mCodex / react-native-sensitive-info

Save sensitive data into Android's Shared Preferences with keystore encryption/iOS's Keychain for React Native
https://mcodex.dev/react-native-sensitive-info/
MIT License
979 stars, 216 forks

setItem triggers Fingerprint on Android #264

Open artola opened 3 years ago

artola commented 3 years ago

The following code (from the docs) triggers the fingerprint auth on Android, while on iOS it does not trigger Face ID (which is correct).

Using v6 @next

I did expect a validation to retrieve the data, but not to store it for the first time. Is this right? What is the expected behaviour?

```js
import SInfo from 'react-native-sensitive-info';

// Wrapped in an async function so the await is valid outside a module top level.
async function saveFirstData() {
    const savingFirstData = await SInfo.setItem('key1', 'value1', {
        sharedPreferencesName: 'mySharedPrefs',
        keychainService: 'myKeychain',
        touchID: true, // add this key
        showModal: true, // add this key
        kSecAccessControl: 'kSecAccessControlBiometryAny' // optional - Add support for FaceID
    });
    return savingFirstData;
}
```
artola commented 3 years ago

@mCodex This issue was reported before: https://github.com/mCodex/react-native-sensitive-info/issues/226

Nevertheless, while on iOS everything runs smoothly, the Android user experience is not that good (for example, it requires the fingerprint twice because of one get and a successive set). Playing with the options (adding them in get or set) produces very different effects depending on the platform. For example, iOS ignores the options (see the example above) during the set, while Android honors them.

To be honest, due to these limitations I am thinking about using other packages: one for encrypted storage (using this one without options is valid too) plus one for biometric validation that also supports fallback to a code, and performing the two-step logic where required.

warrioru commented 3 years ago

@artola it would be great if we could save into the keystore without having to use the fingerprint. Then the problem of seeing the fingerprint modal two times would be solved.

Thanks for your work!

artola commented 3 years ago

@mCodex If the library is somehow upgraded for API level 30, supporting setUserAuthenticationParameters would allow us to pass the timeout and auth type required; with a timeout of several seconds it would allow set/get without invoking the auth again and again.

https://developer.android.com/reference/android/security/keystore/KeyGenParameterSpec.Builder#setUserAuthenticationParameters(int,%20int)

Just after setting the requirement for auth, add the extra options herein:

https://github.com/mCodex/react-native-sensitive-info/blob/1575f8992ff7113443199bce5a3fb1e11392878d/android/src/main/java/br/com/classapp/RNSensitiveInfo/RNSensitiveInfoModule.java#L367
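As an added example (not the library's code and not from this thread), this is how an Android Keystore key could be generated with the API 30 setUserAuthenticationParameters call discussed above, falling back to the older validity-duration call on earlier releases. The class and method names are hypothetical; a short timeout keeps the window in which the key is usable without a fresh unlock small.

```java
import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.security.KeyStore;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

// Hypothetical helper, not part of react-native-sensitive-info.
public final class AuthBoundKeyFactory {
    private static final String ANDROID_KEYSTORE = "AndroidKeyStore";

    /**
     * Returns the existing AES key for `alias` or generates a new one whose use
     * requires user authentication. After a biometric or device-credential unlock
     * the key stays usable for `timeoutSeconds`, so a get() followed by a set()
     * prompts only once. A timeout of 0 means "authenticate for every use".
     */
    public static SecretKey getOrCreate(String alias, int timeoutSeconds) throws Exception {
        KeyStore ks = KeyStore.getInstance(ANDROID_KEYSTORE);
        ks.load(null);
        KeyStore.Entry existing = ks.getEntry(alias, null);
        if (existing instanceof KeyStore.SecretKeyEntry) {
            return ((KeyStore.SecretKeyEntry) existing).getSecretKey();
        }
        KeyGenParameterSpec.Builder b = new KeyGenParameterSpec.Builder(
                alias, KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                .setUserAuthenticationRequired(true);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
            // API 30+: explicit timeout plus the allowed auth types (strong biometric,
            // with PIN/pattern/password as fallback). Keep the timeout short: while it
            // runs, any code in the process can use the key without a new prompt.
            b.setUserAuthenticationParameters(timeoutSeconds,
                    KeyProperties.AUTH_BIOMETRIC_STRONG | KeyProperties.AUTH_DEVICE_CREDENTIAL);
        } else {
            // Pre-30 equivalent: -1 means every use must be authenticated,
            // otherwise the key stays usable for the given number of seconds.
            b.setUserAuthenticationValidityDurationSeconds(
                    timeoutSeconds == 0 ? -1 : timeoutSeconds);
        }
        KeyGenerator kg = KeyGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEYSTORE);
        kg.init(b.build());
        return kg.generateKey();
    }
}
```

With a timeout of 0 the key can only be unlocked through BiometricPrompt with a CryptoObject; with a positive timeout a regular device unlock within that window also counts.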

mCodex commented 3 years ago

Thanks for pointing this out. I totally agree with you: thinking about UX, this is not good.

I'd like to fix this, because I'm very concerned about UX stuff.

Feel free to open a PR to address this issue in v6

stale[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

fedeerbes commented 3 years ago

Hi @mCodex and @artola, do you have plans to work on this?