN lock. This constitutes a complete compromise of confidentiality and integrity of the app's data.

Mitigation

The Session team attempted a fix in version 1.13.4, but the advisory [1] reports that it still relies on a boolean and was bypassed with the same hook. A more robust fix is proposed in pull request #897 [3], which binds the unlock to a KeyStore-backed key through the CryptoObject, so that the callback has to complete a real cryptographic operation that only a genuine system authentication can authorise. The original repository is deprecated [2]; users should migrate to the actively maintained Session Android client (see [2] for links). As of the publication date no confirmed complete fix is publicly available, so the application lock should not be relied on against anyone who has physical access to the unlocked device.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The `onAuthenticationSucceeded` method relies on a boolean return value instead of using the `CryptoObject` from the callback parameter to decrypt crucial application data, allowing dynamic code manipulation to bypass authentication."

Attack vector

An attacker with physical access to the victim's unlocked Android device can bypass the Session application's password/pin/fingerprint lock. The attacker uses Frida to hook into the fingerprint listener and dynamically rewrite the implementation of the `onAuthenticationSucceeded` method [ref_id=1]. Because the method relies on a boolean return value instead of performing cryptographic verification with the `CryptoObject`, the attacker can skip the authentication step entirely and access user data [ref_id=1]. The exploit is triggered by pressing the 'recent' button (square) to open the recent apps view and then switching back to Session while the Frida hook is running [ref_id=1].

Affected code

The advisory does not specify exact file paths or function names, but identifies the vulnerability as residing in the fingerprint/biometric authentication flow of the Session Android application (package `network.loki.messenger`, version 1.13.0) [ref_id=1]. The flaw centers on the `onAuthenticationSucceeded` callback, which depends on a boolean return value rather than using the `CryptoObject` from the callback parameter to decrypt crucial data [ref_id=1].

What the fix does

The advisory states that the Session team implemented a patch in version 1.13.4, but the researcher bypassed it using the same technique because the `onAuthenticationSucceeded` method still depended on a boolean return value [ref_id=1]. The advisory recommends that the method should retrieve the encryption object (`CryptoObject`) from the callback parameter and use it to decrypt crucial data (such as a session identifier or secondary symmetric key) rather than relying on a boolean [ref_id=1]. As of version 1.13.6, no second patch had been implemented, and the advisory notes that there is currently no patch available for this vulnerability [ref_id=1].
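The two shapes described above (the boolean-driven callback the advisory criticises, and the CryptoObject-bound callback it recommends) side by side, as an added Kotlin illustration. This is not Session's code and not the change in PR #897; the `BooleanLock`/`SessionLock` names, the key alias, the AES-GCM wrapping of a "secondary secret", and the `setupLock`/`unlock` call sites are assumptions made for the example. It uses only the public AndroidX `BiometricPrompt` and Android Keystore APIs.

```kotlin
// Added example, not Session's code or the code in PR #897. It contrasts the
// pattern the advisory criticises (a boolean decided in app code) with the
// Keystore-bound pattern it recommends. SessionLock, the key alias and the
// storage of the wrapped secret are assumptions made for the illustration.
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricPrompt
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import java.util.concurrent.Executor
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// Vulnerable shape: success is just a flag flipped in the callback. A hook that
// re-implements onAuthenticationSucceeded, or calls it with a dummy result,
// reaches exactly the same state as a real fingerprint.
class BooleanLock(private val onUnlocked: () -> Unit) : BiometricPrompt.AuthenticationCallback() {
    var unlocked = false
    override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
        unlocked = true          // nothing here depends on the biometric having happened
        onUnlocked()
    }
}

// Hardened shape: the data the app needs to proceed (a secondary symmetric key,
// a session identifier, ...) is stored encrypted under a Keystore key that only
// works inside an operation the system has authorised. The callback becomes a
// courier for that operation; a forged callback carries no usable cipher.
object SessionLock {
    private const val KEY_ALIAS = "session_lock_key"   // assumed alias
    private const val TRANSFORM = "AES/GCM/NoPadding"
    private const val TAG_BITS = 128

    private fun key(): SecretKey {
        val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
        (ks.getKey(KEY_ALIAS, null) as? SecretKey)?.let { return it }
        val spec = KeyGenParameterSpec.Builder(
            KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setUserAuthenticationRequired(true)        // per-use authentication
            .setInvalidatedByBiometricEnrollment(true)  // API 24+: a new enrolment kills the key
            .build()
        return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
            .apply { init(spec) }.generateKey()
    }

    // Cipher for wrapping the secret when the lock is first set up; read its iv
    // after init and persist it next to the ciphertext.
    fun encryptCipher(): Cipher =
        Cipher.getInstance(TRANSFORM).apply { init(Cipher.ENCRYPT_MODE, key()) }

    // Cipher for unwrapping the secret on every unlock.
    fun decryptCipher(iv: ByteArray): Cipher =
        Cipher.getInstance(TRANSFORM).apply {
            init(Cipher.DECRYPT_MODE, key(), GCMParameterSpec(TAG_BITS, iv))
        }

    // Runs `use` only on the cipher the system hands back inside the result.
    // If the callback was forged, result.cryptoObject is null or its cipher was
    // never authorised, so doFinal throws and the caller receives null.
    fun authenticate(
        activity: FragmentActivity, executor: Executor, cipher: Cipher,
        use: (Cipher) -> ByteArray, onResult: (ByteArray?) -> Unit
    ) {
        val callback = object : BiometricPrompt.AuthenticationCallback() {
            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                val authed = result.cryptoObject?.cipher
                onResult(authed?.let { runCatching { use(it) }.getOrNull() })
            }
            override fun onAuthenticationError(errorCode: Int, errString: CharSequence) = onResult(null)
        }
        val info = BiometricPrompt.PromptInfo.Builder()
            .setTitle("Unlock Session")
            .setNegativeButtonText("Cancel")
            .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG)
            .build()
        BiometricPrompt(activity, executor, callback)
            .authenticate(info, BiometricPrompt.CryptoObject(cipher))
    }
}

// Assumed call sites: wrap the secret once at setup, unwrap it on every unlock.
fun setupLock(a: FragmentActivity, ex: Executor, secret: ByteArray,
              store: (iv: ByteArray, wrapped: ByteArray) -> Unit) {
    val c = SessionLock.encryptCipher()
    SessionLock.authenticate(a, ex, c, { it.doFinal(secret) }) { wrapped ->
        if (wrapped != null) store(c.iv, wrapped)
    }
}

fun unlock(a: FragmentActivity, ex: Executor, iv: ByteArray, wrapped: ByteArray,
           onSecret: (ByteArray?) -> Unit) {
    SessionLock.authenticate(a, ex, SessionLock.decryptCipher(iv), { it.doFinal(wrapped) }, onSecret)
}
```

The design point is that the value returned from `unlock` must be something the rest of the app genuinely needs (the key that decrypts the local database, for instance), not another flag: the Keystore operation is authorised outside the app process, so an app-side hook of `onAuthenticationSucceeded` cannot conjure the plaintext, and the attacker is pushed from flipping one boolean to subverting whatever consumes the decrypted secret. On API 30+ the same key policy can be stated explicitly with `setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG)`.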

Preconditions

  • Attacker must have physical access to the victim's Android device
  • The device must be unlocked (screen on, attacker can interact with the OS)
  • Attacker must be able to install and run Frida on the device

Reproduction

1. Install and configure Frida on the victim's Android device as described at the Frida documentation site [ref_id=1].
2. Run the Frida command that hooks the fingerprint listener and dynamically rewrites the `onAuthenticationSucceeded` implementation to bypass the application's protection [ref_id=1].
3. On the device, press the 'recent' button (square icon) to open the recent apps view [ref_id=1].
4. Switch back to the Session application. Within less than a second, the application grants access without requiring a valid fingerprint [ref_id=1].

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0 (no linked articles in our index yet)