Open abdallah-odeh opened 1 year ago
First, I am not a Swift developer!
But from your code, I figured out that the biometric authentication process is a guard for the data and is not used to encrypt it in the Keychain (the purpose of the key `authenticationRequired: false` is only to know whether to prompt for biometrics or not, but at the end of the day, the data is stored the same whether it's `true` or `false`).
When biometric authentication responds with a success, this code will be executed:
```swift
query.merge([
    // kSecMatchLimit as String: kSecMatchLimitOne,
    kSecValueData as String: content.data(using: String.Encoding.utf8) as Any,
])
```
I also read here that you actually can't get the biometric data in iOS to use it as an encryption key!
But in Android Kotlin, I was trying to know what this code block is built for, and why I can't use the `CryptoObject` or encrypt the data if I set `authenticationValidityDurationSeconds >= 0`?
```kotlin
if (cipher == null || options.authenticationValidityDurationSeconds >= 0) {
    // if authenticationValidityDurationSeconds is not -1 we can't use a CryptoObject
    logger.debug { "Authenticating without cipher. ${options.authenticationValidityDurationSeconds}" }
    prompt.authenticate(promptBuilder.build())
} else {
    prompt.authenticate(promptBuilder.build(), BiometricPrompt.CryptoObject(cipher))
}
```
Can anyone explain this to me? What if I want to prompt for biometrics every 5 minutes? Why is my data stored unencrypted? Thanks for your efforts in making the Flutter community more productive!

How does this plugin actually work? Is the biometric authentication step only to authorize the user to read/write data, or is there something extracted from the biometric authentication that is used to encrypt the data?

Also, if the data is stored in the Keychain and Keystore, and I created a sample app that uses the Keychain and Keystore directly without any biometrics, when I try to read from biometric_storage with `authenticationRequired: false`, shouldn't the value be returned? I mean, if my app has multiple pointers to a Keychain value, they must return the same value, right?
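The two Android Keystore authentication modes behind the Kotlin branch quoted in the post, as an added example that is not part of the issue and is not the plugin's code. The alias, function names and `NextStep` type are hypothetical; only the `android.security.keystore` and `javax.crypto` calls are real APIs.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import android.security.keystore.UserNotAuthenticatedException
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

const val KEY_ALIAS = "example_biometric_key" // hypothetical alias for this example

// validitySeconds = -1: every use of the key needs its own authentication.
// validitySeconds >= 0: the key is usable for that many seconds after a
// successful user authentication on the device.
fun createKey(validitySeconds: Int): SecretKey {
    val spec = KeyGenParameterSpec.Builder(
        KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setUserAuthenticationRequired(true)
        // Deprecated since API 30 (setUserAuthenticationParameters), still available.
        .setUserAuthenticationValidityDurationSeconds(validitySeconds)
        .build()
    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        .apply { init(spec) }
        .generateKey()
}

sealed class NextStep {
    data class PromptWithCryptoObject(val cipher: Cipher) : NextStep()
    object PromptWithoutCryptoObject : NextStep()
    data class EncryptNow(val cipher: Cipher) : NextStep()
}

fun prepareEncrypt(key: SecretKey, validitySeconds: Int): NextStep {
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    if (validitySeconds < 0) {
        // Per-use key: init succeeds, but doFinal only works after this exact
        // cipher has been authorized through BiometricPrompt.CryptoObject.
        cipher.init(Cipher.ENCRYPT_MODE, key)
        return NextStep.PromptWithCryptoObject(cipher)
    }
    return try {
        // Time-bound key: init succeeds only inside the validity window.
        cipher.init(Cipher.ENCRYPT_MODE, key)
        NextStep.EncryptNow(cipher)
    } catch (e: UserNotAuthenticatedException) {
        // Window expired: prompt without a CryptoObject, then init a new cipher.
        NextStep.PromptWithoutCryptoObject
    }
}
```

Running this requires an Android device or emulator with a secure lock screen set up. In both modes the key stays inside the Keystore and the data is encrypted with it; the modes differ only in how a use of the key gets authorized.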