auth0 / Auth0.Android

Android toolkit for Auth0 API
https://auth0.com
MIT License

Consistently getting `A change on the Lock Screen security settings have deemed the encryption keys invalid and have been recreated. Any previously stored content is now lost. Please try saving the credentials again.` #644

Closed bennycao closed 1 year ago

bennycao commented 1 year ago

Describe the problem

In our app, when the code is retrieving the encrypted credentials, we are consistently seeing this error being returned: `A change on the Lock Screen security settings have deemed the encryption keys invalid and have been recreated. Any previously stored content is now lost. Please try saving the credentials again.`

With a stack trace of

com.auth0.android.authentication.storage.CredentialsManagerException: A change on the Lock Screen security settings have deemed the encryption keys invalid and have been recreated. Any previously stored content is now lost. Please try saving the credentials again.
        at com.auth0.android.authentication.storage.SecureCredentialsManager.continueGetCredentials$lambda-3(SecureCredentialsManager.kt:427)
        at com.auth0.android.authentication.storage.SecureCredentialsManager.$r8$lambda$lzipqfeeDXjWZ6piYqZb9m3XmPs(SecureCredentialsManager)
        at l0.b.run(Unknown:10)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1137)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:637)
        at java.lang.Thread.run(Thread.java:1012)

Caused by: com.auth0.android.authentication.storage.CryptoException: The RSA encrypted input is corrupted and cannot be recovered. Please discard it.
        at com.auth0.android.authentication.storage.CryptoUtil.RSADecrypt(CryptoUtil.java:305)
        at com.auth0.android.authentication.storage.CryptoUtil.getAESKey(CryptoUtil.java:372)
        at com.auth0.android.authentication.storage.CryptoUtil.decrypt(CryptoUtil.java:416)
        at com.auth0.android.authentication.storage.SecureCredentialsManager.continueGetCredentials$lambda-3(SecureCredentialsManager.kt:411)
        at com.auth0.android.authentication.storage.SecureCredentialsManager.$r8$lambda$lzipqfeeDXjWZ6piYqZb9m3XmPs(SecureCredentialsManager)
        at l0.b.run(Unknown:10)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1137)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:637)
        at java.lang.Thread.run(Thread.java:1012)

Caused by: javax.crypto.IllegalBlockSizeException
        at android.security.keystore2.AndroidKeyStoreCipherSpiBase.engineDoFinal(AndroidKeyStoreCipherSpiBase.java:613)
        at javax.crypto.Cipher.doFinal(Cipher.java:2056)
        at com.auth0.android.authentication.storage.CryptoUtil.RSADecrypt(CryptoUtil.java:275)
        at com.auth0.android.authentication.storage.CryptoUtil.getAESKey(CryptoUtil.java:372)
        at com.auth0.android.authentication.storage.CryptoUtil.decrypt(CryptoUtil.java:416)
        at com.auth0.android.authentication.storage.SecureCredentialsManager.continueGetCredentials$lambda-3(SecureCredentialsManager.kt:411)
        at com.auth0.android.authentication.storage.SecureCredentialsManager.$r8$lambda$lzipqfeeDXjWZ6piYqZb9m3XmPs(SecureCredentialsManager)
        at l0.b.run(Unknown:10)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1137)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:637)
        at java.lang.Thread.run(Thread.java:1012)

Caused by: android.security.KeyStoreException: Unknown error (internal Keystore code: -1000 message: In KeystoreOperation::finish

Caused by:
    0: In finish: KeyMint::finish failed.
    1: Error::Km(ErrorCode(-1000)))
        at android.security.KeyStore2.getKeyStoreException(KeyStore2.java:369)
        at android.security.KeyStoreOperation.handleExceptions(KeyStoreOperation.java:78)
        at android.security.KeyStoreOperation.finish(KeyStoreOperation.java:128)
        at android.security.keystore2.KeyStoreCryptoOperationChunkedStreamer$MainDataStream.finish(KeyStoreCryptoOperationChunkedStreamer.java:228)
        at android.security.keystore2.KeyStoreCryptoOperationChunkedStreamer.doFinal(KeyStoreCryptoOperationChunkedStreamer.java:181)
        at android.security.keystore2.AndroidKeyStoreCipherSpiBase.engineDoFinal(AndroidKeyStoreCipherSpiBase.java:603)
        at javax.crypto.Cipher.doFinal(Cipher.java:2056)
        at com.auth0.android.authentication.storage.CryptoUtil.RSADecrypt(CryptoUtil.java:275)
        at com.auth0.android.authentication.storage.CryptoUtil.getAESKey(CryptoUtil.java:372)
        at com.auth0.android.authentication.storage.CryptoUtil.decrypt(CryptoUtil.java:416)
        at com.auth0.android.authentication.storage.SecureCredentialsManager.continueGetCredentials$lambda-3(SecureCredentialsManager.kt:411)
        at com.auth0.android.authentication.storage.SecureCredentialsManager.$r8$lambda$lzipqfeeDXjWZ6piYqZb9m3XmPs(SecureCredentialsManager)
        at l0.b.run(Unknown:10)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1137)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:637)
        at java.lang.Thread.run(Thread.java:1012)

But not limited to the above stack trace.

Is this sort of exception expected?

What was the expected behavior?

Decrypt working and credentials returned.

Reproduction

I haven't been successful in reproducing this issue with any of our emulators or devices.

Environment

Not sure if it is a coincidence, but many of the issues are on Android 13, 12, 11... but not limited to those.

poovamraj commented 1 year ago

Hi @bennycao,

Are you seeing this in your production logs and not able to reproduce it locally? Asking this because you mentioned that the issue is happening consistently but you are not able to reproduce this.

  1. Could it be that your users actually changed their lock screen?
  2. Is it happening in single device? Any idea on the manufacturer and model?

bennycao commented 1 year ago

> Hi @bennycao,
>
> Are you seeing this in your production logs and not able to reproduce it locally? Asking this because you mentioned that the issue is happening consistently but you are not able to reproduce this.
>
> 1. Could it be that your users actually changed their lock screen?
>
> 2. Is it happening in single device? Any idea on the manufacturer and model?

Hi @poovamraj, it is happening in our production logs and it's many devices, models and OS versions. But mainly Android 13, 12, 11. But this could be because most people are on these versions.

I have not been able to replicate it by changing lock screens on physical devices or emulators. The only way I've replicated it is on Android 5 by changing the lock screen.

poovamraj commented 1 year ago

Do you think this could be the reason?

> Could it be that your users actually changed their lock screen?

Any idea on the % of users having this issue? This is the first time this is being reported and there could be a valid reason that users change their lock screen.

bennycao commented 1 year ago

> Do you think this could be the reason?
>
> > Could it be that your users actually changed their lock screen?
>
> Any idea on the % of users having this issue? This is the first time this is being reported and there could be a valid reason that users change their lock screen.

By my rough calculations it is a bit below 1% of users.

poovamraj commented 1 year ago

In that case can we consider this as a situation where the user is actually changing the lock screen which causes this exception?

I'd suggest closing this issue as we are not able to reproduce this, never reported before and happens only for a small subset.

bennycao commented 1 year ago

> In that case can we consider this as a situation where the user is actually changing the lock screen which causes this exception?
>
> I'd suggest closing this issue as we are not able to reproduce this, never reported before and happens only for a small subset.

I'm more concerned that it cannot be reproduced, and that the error message seems confident that it is because of a change in the lock screen. I would assume that it would be reproducible if it was. This leads me to think the error message is not accurate and this is another issue.

poovamraj commented 1 year ago

@bennycao this error can happen due to multiple reasons. It is not that it happens every time a PIN is changed (it can happen, just not reliably). To handle these cases we have generally described it as "Lock screen security settings". The settings referred to here don't necessarily point to the PIN.

Hope this helps. We will close this issue for now, but feel free to comment here and we can reopen it if you have more doubts.
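Since the SDK collapses several different Keystore failures into the single "Lock Screen security settings" message, an app that wants to tell them apart has to look at the cause chain itself. The snippet below is an added illustration written for this thread, not code from the Auth0.Android project: it logs every link of the chain (so the root `KeyStoreException` / `IllegalBlockSizeException` from the trace above ends up in production logs), treats a `CryptoException` anywhere in the chain as the unrecoverable-blob case, clears the stored credentials and asks for re-authentication instead of retrying decryption that can never succeed. It assumes Auth0.Android 2.x (`SecureCredentialsManager`, `CredentialsManagerException`, `CryptoException`, `Callback`, `Credentials` are SDK types, with `CryptoException` assumed to be accessible from app code); `describeCauseChain`, `isUnrecoverableStorageError`, `loadCredentials`, `onCredentials` and `onReLoginRequired` are hypothetical app-side names.

```kotlin
// Added example for this thread; not part of the Auth0.Android SDK or any comment above.
// Assumes Auth0.Android 2.x. Package name and app-side helpers are hypothetical.
package com.example.auth

import android.util.Log
import com.auth0.android.authentication.storage.CredentialsManagerException
import com.auth0.android.authentication.storage.CryptoException
import com.auth0.android.authentication.storage.SecureCredentialsManager
import com.auth0.android.callback.Callback
import com.auth0.android.result.Credentials

private const val TAG = "KeystoreDiagnostics"

/** Walks the cause chain (cycle-safe) so the root Keystore error, not just the SDK wrapper, is recorded. */
fun describeCauseChain(t: Throwable): List<String> {
    val chain = mutableListOf<String>()
    val seen = HashSet<Throwable>()
    var cur: Throwable? = t
    while (cur != null && seen.add(cur)) {
        chain += "${cur.javaClass.name}: ${cur.message}"
        cur = cur.cause
    }
    return chain
}

/** True when a CryptoException sits anywhere in the chain, i.e. the stored blob cannot be decrypted any more. */
fun isUnrecoverableStorageError(e: CredentialsManagerException): Boolean =
    generateSequence<Throwable>(e) { it.cause }.any { it is CryptoException }

fun loadCredentials(
    manager: SecureCredentialsManager,
    onCredentials: (Credentials) -> Unit,
    onReLoginRequired: (reason: String) -> Unit
) {
    manager.getCredentials(object : Callback<Credentials, CredentialsManagerException> {
        override fun onSuccess(result: Credentials) = onCredentials(result)

        override fun onFailure(error: CredentialsManagerException) {
            val chain = describeCauseChain(error)
            // Log every link: the SDK text says "lock screen settings", but the root
            // cause (KeyStoreException code, IllegalBlockSizeException, ...) is what
            // distinguishes a real key invalidation from other Keystore failures.
            chain.forEachIndexed { i, line -> Log.w(TAG, "cause[$i] $line") }

            if (isUnrecoverableStorageError(error)) {
                // Ciphertext that can no longer be decrypted has no value and should not be
                // retried; clear it explicitly (harmless if the SDK already did) and re-authenticate.
                manager.clearCredentials()
                onReLoginRequired(chain.lastOrNull() ?: error.message.orEmpty())
            } else {
                // Other failures (nothing stored, refresh failed, ...) leave the stored blob alone.
                onReLoginRequired(error.message.orEmpty())
            }
        }
    })
}
```

Surfacing the innermost cause in crash or analytics logs is also the quickest way to check the claim in this thread: if the bottom of the chain is consistently a `KeyStoreException` with the same internal code across devices that did not change their lock screen, that is evidence for a separate root cause rather than user action.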

ppamorim commented 1 year ago

@poovamraj We are experiencing the same issue when using rsaDecrypt to fetch an encryption key from the keychain. Do you have any solution for that? We tried to sync the access but it didn't resolve the issue.