I have added fingerprint recognition to gain access to my android app using the Google Sample found here http://developer.android.com/samples/FingerprintDialog/index.html. Everything works as expected but I am just thinking that if someone has the phone and adds a new fingerprint then they gain access to the app. How can I prevent this? Do I need to register the fingerprints within the app and then check against those?
You can't do this but hopefully no one would be able to add a fingerprint to the phone that should not be able to access your application.
If you want fingerprint authentication to unlock the app for convenience but also allow the user to enter a password or PIN, then you can add an option in the settings of the app to let the user choose if they want to Enable Unlock with Fingerprints Registered on the Phone or simply always type their password. (Default set to password only)
Hi, I have the same case as this question: how to store fingerprint data along with username, image, email etc. in a database in an Android app. I have read that and some of the answers there. It is stated that we cannot get something like a template of the fingerprint that the user registered in Android because it is stored at a secure location. I just want to make sure: is it true if I say something like this: because Android doesn't give permission to access the template of the user's fingerprint, we cannot build a mobile app that registers our fingerprint in that app by using the Android fingerprint scanner. Is that right?
So my point here is the way to register our fingerprint in a mobile app. I haven't yet found articles that show step by step how to build a mobile app like the one I mean.
I have searched a lot on the internet/Stack Overflow for how to add a fingerprint from a custom app but couldn't find any clue.
In short, the requirement: I am creating an app that will allow the user to enter my app by scanning a fingerprint.
I have checked code that will scan a finger on the sensor and match it against fingerprint data already set by the user (he/she sets it from Settings), but in case there are multiple fingers set by multiple users, my app allows all of those users to enter my app, which I don't want.
What I want: code that adds a fingerprint from my app and allows only that user, not all the users, to enter my app.
Now some questions:
Is it possible to do this?
Is there any other way to achieve this?
Is this a secure way to do so, because my application is a banking app?
but in case if there are multiple finger set by multiple user than my app allow all the user to enter into my app which i don't want
You have no way of distinguishing between "multiple finger set by multiple user" and "multiple finger set by one user". Most people have more than one finger.
Code that add fingerprint from my app and allow only that user not all the user to enter into my app
You can require that the person holding the device scan their fingerprint and have that be authenticated against registered fingerprints. You have no way of knowing who the person is who scanned their fingerprint and their relationship with the owner of the device. It might be the owner, or it might not. That is up to the device owner, not you.
This is no different than most other forms of authentication. For example, if your app required a custom PIN, and the user shared that PIN with somebody else, that is the user's choice. It may be a stupid choice, or it may not (e.g., it is shared with a spouse).
Following this tutorial on fingerprint authentication I should check for KeyguardManager.isKeyguardSecure() before letting users authenticate with fingerprint.
Why should I do this?
Most device manufacturers require a secure lock screen type (PIN, password, pattern) in order to use fingerprints. When changing the lock screen type to an insecure one (None, Swipe or other mode which does not authenticate the user) the fingerprints are removed.
On Samsung devices this is handled differently, by providing the user the possibility to not delete the fingerprints (and secure them with an additional password). Thereby, the user can still use the fingerprints in applications.
In case you want to allow those users, with a Samsung device, to use fingerprint authentication (in your app) even though they have not set a secure lock screen type, you don't need to check if KeyguardManager.isKeyguardSecure() returns true.
Later in the code, the tutorial uses setUserAuthenticationRequired(true), which won't work if there is no secure keyguard.
I am a newbie in Android development.
I am developing an Android app that allows people to check in using a fingerprint. The idea is, for instance, a class needs students to check in on time every day. Students have to register their fingerprint to identify themselves with the application.
I don't know whether Android supports my application. I just saw that fingerprint identification uses the registered user's finger.
Could you please help me with some ideas?
Thank you so much.
Android supports detecting more than one fingerprint.
E.g. the Coolpad Note 3 detects 5 different fingerprints and we can assign different actions to each fingerprint,
i.e. one for unlocking the screen, one for the camera.
Detecting and authenticating different fingerprints is based on how you code your application. So go forward.
You can find here the code for the implementation of fingerprint authentication in an app.
Remember one thing: here you can log in to your app only using the fingerprint that you have used for the device's screen lock.
Android authorizes or verifies a user if the fingerprint was previously registered through Android settings. Meaning, you can't add new fingerprints through your app.
The KeyStore saves all the keys and uses the Keystore private key to sign transactions / data. Meaning, you cannot differentiate users through your app.
I'm implementing fingerprint authentication in an existing Android application making use of FingerprintManagerCompat. I used a tutorial as guidance that can be found here.
(android.support.v4.content.ContextCompat)
As FingerprintManagerCompat makes use of saved fingerprints on the mobile device, any fingerprint on the device can be used to log in to the application.
Is it possible to see which one of the fingerprints on the device was used to unlock, and if so, is there a method to get all saved fingerprints that are available on the device?
I looked around for information on whether this is possible and I can't seem to find anything. I have found that the Samsung Pass SDK does have functionality to see which fingerprint is used, but the product owner does not want me to use Samsung's Pass SDK as his penetration testing team found that it is not very secure.
Is there a method to get all saved fingerprints that are available on the device?
No.
Is it possible to see which one of the fingerprints on the device were used to unlock
No.
However, there are some limitations to which fingerprints can be used to authenticate within your app. The result of a fingerprint authentication is that you make a cryptographic key available to perform some cryptographic operation (e.g. creating a digital signature). So when you add a user in your app you'd typically create a cryptographic key that you associate with that user. Then later on when the user wants to perform some action that requires him/her to be authenticated, you do the fingerprint authentication, which gives you access to the key, which you can use to do whatever it is that you need to do to verify that the user should be allowed to perform the action.
What happens when a new fingerprint is enrolled is that any existing cryptographic keys that require fingerprint authentication will be permanently invalidated.
That leaves us with the scenario where there are multiple enrolled fingerprints before the user is added in your app. I'm not aware of any way to do anything about this with the current APIs. So the best you can do might be to add some step in your fingerprint-enabling UI flow where the user is asked to verify that only they have enrolled a fingerprint on the device (e.g. by checking a checkbox or clicking a button).
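The key-invalidation behaviour described in the answer above, together with the isKeyguardSecure() check discussed earlier on the page, as an added Java example that is not code from any of the posts or from the Google sample. The class name, the key alias and the fall-back-to-password policy are assumptions made for illustration.

```java
import android.app.KeyguardManager;
import android.content.Context;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public final class FingerprintKeyHelper {
    private static final String KEY_ALIAS = "app_fingerprint_key"; // hypothetical alias

    /** Auth-bound keys cannot be generated without a secure lock screen. */
    public static boolean canUseAuthBoundKey(Context ctx) {
        KeyguardManager km = (KeyguardManager) ctx.getSystemService(Context.KEYGUARD_SERVICE);
        return km != null && km.isKeyguardSecure();
    }

    /** Call once, after a password login, when the user enables fingerprint unlock. */
    public static void createKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
                .setUserAuthenticationRequired(true)       // key usable only after a fingerprint match
                .setInvalidatedByBiometricEnrollment(true) // API 24+; on API 23 this is always the behaviour
                .build());
        kg.generateKey();
    }

    /**
     * Returns a Cipher to wrap in a CryptoObject, or null when the key is missing or
     * was invalidated by a newly enrolled fingerprint. On null, require the password
     * again and call createKey() only after that login succeeds.
     */
    public static Cipher cipherOrNull() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        SecretKey key = (SecretKey) ks.getKey(KEY_ALIAS, null);
        if (key == null) return null;
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7Padding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, key);
            return cipher;
        } catch (KeyPermanentlyInvalidatedException e) {
            ks.deleteEntry(KEY_ALIAS); // enrolled fingerprint set changed since key creation
            return null;
        }
    }
}
```

This covers a fingerprint added after the key was created; it does not distinguish between fingerprints that were already enrolled at that time.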