AndroidKeystore. That is, the key can be used if the user unlocked the device within the set time limit (setUserAuthenticationValidityDurationSeconds); otherwise the device needs to be unlocked again.
FingerprintManager (deprecated in Android 9 (API level 28))
BiometricPrompt class is a significant improvement, as it provides a consistent UI for biometric authentication on Android and also supports more sensors than just fingerprint.
FingerprintManager class, which only supports fingerprint sensors and provides no UI, forcing developers to build their own fingerprint UI.
FingerprintManager class. An app can request fingerprint authentication by instantiating a FingerprintManager object and calling its authenticate method. The caller registers callback methods to handle the possible outcomes of the authentication process (i.e. success, failure, or error). Note that this method alone does not constitute strong proof that fingerprint authentication has actually been performed: for example, the authentication step could be patched out by an attacker, or the "success" callback could be hooked using dynamic instrumentation.
KeyGenerator class. With this approach, a symmetric key is stored in the Android KeyStore and unlocked with the user's fingerprint. For example, to enable user access to a remote service, an AES key is created which encrypts the authentication token. By calling setUserAuthenticationRequired(true) when creating the key, the user is forced to re-authenticate before the key can be used. The encrypted authentication token can then be saved directly on the device (e.g. via Shared Preferences). This design is a relatively safe way to ensure the user actually entered an authorized fingerprint.
BiometricManager APIs, as implemented in Android 10, with full feature support back to Android 6.0 (API 23).
setInvalidatedByBiometricEnrollment set to true. Additionally, setUserAuthenticationValidityDurationSeconds should be set to -1.
authenticate method and the CryptoObject is not used as part of the authenticate method, it can be bypassed by using Frida. See the "Dynamic Instrumentation" section for more details.
This section describes how to implement biometric authentication by using the FingerprintManager class. Please keep in mind that this class is deprecated and the Biometric library should be used instead as a best practice. This section is just for reference, in case you come across such an implementation and need to analyze it.
FingerprintManager.authenticate calls. The first parameter passed to this method should be a CryptoObject instance, which is a wrapper class for the crypto objects supported by FingerprintManager. If the parameter is set to null, the fingerprint authorization is purely event-bound, which likely creates a security issue.
CryptoObject. Verify that the key was created using the KeyGenerator class and that setUserAuthenticationRequired(true) was called during creation of the KeyGenParameterSpec object (see code samples below).
KeyInfo class can be used to find out whether the key resides inside secure hardware such as a Trusted Execution Environment (TEE) or Secure Element (SE).
KeyGenerator class by adding
Cipher object and initialize it with the key alias.
FingerprintManager first. This involves wrapping the Cipher object in a FingerprintManager.CryptoObject, which is passed to FingerprintManager.authenticate before it will be recognized.
onAuthenticationSucceeded(FingerprintManager.AuthenticationResult result) is called when the authentication succeeds. The authenticated CryptoObject can then be retrieved from the result.
KeyPairGenerator class, and enroll the public key with the server. You can then authenticate pieces of data by signing them on the client and verifying the signature on the server. A detailed example for authenticating to remote servers using the fingerprint API can be found in the Android Developers Blog.
setInvalidatedByBiometricEnrollment(boolean invalidateKey) method to
invalidateKey value is set to true (the default), keys that are valid for fingerprint authentication are irreversibly invalidated when a new fingerprint is enrolled. This prevents an attacker from retrieving the key even if they are able to enroll an additional fingerprint.
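The key-bound flow the section describes, as an added example that is not code from the guide: the AES key is generated with setUserAuthenticationRequired(true), a validity duration of -1 and setInvalidatedByBiometricEnrollment(true), a Cipher is initialized with it and wrapped in a FingerprintManager.CryptoObject, and only the Cipher handed back in onAuthenticationSucceeded is used. The class name, KEY_ALIAS, and that the app holds the USE_FINGERPRINT permission on API 24 or later are assumptions.

```java
import android.content.Context;
import android.hardware.fingerprint.FingerprintManager;
import android.os.CancellationSignal;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

// Added example, not from the guide: KEY_ALIAS is assumed; app holds USE_FINGERPRINT, API 24+.
public class KeyBoundFingerprintAuth {
    private static final String KEY_ALIAS = "auth_token_key";
    // Step 1: AES key in AndroidKeyStore, usable only after a fresh user authentication for
    // each operation (-1), and irreversibly invalidated when a new fingerprint is enrolled.
    static void generateKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
                .setUserAuthenticationRequired(true)
                .setUserAuthenticationValidityDurationSeconds(-1)
                .setInvalidatedByBiometricEnrollment(true)
                .build());
        kg.generateKey();
    }
    // Step 2: initialise a Cipher with the key and wrap it so the fingerprint result authorizes
    // this Cipher; passing null to authenticate() instead makes the check purely event-bound.
    static FingerprintManager.CryptoObject buildCryptoObject(int mode) throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7Padding");
        cipher.init(mode, (SecretKey) ks.getKey(KEY_ALIAS, null));
        return new FingerprintManager.CryptoObject(cipher);
    }
    // Step 3: only the Cipher returned in the result is authorized by Keystore; a "success"
    // callback reached without real authentication cannot complete doFinal() on it.
    static void encryptToken(Context ctx, final byte[] token, CancellationSignal cancel) throws Exception {
        FingerprintManager fm = ctx.getSystemService(FingerprintManager.class);
        fm.authenticate(buildCryptoObject(Cipher.ENCRYPT_MODE), cancel, 0,
            new FingerprintManager.AuthenticationCallback() {
                @Override public void onAuthenticationSucceeded(FingerprintManager.AuthenticationResult r) {
                    try {
                        Cipher c = r.getCryptoObject().getCipher();
                        byte[] ct = c.doFinal(token); // persist c.getIV() + ct, e.g. in SharedPreferences
                    } catch (Exception e) { /* treat as authentication failure */ }
                }
            }, null);
    }
}
```

When reviewing an implementation, the points to confirm are the three flagged in the comments: the key's authentication parameters, a non-null CryptoObject passed to authenticate(), and use of the Cipher taken from the result rather than a Cipher created elsewhere.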
FINGERPRINT_ERROR_LOCKOUT_PERMANENT: The user has tried too many times to unlock their device using the fingerprint reader.
FINGERPRINT_ERROR_VENDOR: A vendor-specific fingerprint reader error occurred.
CryptoObject is not used in the authenticate method of the BiometricPrompt class. The authentication implementation relies on the callback
CryptoObject is used, but in an incorrect way. The detailed explanation can be found in the section "Crypto Object Exception Handling" in the blog post.