NiklasMerz / cordova-plugin-fingerprint-aio

Cordova Plugin for fingerprint sensors (and FaceID) with Android and iOS support
https://www.npmjs.com/package/cordova-plugin-fingerprint-aio
MIT License

Wrong behaviour in Android 10 with disablebackup false #417

Open andreszs opened 2 years ago

andreszs commented 2 years ago

Bug report

The .show method seems to be flawed in Android 10.

Behavior in Android 7/8/9

image

Behavior in Android 10 (Samsung, Redmi)

image

BiometricPrompt.PromptInfo.Builder notice

The setDeviceCredentialAllowed method shows this warning:

> On versions prior to Android 10 (API 29), calls to [BiometricPrompt.cancelAuthentication()](https://developer.android.com/reference/androidx/biometric/BiometricPrompt#cancelAuthentication()) will not work as expected after the user has chosen to authenticate with their device credential. This is because the library internally launches a separate activity (by calling KeyguardManager.createConfirmDeviceCredentialIntent(CharSequence, CharSequence)) that does not have a public API for cancellation.

The reality check shows the exact opposite: behaviour with setDeviceCredentialAllowed(true) does work as expected UNTIL Android 10, which duplicates the dialogs. And cancelling the pattern/pin dialog correctly returns a BIOMETRIC_DISMISSED failure callback.

Plugin demo app

To easily test this plugin, I've created and uploaded a small Fingerprint Plugin demo app. Kindly let me know if this behavior persists in your Android 10+ phones.

Environment

onuh commented 2 years ago

I have this issue on Android 11

andreszs commented 2 years ago

After inspecting the source, it seems the duplicated dialog is a plugin workaround to bypass an Android 10+ introduced bug reported years ago.

I've been working on a PR to replace the deprecated setDeviceCredentialAllowed method with API 30's setAllowedAuthenticators, only to find out that the latest stable Biometric API 1.1.0 still includes this bug. :roll_eyes:

This bug was partially fixed in androidx.biometric:biometric:1.2.0-alpha04:

> Fixed an issue on API 29 where some devices (including emulators) would receive a cancellation error when falling back to PIN/pattern/password. Note that, for some devices on API 29, this may cause the user to be prompted for their screen lock even if a biometric is available and enrolled. (b/142740104)

This 1.2.0 alpha 04 fix was released 6 months ago and there is not even a release candidate version yet, not to mention a stable release. :angry:

Now it all depends on the androidx developers to release a stable version with this fix; however, they seem to prefer wasting time with Kotlin and adding more features over fixing issues reported 3 years ago. Yep, that's definitely the Google Android team.

Testing biometric API 1.2.0 alpha 04

Building the app with this unstable alpha API and with target SDK 30 triggers this error:

The minCompileSdk (31) specified in a dependency's AAR metadata (META-INF/com/android/build/gradle/aar-metadata.properties) is greater than this module's compileSdkVersion (android-30). Dependency: androidx.biometric:biometric:1.2.0-alpha04. AAR metadata file: C:\Users\Desarrollo.gradle\caches\transforms-3\8c68f6ea435579e4588be7c2dc68b613\transformed\biometric-1.2.0-alpha04\META-INF\com\android\build\gradle\aar-metadata.properties.

Which means the fix requires API 31 build tools. I'm not sure if Cordova 11 can be safely compiled against SDK 31, so that's the end of my research for now. I've wasted an entire day dealing with this bugged API for nothing.

Bugged androidx biometric API 1.1.0 (stable) behaviour

image

This issue does not affect Android 9 and earlier devices. They managed to introduce it somewhere in API level 29.
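The replacement of setDeviceCredentialAllowed with setAllowedAuthenticators mentioned in the thread, sketched as an added example that is not part of the original comments or the plugin's code. The class and method names (`PromptInfoFactory`, `authenticatorsFor`, `canPrompt`, `build`) are hypothetical, it assumes androidx.biometric 1.1.0, and it does not address the duplicated dialog on API 29.

```java
import android.content.Context;
import android.os.Build;
import androidx.biometric.BiometricManager;
import androidx.biometric.BiometricManager.Authenticators;
import androidx.biometric.BiometricPrompt;

// Hypothetical helper, not the plugin's code. Assumes androidx.biometric 1.1.0.
final class PromptInfoFactory {

    // Picks an authenticator mask that PromptInfo.Builder.build() accepts on this API level.
    static int authenticatorsFor(int sdkInt, boolean allowDeviceCredential) {
        if (!allowDeviceCredential) {
            return Authenticators.BIOMETRIC_STRONG;
        }
        if (sdkInt == Build.VERSION_CODES.P || sdkInt == Build.VERSION_CODES.Q) {
            // BIOMETRIC_STRONG | DEVICE_CREDENTIAL is unsupported on API 28-29 and makes
            // build() throw IllegalArgumentException. The supported mask below also
            // accepts Class 2 (weak) biometrics, so the fallback lowers the bar.
            return Authenticators.BIOMETRIC_WEAK | Authenticators.DEVICE_CREDENTIAL;
        }
        return Authenticators.BIOMETRIC_STRONG | Authenticators.DEVICE_CREDENTIAL;
    }

    // True when the device can currently satisfy the requested authenticators.
    static boolean canPrompt(Context context, int authenticators) {
        return BiometricManager.from(context).canAuthenticate(authenticators)
                == BiometricManager.BIOMETRIC_SUCCESS;
    }

    static BiometricPrompt.PromptInfo build(String title, String cancelText,
                                            boolean allowDeviceCredential) {
        int authenticators = authenticatorsFor(Build.VERSION.SDK_INT, allowDeviceCredential);
        BiometricPrompt.PromptInfo.Builder builder = new BiometricPrompt.PromptInfo.Builder()
                .setTitle(title)
                .setAllowedAuthenticators(authenticators);
        if (!allowDeviceCredential) {
            // The negative button is mandatory without DEVICE_CREDENTIAL and forbidden
            // with it; build() throws IllegalArgumentException in either wrong case.
            builder.setNegativeButtonText(cancelText);
        }
        return builder.build();
    }
}
```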