
Android decrypts and gets data without fingerprint prompt #235

Open
pani7 opened this issue Aug 8, 2019 · 5 comments

Comments

@pani7

pani7 commented Aug 8, 2019

Hi, on iOS, after implementing the basic example I get a Touch ID prompt to authenticate with a fingerprint to get the data, but on Android it just gets the data and decrypts it without any prompt for a fingerprint. I just get it immediately.
Is this correct behavior? Should I implement the fingerprint prompt for Android separately with another library and then, upon successful auth, get the data from the keystore?

Thanks for your help

@EnricoMazzu

Hi pani7,

Looking at the source code I found this:

```java
import android.annotation.TargetApi;
import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;

@TargetApi(Build.VERSION_CODES.M)
private KeyGenParameterSpec.Builder getKeyGenSpecBuilder(String service) {
    return new KeyGenParameterSpec.Builder(
            service,
            KeyProperties.PURPOSE_DECRYPT | KeyProperties.PURPOSE_ENCRYPT)
        .setBlockModes(ENCRYPTION_BLOCK_MODE)
        .setEncryptionPaddings(ENCRYPTION_PADDING)
        .setRandomizedEncryptionRequired(true)
        //.setUserAuthenticationRequired(true) // Will throw InvalidAlgorithmParameterException if there is no fingerprint enrolled on the device
        .setKeySize(ENCRYPTION_KEY_SIZE);
}
```

As you can see, `setUserAuthenticationRequired` is currently disabled.

I'm afraid you will have to wait for the merge of this pull request:
#148

Without `setUserAuthenticationRequired`, you can use the generated key (which lives in the keystore) without user authentication (technically you could use the key with the device locked).

From the security perspective, the key material is relatively protected (because the private key lives outside your process memory), but with hooking an attacker was able to use this key without user authentication.
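An added example, not code from react-native-keychain or from anyone in this thread, of what the commented-out line changes in practice: the key is generated with `setUserAuthenticationRequired(true)`, key generation fails closed when no biometric or secure lock screen is enrolled (the `InvalidAlgorithmParameterException` mentioned in the comment), the cipher is only used through an androidx `BiometricPrompt.CryptoObject`, and a small diagnostic reports whether a key already stored under an alias is actually auth-bound (useful for checking what a library version really generated on a given device). It assumes the `androidx.biometric` and `androidx.core` artifacts are on the classpath; `KEY_ALIAS`, `AuthBoundKeyExample` and the `PlaintextCallback` interface are made up for the example.

```java
// Added example (not the library's code). Assumes androidx.biometric / androidx.core.
import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import androidx.biometric.BiometricPrompt;
import androidx.core.content.ContextCompat;
import androidx.fragment.app.FragmentActivity;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;

public final class AuthBoundKeyExample {
    private static final String KEY_ALIAS = "example_service"; // hypothetical alias
    private static final String ANDROID_KEYSTORE = "AndroidKeyStore";

    /** Result callback for the asynchronous prompt flow (hypothetical helper type). */
    public interface PlaintextCallback { void onResult(byte[] plaintextOrNull); }

    /** Generates an AES-GCM key that Keystore will only use after a user authentication. */
    public static SecretKey generateAuthBoundKey() throws Exception {
        KeyGenParameterSpec.Builder b = new KeyGenParameterSpec.Builder(
                KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setRandomizedEncryptionRequired(true)
            .setKeySize(256)
            // The line the library left commented out: every use of the key now needs
            // a user authentication, enforced by Keystore rather than by app code.
            .setUserAuthenticationRequired(true);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.N) {
            // Make the key unusable if a new biometric is enrolled after creation.
            b.setInvalidatedByBiometricEnrollment(true);
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEYSTORE);
        try {
            kg.init(b.build());
        } catch (InvalidAlgorithmParameterException e) {
            // No biometric / secure lock screen enrolled: fail closed instead of
            // silently falling back to a key anyone with code execution can use.
            throw new IllegalStateException("No secure lock screen or biometric enrolled", e);
        }
        return kg.generateKey();
    }

    /** Diagnostic: does the key stored under `alias` actually require user authentication? */
    public static boolean keyRequiresUserAuth(String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(ANDROID_KEYSTORE);
        ks.load(null);
        SecretKey key = (SecretKey) ks.getKey(alias, null);
        if (key == null) return false;
        SecretKeyFactory f = SecretKeyFactory.getInstance(key.getAlgorithm(), ANDROID_KEYSTORE);
        KeyInfo info = (KeyInfo) f.getKeySpec(key, KeyInfo.class);
        return info.isUserAuthenticationRequired();
    }

    /** Decrypts `ciphertext` only after the user passes the biometric prompt. */
    public static void decryptWithPrompt(FragmentActivity activity, byte[] iv,
                                         final byte[] ciphertext, final PlaintextCallback cb)
            throws Exception {
        KeyStore ks = KeyStore.getInstance(ANDROID_KEYSTORE);
        ks.load(null);
        SecretKey key = (SecretKey) ks.getKey(KEY_ALIAS, null);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        try {
            // For a per-use auth key, init() succeeds; doFinal() is what Keystore refuses
            // until this exact operation has been authorised via the CryptoObject below.
            cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        } catch (KeyPermanentlyInvalidatedException e) {
            // Biometric enrolment changed since the key was created: the stored data is
            // unrecoverable by design; delete the alias and re-provision.
            cb.onResult(null);
            return;
        }
        BiometricPrompt.PromptInfo info = new BiometricPrompt.PromptInfo.Builder()
            .setTitle("Unlock stored credentials")
            .setNegativeButtonText("Cancel")
            .build();
        BiometricPrompt prompt = new BiometricPrompt(activity, ContextCompat.getMainExecutor(activity),
            new BiometricPrompt.AuthenticationCallback() {
                @Override
                public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {
                    try {
                        // Use the cipher handed back by the prompt: that is the operation
                        // Keystore just authorised, not a fresh, unauthorised one.
                        Cipher authorised = result.getCryptoObject().getCipher();
                        cb.onResult(authorised.doFinal(ciphertext));
                    } catch (Exception e) {
                        cb.onResult(null);
                    }
                }
            });
        prompt.authenticate(info, new BiometricPrompt.CryptoObject(cipher));
    }
}
```

The point of routing the cipher through `CryptoObject` is that the "is the user present" decision is made by Keystore when it authorises the operation, so a hook that bypasses the app's own prompt logic still cannot complete `doFinal`. `keyRequiresUserAuth` is the quick check to run on a device where the prompt never appears: if it returns `false` for the library's alias, the key was generated without `setUserAuthenticationRequired`, and no amount of prompting in app code will change what Keystore enforces.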

@fendorio

Running into the same issue, trying out a couple of the forks mentioned in the thread in the interim, no such luck thus far.

Anyone using a fork, or similar library for now which provides the functionality on Android?

@OleksandrKucherenko
Contributor

#260 - correct implementation of the biometric in lib... waiting for its merge and global spreading :)

@lancesnider

5.0.0 appears to have fixed the problem. I'm no longer running into this issue. Thanks! 🌮🌮🌮

@franconob

I'm still experiencing this issue with v6.2.0 on a Xiaomi Mi 9: Android doesn't prompt for a fingerprint and gets the data automatically from the keychain.


6 participants