Disclaimer: First of all I'm not an Android developer but a security professional.
My company wants to implement fingerprint authentication in its Android app and I'm wondering if there is any way to log the failed authentication attempts in the application?
According to my current understanding after the application calls the fingerprint authentication API of the OS it does not see how many times the user failed to provide a valid fingerprint, it only waits for a callback containing the key extracted from the keystore in case of successful authentication or a "fingerprint authentication canceled" message if the user decides not to use the fingerprint authentication and fall back to PIN authentication instead (let's suppose that this is implemented).
According to the documentation when you launch the FingerprintManager, you provide a AuthenticationCallback listener.
This listener contain a method onAuthenticationFailed() that will be called every time a correct fingerprint has been detected and that given fingerprint is not registered in the device.
This callback is available since the API 23 in the native Android system and in the compatibility libraries
On this callback we should be able to do whatever you want.
But this may differ if you'r using any third-party library.
I hope that, this will help you.
Related
I have a use case that requires the user to confirm device credential, and the createConfirmDeviceCredentialIntent method in KeyguardManager perfectly meets my need. However, this method was added since API 21.(reference link) So how can I achieve the same functionality before Android 5.0? I also want to support versions like Android 4.X.
Thanks!
Before 21 level this is certainly not possible on non-rooted device and there is no alternative with regular permissions.
If it is ok to require extra admin permissions, it is probably possible to emulate credential confirmation very loosely, with much more effort, by implementing DeviceAdminReceiver.onPasswordSucceeded. Lock the screen, when password succeeded perform the required action. This may turn out to be relatively complex because the action is not always received (only if status has changed), need to keep last success, communicate with receiver, etc.
As a side note, double check the use case and your design, in most cases when createConfirmDeviceCredentialIntent is used it is actually not required and other design choices may eliminate the need for it.
It was better to provide details of what exactly you are trying to protect. If it is a scenario for accidental access to the device by an unauthorized person and a permanent token is generated, say, from some oauth service, it may be reasonable either to reauthorize through the same service login flow or to store some hmac of original credentials along with token then prompt and re-validate credentials instead of prompting for device credentials. Alternatively, if that is enough for use case, you can use google login to authorize access to your app/token and verify google user is the same for the stored token.
The best answer I have seen for this situation is described in a blog post:
Android Secrets
However, it recreates system classes that are private and calls AOSP code that is not public. My bounty is for a better answer that would not require explicit Class naming inside the project. Perhaps Smart Lock or another awesome security library can be used for the backward compatibility I require.
I'm implementing fingerprint authentication in an existing Android application making use of FingerprintManagerCompat. I used a tutorial as guidance that can be found here.
(android.support.v4.content.ContextCompat)
As FingerprintManagerCompat makes use of saved fingerprints on the mobile device, any fingerprint on the device can be used to login to the application.
Is it possible to see which one of the fingerprints on the device were used to unlock and if so is there a method to get all saved fingerprints that are available on the device?
I looked around for information on if this is possible and I cant seem to find anything. I have found that Samsung Pass SDK does have functionality to see what fingerprint is used but the product owner does not want the me to use Samsung's Pass SDK as his penetration testing team found that it is not very secure.
Is there a method to get all saved fingerprints that are available on the device?
No.
Is it possible to see which one of the fingerprints on the device were used to unlock
No.
However, there are some limitations to which fingerprints can be used to authenticate within your app. The result of a fingerprint authentication is that you make a cryptographic key available to perform some cryptographic operation (e.g. creating a digital signature). So when you add a user in your app you'd typically create a cryptographic key that you associate with that user. Then later on when the user wants to perform some action that requires him/her to be authenticated, you do the fingerprint authentication, which gives you access to the key, which use can use to do whatever it is that you need to do to verify that the user should be allowed to perform the action.
What happens when a new fingerprint is enrolled is that any existing cryptographic keys that require fingerprint authentication will be permanently invalidated.
That leaves us with the scenario where there are multiple enrolled fingerprint before the user is added in your app. I'm not aware of any way to do anything about this with the current APIs. So the best you can do might be to add some step in your fingerprint-enabling UI flow where the user is asked to verify that only they have enrolled a fingerprint on the device (e.g. by checking a checkbox or clicking a button).
I'm creating an application that requires a good level of security. I'm wondering if there is an API that I can check to see if a current user has 2-Step Verification on their Google Account that they are attempting to log in with. If they do, then I can use that or use a difference service.
I haven't been able to find anything so far.
I am new to fingerprint authentication in smartphones. As we know Samsung S5 currently supports fingerprint scanner. Is it possible to develop a custom application that can use the scanner to authenticate a user? I just need to know the identity of the user and if he has been authenticated correctly. My app can then take it from there and integrate with backend.
Google has now announced a generic fingerprint API for Android that can be utilised by any custom apps for authorisation and not just the native Google apps. It looks like the future is just getting brighter!
Taken from the Android Developers page linked below:
"To authenticate users via fingerprint scan, get an instance of the new FingerprintManager class and call the authenticate() method."
However you must also include this permission:
<uses-permission android:name="android.permission.USE_FINGERPRINT" />
If you want to find out more information then visit this URL and scroll down to Authentication:
https://developer.android.com/about/versions/marshmallow/android-6.0.html#fingerprint-authentication
Samsung provides Pass API to register, request and validate fingerprints. Its in here SAMSUNG FINGER PRINT API. There is a sample program too.
Fingerprint API preview for Android M is found here with Sample App. As of this writing, Android Compatibility Definition for Android M hasn't been published. So, if fingerprint sensor, the key hardware component of the fingerprint framework, is left as a "SHOULD" requirement (most likely to be true), then OEMs decide either to incorporate the sensor or not. But, since Android Pay is strongly ties to finger print framework, this may drive OEMs to include the fingerprint sensor.
I found this in google samples which demonstrates how you can use registered fingerprints in your app to authenticate the user before proceeding some actions such as purchasing an item.
First you need to create a symmetric key in the Android Key Store using KeyGenerator which can be only be used after the user has authenticated with fingerprint and pass a KeyGenParameterSpec.
By setting KeyGenParameterSpec.Builder.setUserAuthenticationRequired
to true, you can permit the use of the key only after the user
authenticate it including when authenticated with the user's
fingerprint.
Then start listening to a fingerprint on the fingerprint sensor by
calling FingerprintManager.authenticate with a Cipher initialized with
the symmetric key created. Or alternatively you can fall back to
server-side verified password as an authenticator.
Once the fingerprint (or password) is verified, the
FingerprintManager.AuthenticationCallback#onAuthenticationSucceeded()
callback is called.
It requires SDK V23. AFAIK its not useful for Samsung S5 but it might help others to use this feature.
I'm making a Cordova 4.0 Android app that will be sold in Google Play, and I would like to prevent illegal use of it (for example preventing someone to extract the APK from the system and re-distributing it).
One theoretical way of doing this would be by checking that when the app is launched by the user, he did actually download it from Google Play (versus being it sideloaded). I'm not even sure if this is possible or if there's an alternate way of doing something like this.
One way that works in other cases is to use require some sort of login when accessing the app, but in this case I can't do that. Any advice would be appreciated!
Google offers a way to implement validation / licensing:
http://developer.android.com/google/play/licensing/index.html
Take a look if this is what you need!
One suggestion would be for those apps which are get connected to a server to fetch some data.
App verification token
Generate an encoded 64-bit long token and store on both device & server as well. This will be a unique token per app
Whenever app tries to connect to server, it sends the device token details. Server needs to verify it before fulfilling its request.
On specific events, server can generate a new token for a device.
Same way, device token can be mapped to a user or an app on the server side.
Token could carry some app related information, for instance.
first 4 or 6 digits represent app size
second block of digits could represent user specific or device or some other details
Or another block could hold app contents modification date
In case of any change, server could verify the app size, last app contents modification dates, etc.
Generally it is recommended to uglify, obfuscate and minimize app resources before submission.
You can use the package manager class to determine the source of an app (only google or amazon currently detected)
You can similarly use google analytics which gives same information.
This is pretty neat since Android stores the source of every package, allowing apps to know where they came from, to prevent piracy and sideloading.
Great if you always publish to google or amazon. Useless if you sideload your app.