mibrito707 / cordova-plugin-secure-storage-echo

Secure storage plugin for Apache Cordova
MIT License

Device Password is prompted randomly #27

Open pvsantosh opened 4 years ago

pvsantosh commented 4 years ago

Thanks for the great work in keeping the Secure Storage active. I integrated this plugin in our project. We are noticing a different behaviour of asking for the device password on Android intermittently. Is this the expected behaviour of the plugin? Or am I missing something?

BorntraegerMarc commented 4 years ago

I can confirm this weird bug. It happens with my OnePlus 6T Android 9. @pvsantosh what Android version are you using?

It's weird because it seems to be "truly" random. Used the plugin for weeks now in production and never

Screenshot where the app starts without any content and is about to get it from the secure storage:

One millisecond later, where the app prompts for the pin or fingerprint (because we initialize the secure storage):

After entering the pin or confirming with the fingerprint, content can be loaded:

pvsantosh commented 4 years ago

@BorntraegerMarc We are seeing this issue on Android 9 and 10 on Samsung and Pixel devices. The experience is the same as yours, i.e. only after entering the password does it show the content.

BorntraegerMarc commented 4 years ago

Answer from our researcher:

Have gone through the plugin, and the plugin itself is asking for the unlock credentials. The flow is as below. When RSA encryption keys are available from https://github.com/mibrito707/cordova-plugin-secure-storage-echo/blob/master/src/android/SecureStorage.java#L103 and simple encryption/decryption doesn't work, the plugin itself asks for the credentials: https://github.com/mibrito707/cordova-plugin-secure-storage-echo/blob/master/src/android/SecureStorage.java#L117 https://github.com/mibrito707/cordova-plugin-secure-storage-echo/blob/master/src/android/SecureStorage.java#L235

pvsantosh commented 4 years ago

Thank you @BorntraegerMarc. This makes sense to me. I would like to understand what the scenarios are in which the encryption keys get invalidated. Also, we need to gracefully inform the user and ask them to enter the device passcode. Is there any way we can control the flow?

BorntraegerMarc commented 4 years ago

Right. I dug into the code but wasn't able to see why this happens.

Maybe our researcher @dwlrathod could say why the encryption keys get invalidated?

BorntraegerMarc commented 4 years ago

So it seems like we get into this line here: https://github.com/mibrito707/cordova-plugin-secure-storage-echo/blob/master/src/android/AbstractRSA.java#L104

But what exactly the cause is and what the exception exactly says, we don't know, because it's very hard to reproduce and we weren't able to debug it.

pvsantosh commented 4 years ago

@BorntraegerMarc After we moved to production, considering this is not a serious blocker, many users reported that they are seeing a black screen of death after the passcode/biometric screen. Did you find any alternate plugins with some control over things? Looks like this plugin is having many issues.

BorntraegerMarc commented 4 years ago

No, not really. Though I haven't heard nor seen any "black screen of death". This password reprompt doesn't happen a lot for us

pvsantosh commented 4 years ago

@BorntraegerMarc We did good debugging on the plugin. Identified that there is a line https://github.com/mibrito707/cordova-plugin-secure-storage-echo/blob/0631967b5db0c27d1a656e6064697ab3c3f947cf/src/android/SecureStorage.java#L26 which is responsible for asking for credentials every 24 hours. And if you don't want to prompt the user to generate RSA encryption keys, you need to set it to false here: https://github.com/mibrito707/cordova-plugin-secure-storage-echo/blob/0631967b5db0c27d1a656e6064697ab3c3f947cf/src/android/RSA.java#L48. It would be nice if the author responded saying whether there is a specific reason to prompt the user to enter credentials. Otherwise we can fork the repo, make changes and use it in the project.

BorntraegerMarc commented 4 years ago

Nice one @pvsantosh ! I read a bit about this setUserAuthenticationRequired here: https://developer.android.com/reference/android/security/keystore/KeyGenParameterSpec.Builder.html#setUserAuthenticationRequired(boolean)

I have too little experience to say what the impact would be if we disable it completely. It seems to me that maybe security is a bit compromised however I've never been using an app that prompts my password to access the secure storage. Or at least I wasn't aware of it.

What I don't understand is why the device password prompt is random: It doesn't happen every 24 hours (like the DEFAULT_AUTHENTICATION_VALIDITY_TIME dictates). It happens to a small amount of users "sometimes". Definitely not every 24 hours.
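An added example (not the plugin's code and not written by anyone in this thread) of what `setUserAuthenticationRequired` with a validity duration means on Android: the private key is usable only for that many seconds after the user last authenticated with the device credential, and outside that window `Cipher.init` throws `UserNotAuthenticatedException`. The class name, `Result` enum and `VALIDITY_SECONDS` value (the 24 hours mentioned above) are assumptions for illustration; the probe lets an app decide when to explain the credential prompt to the user before showing it.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import android.security.keystore.UserNotAuthenticatedException;
import java.security.GeneralSecurityException;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import javax.crypto.Cipher;

// Hypothetical helper for illustration; names are not taken from the plugin.
public final class AuthBoundKeyDemo {
    public enum Result { OK, NEEDS_DEVICE_CREDENTIAL, KEY_INVALIDATED }

    private static final String STORE = "AndroidKeyStore";
    // Assumed value: the 24 hours mentioned in the thread.
    private static final int VALIDITY_SECONDS = 24 * 60 * 60;

    // Generates an RSA key pair; with requireAuth=true the device must have a
    // secure lock screen configured, otherwise key generation fails.
    public static void generate(String alias, boolean requireAuth) throws GeneralSecurityException {
        KeyGenParameterSpec.Builder spec = new KeyGenParameterSpec.Builder(
                alias, KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_PKCS1)
                .setUserAuthenticationRequired(requireAuth);
        if (requireAuth) {
            // Deprecated since API 30 in favour of setUserAuthenticationParameters.
            spec.setUserAuthenticationValidityDurationSeconds(VALIDITY_SECONDS);
        }
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_RSA, STORE);
        kpg.initialize(spec.build());
        kpg.generateKeyPair();
    }

    // Reports whether the private key can be used right now, without decrypting anything.
    public static Result probe(String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(STORE);
        ks.load(null);
        PrivateKey key = (PrivateKey) ks.getKey(alias, null);
        try {
            Cipher.getInstance("RSA/ECB/PKCS1Padding").init(Cipher.DECRYPT_MODE, key);
            return Result.OK;                       // authenticated within the window
        } catch (UserNotAuthenticatedException e) {
            return Result.NEEDS_DEVICE_CREDENTIAL;  // window elapsed: ask the user to authenticate
        } catch (KeyPermanentlyInvalidatedException e) {
            return Result.KEY_INVALIDATED;          // key is unusable: regenerate and re-store data
        }
    }
}
```

On `NEEDS_DEVICE_CREDENTIAL` the app can show its own explanation and then launch the system credential screen; on `KEY_INVALIDATED` the stored values can no longer be decrypted and have to be written again under a new key.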

Stephane84 commented 4 years ago

Hello, same here, never seen this screen on dev, but some prod cases happened. On a Samsung Galaxy Tab S3, Android 9, with a scheme image

leolio86400 commented 4 years ago

Did any of you find a solution or try to play with this to solve the issue?

userAuthenticationValidityDuration - Sets the duration of time (seconds) for which the Private Encryption

Stephane84 commented 4 years ago

I can't test this option because I'm using this plugin with ionic-native: https://ionicframework.com/docs/v3/native/secure-storage/, and it doesn't allow userAuthenticationValidityDuration. Moreover, I can't reproduce the bug myself, it's only a customer who sent me a screenshot...

leolio86400 commented 4 years ago

Update your ionic native plugin to target secure-storage-echo (it's in ionic too) https://www.npmjs.com/package/@ionic-native/secure-storage-echo

Stephane84 commented 4 years ago

I'm using ionic3, it seems to be an ionic 5 native module

leolio86400 commented 4 years ago

You still have solutions for that: create your own version of the ionic native plugin wrapper that needs to be updated and use it instead of taking the remote. We were doing that in version 3 before the update and it works just fine.

Anyway, we are testing the userAuthenticationValidityDuration today. We managed to get a device with a similar bug (OPPO); will post here later today if it fixes the issue

vitconte commented 4 years ago

any news?

leolio86400 commented 4 years ago

Somehow updating the plugin made it worse. We decided to move out from it and designed a server side solution to not require it, not ideal but this plugin was the root of so many issues...

vitconte commented 4 years ago

I got it. Thanks for the answer