department-of-veterans-affairs / va-mobile-app

"If VA were a company, it would have a flagship mobile app."
https://department-of-veterans-affairs.github.io/va-mobile-app/

BUG - 3 - Android - Samsung S8 Active Biometric Sign In Failure #2846

Open travis-newby opened 2 years ago

travis-newby commented 2 years ago

What happened?

I spoke to a VSO about the app. One of her complaints was that login is difficult. I explained to her the biometric login option, and she said that it didn't work for her. On the call, we confirmed that although her fingerprint worked when signing into other apps, it did not work when signing into ours.

We've seen similar information in app reviews, so I don't believe this is isolated to one person.

Specs:

Steps to Reproduce

  1. Sign into the app with MHV cred
  2. Check to make sure the fingerprint setting is on (it is)
  3. Close the app (open app switcher, swipe up)
  4. Reopen app. When the app is reopened, it asks for her fingerprint. She gives it (and the widget turns green).
  5. But she's not signed in. She just gets dropped back at the sign in page and has to hit the Sign In button and enter her credentials all over again.

Desired behavior

Biometrics works

Acceptance Criteria

Bug Severity - BE SURE TO ADD THE SEVERITY LABEL

Linked to Story

Screen shot(s) and additional information

Ticket Checklist

travis-newby commented 2 years ago

I've seen a few reviews complaining of fingerprint issues. I have no idea if they're related, but including them just in case.

digitalken commented 2 years ago

Unable to reproduce using a Samsung Galaxy S7 - Android version 8.0.0 - Samsung Experience version 9.0 - VA App version 1.16.1 (147).

dumathane commented 2 years ago

I tested this on my personal iPhone signing in on 41 and enabling biometrics. Closing app and relaunching allows bio to sign me in. @rarroyo23 do you use biometrics for your personal login? Ever had any issues?

rarroyo23 commented 2 years ago

@dumathane I do, but I have an iPhone and have never seen issues with it. I have a physical Android for development but haven't seen this happen.

DJUltraTom commented 2 years ago

I am able to repro using a Samsung Galaxy S21 5G with an ID.me user. Steps:

  1. Log in to VA app on device with biometrics enabled
  2. Go to settings and verify "use fingerprint" is switched on
  3. Kill app
  4. Let device sit for a day or 2
  5. Open app, observe no biometric prompt is present

Further step / workaround:

  6. Force quit app while on initial launch/sign in screen
  7. Reopen app
  8. Observe you are now prompted for biometric log in

rarroyo23 commented 2 years ago

@DJUltraTom do you see any log saying something like virtual invoked on a null for getPrivateKey?

DJUltraTom commented 2 years ago

@rarroyo23 I wasn't connected to Android Studio when I repro'd the issue. I will attempt again tomorrow while collecting logs.

travis-newby commented 2 years ago

Looks like maybe there are two issues, then?

  1. For the originator, she was prompted for her fingerprint and gave it but the app didn't sign in. It remained on the sign in screen.
  2. For some, the prompt isn't even appearing.

Awesome job reproducing 2! Still maybe some work to figure out 1.

b-rocha commented 2 years ago

Not actionable until we can get more definitive steps/ details. @DJUltraTom to check if this can be reproduced again (and consistently), and to provide any additional findings.

DJUltraTom commented 2 years ago

After much, much, much frustration, I was able to reproduce the issue while connected to Android Studio. Attached the error log and a separate "verbose" log. Hopefully this information is helpful as this issue has not been able to be reproduced consistently.

https://app.zenhub.com/files/292052392/2b6b444d-50b7-41bb-9485-4ff50a8cfcdb/download

https://app.zenhub.com/files/292052392/794a26a2-5cea-49d9-ab88-2731a5e673bd/download

TKDickson commented 1 year ago

Updating to sev-2 (authentication) per new severity scale.

StacyB2023 commented 1 year ago

@TKDickson Do you know the latest on this ticket? I see the sev was updated. Seems like a much older one.

TKDickson commented 1 year ago

Yep, I updated the severity based on the new scale - that's it from my end. I think that Eng has looked into this before (based on the logs that Tom added months back) but doesn't look like they provided any notes, so whoever grabs this will need to start from scratch, which is a bummer.

alexandec commented 1 year ago

Thanks @DJUltraTom for going through an arduous process to reproduce this error, and bringing back some logs. Looking at the log output you posted, I'm seeing that we log

startBiometricsLogin: starting

from the app, and then Android itself logs the following errors:

CipherStorageBase: Keystore operation failed
java.security.InvalidKeyException: Keystore operation failed
Caused by: android.security.KeyStoreException: Invalid user authentication validity duration

and finally with execution back in JS-land we log:

RNKeychainManager: Wrapped error: Keystore operation failed
ReactNativeJS: startBiometricsLogin: Failed to get generic password from keychain

Looking at these log messages I can see that the following sequence of events is happening:

  1. We attempt to retrieve the stored token from Android's secure storage on the phone using Keychain.getInternetCredentials()
  2. The attempt fails and getInternetCredentials throws an error
  3. We log the error to Firebase and clear the stored credentials, presumably because they are assumed to be invalid
  4. We show the login page which requires the user to log in with username and password

I looked in Firebase (crashlytics) for "startBiometricsLogin: Auth Service Error" and found that 86% of these errors occur on Samsung devices. I wonder if Samsung has an issue with their biometrics implementation that causes the errors. The errors are continuing to occur as of Android 13, so they are not limited to old devices.

I also found that "startBiometricsLogin: Auth Service Error" occurs with roughly equal frequency on iOS and Android, which I did not expect. It's possible that iOS users are experiencing biometrics login errors as well, even though this ticket focuses only on Android.

I am still attempting to reproduce the issue locally on my Samsung Galaxy S7 running Android 8.0.0. Thus far my biometric (fingerprint) sign-in is working perfectly. I will try leaving a longer gap before signing in again to see if that causes the error to occur.

Another angle I'm pursuing is looking at react-native-keychain which is the module we use to implement cross-platform biometric authentication. It's possible there are configuration options we could play with to improve our error rate. However the module may limit configuration options compared to what is possible using native code on each platform.
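Added example (not from the thread or the va-mobile-app code base): a small log triage that groups the lines quoted in the comment above into one record per biometric login attempt and pulls out the innermost `Caused by` exception, so failures collected from different devices can be counted by root cause. The `ReactNativeJS` tag on the "starting" line, the line layout, and the function names are assumptions; the message text comes from the log excerpts above.

```javascript
// Constructed sample: message text from the excerpts above, layout assumed.
const SAMPLE_LOG = [
  'ReactNativeJS: startBiometricsLogin: starting',
  'CipherStorageBase: Keystore operation failed',
  'java.security.InvalidKeyException: Keystore operation failed',
  'Caused by: android.security.KeyStoreException: Invalid user authentication validity duration',
  'RNKeychainManager: Wrapped error: Keystore operation failed',
  'ReactNativeJS: startBiometricsLogin: Failed to get generic password from keychain',
  'ReactNativeJS: startBiometricsLogin: starting', // constructed: attempt with no error logged
];

const START = /startBiometricsLogin: starting/;
const JS_FAILURE = /startBiometricsLogin: Failed to get generic password from keychain/;
const CAUSED_BY = /^\s*Caused by: ([\w.$]+): (.*)$/;
const EXCEPTION = /^\s*([\w.$]+Exception): (.*)$/;

// Returns one record per login attempt, in log order.
function triageBiometricLogins(lines) {
  const attempts = [];
  let current = null;
  for (const [i, line] of lines.entries()) {
    if (START.test(line)) {
      current = { startLine: i, failed: false, exception: null, rootCause: null };
      attempts.push(current);
      continue;
    }
    if (!current) continue; // noise before the first attempt
    const caused = CAUSED_BY.exec(line);
    const exc = EXCEPTION.exec(line);
    if (caused) {
      // A later "Caused by" overwrites an earlier one: the last is innermost.
      current.rootCause = { type: caused[1], message: caused[2] };
    } else if (exc && !current.exception) {
      current.exception = { type: exc[1], message: exc[2] };
    } else if (JS_FAILURE.test(line)) {
      current.failed = true;
    }
  }
  return attempts;
}

// Counts failed attempts by root cause ("unknown" when none was logged).
function summarizeRootCauses(attempts) {
  const counts = {};
  for (const a of attempts.filter((x) => x.failed)) {
    const key = a.rootCause ? `${a.rootCause.type}: ${a.rootCause.message}` : 'unknown';
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}
```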

alexandec commented 1 year ago

Attempted to reproduce with these steps:

  1. Run yarn start and Android Studio, run app on Galaxy S7 phone
  2. Log in with fingerprint
  3. Kill app but leave Android Studio and yarn start running
  4. Wait 16 hours
  5. Start app and log in with fingerprint

This worked perfectly with no errors. I'll have to try again with a longer wait.

alexandec commented 1 year ago

Tried killing the app, waiting three days, then logging in with biometrics. Worked just fine. I'm thinking I just won't be able to reproduce this on my Galaxy S7. @DJUltraTom anything else I can try with this one?

bischoffa commented 1 year ago

@dumathane @TKDickson wanting thoughts per your perspectives on what to do if we cannot consistently validate or find? Also at what point? I am wondering if we review the findings after spending 5 points on this ticket to determine if we keep it or accept and close it until more info/issues come in.

TKDickson commented 1 year ago

This is a tough one @bischoffa -- we're still getting reports (mostly I'm thinking of Liz's monthly app reviews) of biometrics not working for users, when it always works in staging (during normal testing).

I know that we have a ticket for updating firebase to get more detailed logging, which could also help with reproducing this ticket (or getting other useful information that could help with solving problems with biometric login) - #5626 . I come from teams/a background where we'd keep this ticket open and move to icebox/blocked waiting for that one, open to other ideas.

DJUltraTom commented 1 year ago

We know it's an issue based on Firebase reporting. I like Therese's idea of keeping it open in an Icebox/backlog. I can attempt to repro and gather more logs, especially if there is something specific we are looking for to diagnose the issue.

Letting the phone sit for 2+ days is easier for me to accomplish as I have multiple physical devices to test with.

alexandec commented 1 year ago

@TKDickson @DJUltraTom the icebox/backlog approach makes sense to me. It does seem like this is still an issue, so maybe we can try to gather more information on it. Do we know if this is an Android-only issue, or also applies to iOS devices?

alexandec commented 1 year ago

Moved this back to the backlog since I'm not actively working on it currently. I'm leaving the ticket open so we can revisit as needed.

bischoffa commented 1 year ago

Going to move to New Issues as I am not sure what icebox is and I don't want to comment on the icebox 2x a week. I am also going to bump this to a Sev-3 bug.

bischoffa commented 1 year ago

Moving to icebox. Ticket will be assessed at a later date if it's something mobile needs to look at. Until then no action will be taken.

alexandec commented 1 year ago

Just a note for future: as Therese mentioned above, #5626 would add logging which could help us determine the root cause of this issue (that ticket is currently blocked). Beyond that we could add more logging specific to the login process, if we want even more detail.

bischoffa commented 12 months ago

Continues to be blocked. Need additional information to investigate this; however, that is blocked due to other technical debt upkeep work from engineering which is not prioritized. Requires major dependency updates, and historically those have been challenging and time consuming.

bischoffa commented 10 months ago

No updates, still blocked.