Cannot sign transaction: unlok pattern loop

[rvalle]

Hi!

I am on Vault 3.6.1 Android.

Signing transactions is not working:

• I scan the QR
• I enter the PIN for the Seed.
• Phone enters a loop asking the unlock pattern.

I tried to replace the unlock pattern by a plain PIN.

Now the vault is now allowing me to sign with: "key permanently invalidated exception".

[AndreasGassmann]

Thanks for the report, we are looking into it.

According to the docs, the "key permanently invalidated exception" is caused by the user changing / resetting his passcode or biometrics. https://developer.android.com/reference/android/security/keystore/KeyPermanentlyInvalidatedException

One issue here is that in this case, the Vault should actually prompt you for the "recovery key", which doesn't happen at the moment.

[rvalle]

I got into the same loop asking for the unlock pattern, again. After some months of all operating smoothly. Also, note that this device is dedicated as vault device.

Any idea why? nobody else experiencing this?

[AndreasGassmann]

We had one other report about this via email a couple months ago, but other than that no. We looked into this, but we are not able to reproduce it.

You say that it has been working for months. Did you change anything that triggered this issue?

• Did you update the device?
• Did you update AirGap Vault?
• Did you update any other app on the device?
• Did you change any system settings (eg. PIN, Biometrics, PIN requirements)?
• Did you connect your phone to the internet (wifi / cellular)?

[rvalle]

It is a mystery. this device is dedicated as vault. Has connectivity turned off. I have not installed anything, and my vault was up to date since I originally had the problem. this is the second time.

[rvalle]

I reinstalled the vault, and re-imported the secret and works again. I noticed that the pattern asking loop happens right after signing the transaction before asking where is the walled: same device or other. If that is of any use.

I don't know what leads to the installation getting corrupt... no idea.

[AndreasGassmann]

Before reinstalling the Vault, have you tried to just re-import the secret? It would be interesting if the problem is on a secret level, or on an app level.

In any case, one of our team members just had the same issue happen today on his dedicated device (but if I'm informed correctly, it was like that even after re-installing the app, do it never actually worked on that device). We will get that device on Monday and can hopefully track the issue down on that device. I'll let you know what we find.

[AndreasGassmann]

So we finally got our hands on a device where we could reproduce the issue. Sadly, this seems to be related to the OS or the hardware.

Basically, the issue is that when we request the seed from the secure storage, the device tells us that the user is not authenticated. Then we show the native prompt to authenticate (eg. pin / pattern / fingerprint). After that, the user should be authenticated for the next 15 seconds. Then we immediately request the seed again, which will then return it because the user is authenticated. However, on some devices, the second request fails again with the same error, "user not authenticated". No matter how many times the user authenticates, the device keeps thinking that the user is not, which will result in an infinite loop.

This is the ticket that was opened on the android issue tracker over 2 years ago: https://issuetracker.google.com/issues/119944680?pli=1

Sadly, as this does not seem to be a common issue and google closed the issue because it's not reproducible, there is nothing we can do in this case. The only thing we could do is to update the apps and use a less secure approach to storing the seed. With our latest findings, we will now have some discussions on what we will do.

[rvalle]

thanks for the heads up. I have now input my secrets a number of times and does not feel so scary anymore.