I am looking for retrieving Fingerprint data to be sent to server backend. My application is used by sales team and whenever there is new customer, the sales will ask customer to scan his fingerprint (and eventually send them to corporate server).
Is it possible to do it using latest API/SDK available out there?
AFAIK, Samsung SDK doesn't provide it, nor Android Marhsmallow.
Neither, the fingerprint image nor its features are accessible by the API. From Android website I quote:
Thus, raw images and processed fingerprint features must not be passed in untrusted memory. All such biometric data needs to be secured within sensor hardware or trusted memory. (Memory inside the TEE is considered as trusted memory; memory outside the TEE is considered untrusted.)
I seriously doubt you can get raw fingerprint data because it is used as an authentication method.
In the same way that you can't retrieve the device password, you won't be able to get fingerprint data. It would be a significant security risk to do so.
As mentioned before, the Fingerprint API's won't allow you access to the raw data.
But there is a different solution. Don't use the Fingerprint scanner. Instead use the camera.
Related
I'm trying to authenticate users to the backend server using fingerprint.
The scenario that I can think of is when user registers with a new account, I should send some sort of a unique identifier to the server related to the fingerprint..
Later the user can send only that unique id to the server to log in with no passwords or emails or any other credentials..
Is that possible?
If so, how?
It is technically possible since it has been done.
As the user registers with or for a new account, you also enroll one or more fingerprints. To do that, a fingerprint scanner is required. (Note that the fingerprint
image that the Android fingerprint reader captures, cannot be "taken" out of the phone. You need an external fingerprint reader.)
Also needed is some sort of SDK for extracting a template from the fingerprint image. (The template is close to what you might be calling the unique identifier, although it might not really be that unique.) The manufacturer of the fingerprint reader, usually also supplies the SDK. If they do not, you'll need a third-party SDK. One can search online for those.
The extracted template is stored on the server alongside other user data. At login, you extract a template from the same finger, transmit it to the server, and search amongst the previously enrolled templates. For that search (identification), you also need some SDK, or some sort of AFIS. There are commercial as well as free offerings (such as sourceAfis).
A better explanation is given in the Wikipedia article.
I'm trying to find a way to support the following scenario with fingerprint scan authentication. I work on an app that is used in an enterprise setting, where a single Android device is likely to be shared by many users. The current fingerprint scan APIs seem to follow a model where a user registers their fingerprint with the device, and then the fingerprint scan library basically just verifies that the fingerprint being scanned matches some known fingerprint stored locally in the device. This model is incompatible with my use case, since each of my users may pick up a different Android device each time they need to use the app. And each device may be used by multiple users.
Are there any ideas for overcoming this problem? I'm thinking along the lines of getting some kind of hash or other unique identifier from the fingerprint scanner, which I could then store in my central database, and each user authentication attempt can be authenticated against this central server. But sadly, it looks like neither Google's api nor vendor specific sdks allow this behavior.
Suggestions/insight would be appreciated.
If a device has a fingerprint sensor, a user can enroll one or more fingerprints and then use their fingerprints to unlock the device and perform other tasks.
Android uses the Fingerprint Hardware Abstraction Layer (HAL) to connect to a vendor-specific library and fingerprint hardware, e.g. a fingerprint sensor.
I'm making a cross-platform application on Monodroid/MonoTouch, and my application should contact with server-side part to get data from it. Data is sensitive and is the base of application.
How would i defend it to restrict usage of server-side from other people/applications, assuming people can get correct request syntax or if i encode my query with secret key they can get that key by debugging.
You'll need confidentiality in your data transfers, e.g. using SSL/TLS, like HTTPS, but that alone won't be enough. By default it means that the client can ensure it trust the server, not that the server can trust the client (and that does not cover your debugging case).
So you'll need authentication as well. That's nearly identical to having a secret key except that it needs to be user (or the entity you trust) based, not hard coded into the application itself (that can't be trusted).
Having the users register and get passwords (or a user-token saved to the device storage) is one way to start this. It will protect your from other people using your data.
You can enhance this by creating some kind a user/device association so that a user secret can't be shared across several devices... that can limit the possibility of using an alternative (untrusted) application by the same (trusted) user, e.g. on a different device.
I want to hide some data that is entered by user in user's phone encrypted. As far as I know I can encrypt/decrypt data using a key/seed value, but if I hide the key value in code, I know it can be found somehow (e.g. decompiling the Java code).
Do you have any suggestions to make the process harder?
It is impossible to hide the key in the app such that a resourceful hacker won't be able to pull it out. You can try to obfuscate the key and make it difficult to find but it will always be do able.
See this: https://www.excelsior-usa.com/articles/java-obfuscators.html#examples
The best option would be to require your users to specify a PIN or password and to use that as the encryption key. That way if the device is lost or stolen the key is still safe and it also prevents someone from decompiling your app and getting the encryption key for all instances of your application.
One of the new features in Ice Cream Sandwich (Android 4.0) is the keychain API. From the Platform Highlights page (emphasis mine):
Android 4.0 makes it easier for applications to manage authentication
and secure sessions. A new keychain API and underlying encrypted
storage let applications store and retrieve private keys and their
corresponding certificate chains. Any application can use the keychain
API to install and store user certificates and CAs securely.
If you're doing this for username/password data, you should checkout implementing an Authenticator.
Since android does not have any secure storage on it ( at least as of 2.2), you would have to write your own.
The only way to do this really securely is to encrypt with a key derived from a user supplied password (PBKDF2/ RFc2898 being the way to that). Crypto is only as secure as your key and if you store that on the phone in anyway, then someone can find it and use it. This allows you to have the user store the key without actually remembering a large AES key.
There may be libraries that do this for android. I wrote one for windows phone that can be found here if you want some basis for how to do it.
If encryption/decryption all happens on the handset, a determined hacker will be able to crack it. You can make life harder by using obfustication, or (if appropriate for your application), adding user input into the encrypt/decrypt code.
If your application requires network connectivity, it might be worth off-loading some of the code to a server running elsewhere, so that encrypted data lives on the device, but keys are downloaded at run-time. Still not hack-proof, but it reduces risks to confidential data on a stolen device.
I haven't been able to find a way to open a password-protected SQLite database on Android. Since the device can easily be rooted, I am thinking of password protecting the database file. However, I am not having much luck finding anything built into the Android platform.
I don't think that Android framework supports password protection on databases. Your best bet is to encrypt your data. See SO question: Android Sqlite Password Encryption
You can encrypt SQLiteDatabases. Android does not support full-database encryption so you'd have to implement that yourself if you want to.
If you want to go down the encryption route, you're much better off just encrypting the sensitive information yourself and storing it in a database field, as per Morrison's answer.
All that said -- where are you putting the password for the encryption function? You'll probably need it somewhere in your application! In which case someone can just disassemble your code and then find the password, and decrypt the info (although it will be a bit more work).
Unless you're hashing info (one-way) then without hardware encryption on a device (and even that has flaws) you cannot store anything on the device perfectly securely -- you're always going to need to decrypt the info some time and for that the password has to be on the device somewhere.
If you want really robust security then store sensitive information on a server (preferably in a really secure location), not the device, and only communicate between the device and server over encrypted channels (HTTPS). You'll also need to authenticate the device in a secure manner. But to do that you need to store some sensitive information ON the device in order to authenticate the device with the server, unless you force the user to enter a password every time (recommended if security is a must).
If the information is stored on a server you can't necessarily prevent someone who shouldn't gaining access (by finding the password you have stored or phishing the user if it's stored in their head), but you can revoke access to the information.