I've been reading documentation that Android and IOS's fingerprint scanning API stores the user's encrypted fingerprint locally. Is it possible to build an application that captures the user's fingerprint, encrypt it like a password and store it in the cloud?
If this isn't possible, are there any suggested workarounds people have explored in the past?
Thanks.
No, you can't get this info out of the device. All you're able to do is validate whether the fingerprint provided by the user matches one that's enrolled in the device. It's basically binary. The finger is recognized or not.
Typically what you want to do is store some kind of generated token in Keychain or other secure storage; after the user locally authenticates with their fingerprint, you use that stored token to authenticate the user with your server.
Related
I started to writing my first Android App.
I've tried to create a simple system which will allow user to get info, if he will authenticate with fingerprint.
I wrote fingerprint auth system to get confirmation if user is registered in the phone, but my question is: Is there any option to get "hash" of the fingerprint and store it for ex. in database to check if user should have access to the app?
I mean:
Database key: 123123123123ASDASDASDASD
Fingerprint key: 123123123123ASDASDASDASD
User has access to the app.
If read fingerprint key not equals stored in database, user doesn't have access to the app.
Is this even possile? - is there any other option to create system like above?
By DB, are you talking a local DB or a remote one? If remote- that's a horrible and insecure idea. You should never use a fingerprint to authorize someone on a remote device- all I need to do is get a copy of someone's fingerprint, pretend its mine, and send it as the hash to gain access. Fingerprint capture and authentication needs to be done on the same device.
If local its still a bad idea. All the functionality you need is built into the fingerprint and account APIs. Use them. Don't store people's private biodata in unsecured storage (a db is unsecured storage).
Is there an equivalent to iOS's Keychain on Android?
My understanding of the Preferences API is that it is not encrypted. For my application it doesn't matter whether these credentials are persisted across devices (i.e. a different use-case to iPhone-like Keychain in Android?)
I also looked at the KeyStore API but it seems to leave the actual storage of user credentials up to the application developer.
Short answer, there isn't one. But you can expect the filesystem to be secure.
Each app operates under a different user, and the filesystem used to store app data is secured by normal UNIX user permissions. So each app's file access is sandboxed by default. The filesystem also may be encrypted.
This page from the developer's site explains it better: http://developer.android.com/guide/topics/security/security.html
Actually there is:
By integrating Smart Lock for Passwords into your Android app, you can
automatically sign users in to your app using the credentials they
have saved. Users can save both username-password credentials and
federated identity provider credentials.
Integrate Smart Lock for Passwords into your app by using the
Credentials API to retrieve saved credentials on sign-in. Use
successfully retrieved credentials to sign the user in, or use the
Credentials API to rapidly on-board new users by partially completing
your app's sign in or sign up form. Prompt users after sign-in or
sign-up to store their credentials for future automatic
authentication.
https://developers.google.com/identity/smartlock-passwords/android/
Expanding upon #DJPlayer's answer:
Some relevant articles. The third includes a github app that demonstrates using the keystore provider to generate keys and then encrypt strings.
Android Keystore System
Where is the best place to store a password in your Android app?
How to use the Android Keystore to store passwords and other sensitive information
Also see Android Storage Options for ways to store the encrypted password - my recommendation is Shared Preferences.
Note that according to the second article with root access and a bit of knowledge of how your app uses the keystore (which might be obtainable from decompiling your apk), it's possible to hijack the private key and use it to decrypt encrypted material (ex: the persisted password)
http://developer.android.com/reference/android/security/KeyChain.html
Keychain for OS 4.0
In my application, upon user successful authentication using OAuth I need to store the access token returned by the REST API. I was thinking of using the keystore to store this token for further use in the application. But so far I havent seen an implementation which stores already generated keys using android keystore APIs. Is there any example or code snippet which stores already generated tokens.
Also if I use keystore to store the access tokens, can the rooted phone users gain access to these tokens?
Thanks.
The following blog post provides a very good explanation on how to go about doing this.
http://nelenkov.blogspot.com/2012/05/storing-application-secrets-in-androids.html
Also it should not matter if a rooted phone user can gain access to these tokens if they are encrypted. Fortunately, Android's system keystore daemon encrypts keys using AES.
According to this website, it says there is a hashed value for fingerprints. Is there a way to access this hashed value?
http://www.engadget.com/2013/09/22/iphone-5s-fingerprint-sensor-gets-completely-misunderstood/
What about Android?
Thanks for help in advance
Fingerprint data is encrypted and protected with a key available only
to the Secure Enclave. Fingerprint data is used only by the Secure
Enclave to verify that your fingerprint matches the enrolled
fingerprint data. The Secure Enclave is walled off from the rest of
the chip and the rest of iOS. Therefore, iOS and other apps never
access your fingerprint data, it's never stored on Apple servers, and
it's never backed up to iCloud or anywhere else. Only Touch ID uses
it, and it can't be used to match against other fingerprint databases.
https://support.apple.com/en-us/HT204587
Is there an equivalent to iOS's Keychain on Android?
My understanding of the Preferences API is that it is not encrypted. For my application it doesn't matter whether these credentials are persisted across devices (i.e. a different use-case to iPhone-like Keychain in Android?)
I also looked at the KeyStore API but it seems to leave the actual storage of user credentials up to the application developer.
Short answer, there isn't one. But you can expect the filesystem to be secure.
Each app operates under a different user, and the filesystem used to store app data is secured by normal UNIX user permissions. So each app's file access is sandboxed by default. The filesystem also may be encrypted.
This page from the developer's site explains it better: http://developer.android.com/guide/topics/security/security.html
Actually there is:
By integrating Smart Lock for Passwords into your Android app, you can
automatically sign users in to your app using the credentials they
have saved. Users can save both username-password credentials and
federated identity provider credentials.
Integrate Smart Lock for Passwords into your app by using the
Credentials API to retrieve saved credentials on sign-in. Use
successfully retrieved credentials to sign the user in, or use the
Credentials API to rapidly on-board new users by partially completing
your app's sign in or sign up form. Prompt users after sign-in or
sign-up to store their credentials for future automatic
authentication.
https://developers.google.com/identity/smartlock-passwords/android/
Expanding upon #DJPlayer's answer:
Some relevant articles. The third includes a github app that demonstrates using the keystore provider to generate keys and then encrypt strings.
Android Keystore System
Where is the best place to store a password in your Android app?
How to use the Android Keystore to store passwords and other sensitive information
Also see Android Storage Options for ways to store the encrypted password - my recommendation is Shared Preferences.
Note that according to the second article with root access and a bit of knowledge of how your app uses the keystore (which might be obtainable from decompiling your apk), it's possible to hijack the private key and use it to decrypt encrypted material (ex: the persisted password)
http://developer.android.com/reference/android/security/KeyChain.html
Keychain for OS 4.0