Following this tutorial on fingerprint authentication I should check for KeyguardManager.isKeyguardSecure() before letting users authenticate with fingerprint.
Why should I do this?
Most device manufacturers require a secure lock screen type (PIN, password, pattern) in order to use fingerprints. When changing the lock screen type to an insecure one (None, Swipe or other mode which does not authenticate the user) the fingerprints are removed.
On Samsung devices this is handled differently, by providing the user the possibility to not delete the fingerprints (and secure them with an additional password). Thereby, the user can still use the fingerprints in applications.
In case you want to allow those users, with a Samsung device, to use fingerprint authentication (in your app) even though they don't have set a secure lock screen type, you don't need to check if KeyguardManager.isKeyguardSecure() returns true.
Later in the code, the tutorial uses setUserAuthenticationRequired(true), which won't work if there is no secure keyguard.
Related
I am a beginner in android development.I want to create an application having Finger authentication.I want to register multiple users(50) finger prints using finger sensor of phone.Also i want to authenticate it when user logins.Can anyone help us?
FingeprintManager only has these 3 features:
authenticate : for authenticating user
hasEnrolledFingerprints : Determine if there is at least one fingerprint enrolled.
isHardwareDetected : Determine if fingerprint hardware is present and functional.
you can check FingerPrintManager docs here :
https://developer.android.com/reference/android/hardware/fingerprint/FingerprintManager.html
As per Nexus FAQs
Your fingerprint data is stored securely and never leaves your Pixel
or Nexus phone. Your fingerprint data isn't shared with Google or any
apps on your device. Apps are notified only whether your fingerprint
was verified.
which explains very well that you can use fingerprints for verification purpose only. Its just an alternative to any app lock available in marketplace.
I've tried to generate a key pair using the Google sample (BasicAndroidKeyStore). The only modification I made is setting the setUserAuthenticationRequired(true) in the KeyGenParameterSpec.Builder.
I assume it would work fine on a device with the embedded Fingerprint scanner, but running it on OnePlus One (working under Android 6.0), I get the following exception:
At least one fingerprint must be enrolled to create keys requiring user authentication for every use
The phone does have the lock screen set to use the pattern, but apparently it requires fingerprint for the authentication. Any idea how to use API 23 keystore without having the actual Fingerprint reader?
On modern Android devices, the fingerprint scanner is directly linked with the hardware security module.
As a result, there is now a meaningful way to provide isolated encryption that's protected - even on a rooted phone.
Check out these guidelines:
https://developer.android.com/training/articles/keystore#HardwareSecurityModule
An attacker would have to trick a user into swiping their fingerprint in order to unlock stuff... and that's only one decryption or signature per swipe.
This is "pretty good" security, but because of the API limitations and restrictions (notably the lack of ECDH!), most apps that claim to use Android's keychain system don't use the StrongBox. Even those that do won't warn the user when it's not available.
As a result, a jailbreak or zero day can compromise most app keys.
Please consider detecting enrollment, and warning your user that their data is more vulnerable on a device that does not have an enrolled hardware biometry device.
I have also faced same issue with moto devices.
As for now i have done this code. To check before using Fingerprint authentication.
public boolean isFingerprintAuthAvailable() {
//FingerprintManager mFingerprintManager;
return mFingerprintManager.isHardwareDetected()
&& mFingerprintManager.hasEnrolledFingerprints();
}
For more check this sample from which i have implemented. Hope will help you...
I'm implementing fingerprint authentication in an existing Android application making use of FingerprintManagerCompat. I used a tutorial as guidance that can be found here.
(android.support.v4.content.ContextCompat)
As FingerprintManagerCompat makes use of saved fingerprints on the mobile device, any fingerprint on the device can be used to login to the application.
Is it possible to see which one of the fingerprints on the device were used to unlock and if so is there a method to get all saved fingerprints that are available on the device?
I looked around for information on if this is possible and I cant seem to find anything. I have found that Samsung Pass SDK does have functionality to see what fingerprint is used but the product owner does not want the me to use Samsung's Pass SDK as his penetration testing team found that it is not very secure.
Is there a method to get all saved fingerprints that are available on the device?
No.
Is it possible to see which one of the fingerprints on the device were used to unlock
No.
However, there are some limitations to which fingerprints can be used to authenticate within your app. The result of a fingerprint authentication is that you make a cryptographic key available to perform some cryptographic operation (e.g. creating a digital signature). So when you add a user in your app you'd typically create a cryptographic key that you associate with that user. Then later on when the user wants to perform some action that requires him/her to be authenticated, you do the fingerprint authentication, which gives you access to the key, which use can use to do whatever it is that you need to do to verify that the user should be allowed to perform the action.
What happens when a new fingerprint is enrolled is that any existing cryptographic keys that require fingerprint authentication will be permanently invalidated.
That leaves us with the scenario where there are multiple enrolled fingerprint before the user is added in your app. I'm not aware of any way to do anything about this with the current APIs. So the best you can do might be to add some step in your fingerprint-enabling UI flow where the user is asked to verify that only they have enrolled a fingerprint on the device (e.g. by checking a checkbox or clicking a button).
I have a Samsumg Galaxy Tab 2 which runs Android 4.2 but Samsumg's rom removed multi user feature. So, as I can not test this feature, I´d like to ask some questions about it:
Is it possible create several users and set a different pin code (or pattern) for each one to unlock the screen (or for switching active user)?
When you store a personal certificate (.p12) in your device, if you dont have any security control activated (pin, pattern, whatever), Android enforces you to set it. Does it apply to all users?
An user can only use his imported certificates? or they will be available to any user?
My propouse is to have a tablet with multiple users. It should be secured in order one user can only access its account and he can only use its own personal certificate.
Thank you.
Yes It is possible to create different security lock for each user
Only owner (Primary user) can install the Certificates. Certificates are available to all users. Secondary users can not install certificates.
Hope This Helps!
Having a random key to encrypt local credentials through AES, I'm following the below tutorial to try to store securely that key and then be able to decrypt later on:
nelenkov.blogspot.co.uk storing applicationsecrets in androids
This tutorial explains how access to the system keystore and store your passwords in it.
The issue I'm facing it's focused in the call to UNLOCK (android.credentials.UNLOCK) the KeyStore. Devices (at the moment with API below 14) that don't have KeyStore initialized, they are showing a dialog requesting a 8 digits password.
The tutorial works fine however showing this dialog even do being only once, it's going to bother most of the users.
are there any way to skip this dialog?
I would be even happier if someone described a better way to keep locally a Key.
KeyStore can appear locked not only on pre-ICS devices. The simplest way to get KeyStore locked is:
Initialize KeyStore by setting KeyGuard (pattern, pin, or
password on the Screen Lock)
Add keys or whatever you store in the KeyStore
Go to Settings > Security and change Screen Lock to something "not
secure", for example, Slide.
Reboot your device.
After the device is booted, KeyStore will be LOCKED. com.android.credentials.UNLOCK intent will start com.android.settings.CredentialStorage activity, which, in turn, will show UnlockDialog, prompting for a password.
* KeyStore: LOCKED
* KeyGuard: OFF/ON
* Action: old unlock dialog
* Notes: assume old password, need to use it to unlock.
* if unlock, ensure key guard before install.
* if reset, treat as UNINITALIZED/OFF
KeyStore gets reset after 5 attempts to enter incorrect password. But resetting KeyStore actually doesn't turn it off or uninitialize. KeyStore remains locked and the only way to uninitialize it seems to call for com.android.credentials.RESET. But this will reset both KeyStore and KeyChain (user installed certificates).
If you want to reset KeyStore and KeyChain silently, without user confirmation, you can do it by binding to IKeyChainService and calling its reset() method. But I'd not recommend doing this. A better solution could be to display some notification message asking user to set Screen Lock manually
The 8 digit password is enforced by the your custom device firmware or a device administrator. There is no such requirement on most devices. If want to store something securely, you have to have a PIN code, Android uses it to derive the encryption key. Other options are to derive a key from your input yourself: you get to control the timing of dialogs and caching of keys, but it's the same process. Finally, you can just generate a master key and store it as a private file, other apps won't be able to read it, so you'll be fine on non-rooted devices. This is the approach recommended on the Android Developers Blog:
http://android-developers.blogspot.jp/2013/02/using-cryptography-to-store-credentials.html