Closed mtschirs closed 2 years ago
Hi @mtschirs, thank you very much for filing this issue. Watch this issue for updates on this topic.
A hotfix release 1.2.4.1 addressing this issue has just been released to Google Play. Source code will follow along with the next regular release. Thank you again very much for finding and reporting this issue!
During the registration of the alternative authentication means (alternatePairingFlowWithSecureElement), the private key is generated with a validity duration of 60 seconds. Because of this, the key is not invalidated on biometric enrollment. The initial call to setInvalidatedByBiometricEnrollment(true) does not cause the intended effect (or any effect at all) as it "applies only to keys [...] if no positive validity duration has been set" according to the Android API reference. Therefore, the following code should be removed: https://github.com/gematik/E-Rezept-App-Android/blob/5057ccfd374d677443fff171e6ef9384f64b1737/android/src/main/java/de/gematik/ti/erp/app/cardwall/usecase/AuthenticationUseCaseProduction.kt#L229-L233
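The API interaction described in the report, as an added illustration that is not code from the E-Rezept app or from the reporter: the first KeyGenParameterSpec binds the key to a 60-second validity window, so the setInvalidatedByBiometricEnrollment(true) call is ignored by the Android Keystore; the second spec sets no positive validity duration (the default of -1, per-use authentication), which is the only configuration in which that flag is honoured. The key alias, purposes and digest are assumptions chosen for the example.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import java.security.KeyPairGenerator

// Constructed example (not the app's code). Requires API 24+ for
// setInvalidatedByBiometricEnrollment. Alias and key parameters are assumed.
object BiometricKeySpecExample {
    private const val ALIAS = "example.alternate.pairing.key" // assumed alias

    private fun baseBuilder(): KeyGenParameterSpec.Builder =
        KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_SIGN)
            .setDigests(KeyProperties.DIGEST_SHA256)
            .setUserAuthenticationRequired(true)

    // Time-bound key: any device unlock (credential or biometric) within the
    // last 60 s authorizes signing. Because a positive validity duration is
    // set, setInvalidatedByBiometricEnrollment has no effect: a biometric
    // enrolled after key creation can still unlock the key.
    fun timeBoundSpec(): KeyGenParameterSpec =
        baseBuilder()
            .setUserAuthenticationValidityDurationSeconds(60)
            .setInvalidatedByBiometricEnrollment(true) // ineffective in this configuration
            .build()

    // Per-use key: no validity duration is set (default -1), so every signature
    // needs a fresh biometric authentication through BiometricPrompt.CryptoObject,
    // and enrolling a new biometric permanently invalidates the key.
    fun perUseBiometricSpec(): KeyGenParameterSpec =
        baseBuilder()
            .setInvalidatedByBiometricEnrollment(true) // takes effect in this configuration
            .build()

    // Generates an EC key pair in the hardware-backed Android Keystore under the given spec.
    fun generate(spec: KeyGenParameterSpec) {
        KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore").run {
            initialize(spec)
            generateKeyPair()
        }
    }
}
```

The difference is not visible at key-generation time: both specs build and both keys are created without error. It only shows up on use, where the time-bound key signs after any recent unlock regardless of enrollment changes, while the per-use key throws a KeyPermanentlyInvalidatedException once a new biometric has been enrolled.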