Android comes with Android KeyStore, a secure container for storing key material. It is possible to define certain keys so that they are only unlocked when the user authenticates with biometric credentials. This way, even if the application process is compromised, the attacker cannot use the keys, because the presence of the authorized user is required.
These keys can be used to encrypt, sign or create a message authentication code (MAC) as proof that the authentication result has not been tampered with. This protection defeats the scenario where an attacker with physical access to the device hooks into the application process and calls the onAuthenticationSucceeded method directly: without a genuine authentication, the attacker is unable to extract the sensitive data or to perform the critical operations protected by the biometric authentication.
The application contains:
There is a risk if you answered yes to this question.
It’s recommended to tie the biometric authentication to a cryptographic operation by using a CryptoObject during authentication.
A CryptoObject is not used during authentication:

```java
// ...
BiometricPrompt biometricPrompt = new BiometricPrompt(activity, executor, callback);
// ...
biometricPrompt.authenticate(promptInfo); // Noncompliant
```
A CryptoObject is used during authentication:

```java
// ...
BiometricPrompt biometricPrompt = new BiometricPrompt(activity, executor, callback);
// ...
biometricPrompt.authenticate(promptInfo, new BiometricPrompt.CryptoObject(cipher)); // Compliant
```
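The compliant snippet above only shows the `authenticate` call; the following added example (not part of the original rule page) shows where the `cipher` comes from and why it binds the result to the KeyStore. It assumes a key alias `example_biometric_key`, the `androidx.biometric` `BiometricPrompt`, and that `activity`, `executor` and `promptInfo` exist as in the snippets above.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import androidx.biometric.BiometricPrompt;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class BiometricCryptoExample {
    // Alias of the key in the Android KeyStore (assumed name, any string works)
    private static final String KEY_ALIAS = "example_biometric_key";

    // Generate an AES-GCM key that the KeyStore will only use for an operation
    // the user has just authorized with biometrics (setUserAuthenticationRequired).
    static void generateKey() throws Exception {
        KeyGenerator generator = KeyGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        generator.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setUserAuthenticationRequired(true)
                .build());
        generator.generateKey();
    }

    // Initialise a Cipher with the KeyStore key and wrap it in a CryptoObject. init()
    // throws KeyPermanentlyInvalidatedException if biometric enrolment changed: regenerate then.
    static BiometricPrompt.CryptoObject cryptoObjectForEncryption() throws Exception {
        KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
        keyStore.load(null);
        SecretKey key = (SecretKey) keyStore.getKey(KEY_ALIAS, null);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key);
        return new BiometricPrompt.CryptoObject(cipher);
    }

    // The Cipher returned in the result is bound to the authorized operation: doFinal()
    // throws unless a genuine biometric authentication unlocked the key, so calling
    // onAuthenticationSucceeded directly (hooking) does not yield usable data.
    static BiometricPrompt.AuthenticationCallback callback(byte[] plaintext) {
        return new BiometricPrompt.AuthenticationCallback() {
            @Override
            public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {
                try {
                    Cipher cipher = result.getCryptoObject().getCipher();
                    byte[] ciphertext = cipher.doFinal(plaintext); // store with cipher.getIV()
                } catch (Exception e) { /* treat as authentication failure, no plaintext fallback */ }
            }
        };
    }
}
```

The prompt is then started with `biometricPrompt.authenticate(promptInfo, cryptoObjectForEncryption())`, matching the compliant snippet above.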