mjwheatley / cordova-plugin-android-fingerprint-auth

A cordova plugin for fingerprint authentication using the hardware fingerprint scanner on devices running Android 6+
Apache License 2.0
168 stars 131 forks

Detect changes in enrolled fingerprints #104

Closed koenvanzuijlen closed 6 years ago

koenvanzuijlen commented 6 years ago

Is it possible to detect changes in the enrolled fingerprints (additions or deletions) and make the pop-up fail in this case?

I can't seem to find anything in the documentation about it.

Or is there any reason why this isn't needed for security?

mjwheatley commented 6 years ago

If you set userAuthRequired to true then the key will be invalidated if fingerprints are changed. The fingerprint auth dialog will not be displayed and will be redirected to use backup credentials to authenticate. Backup authentication will initiate a new secret key and re-enable fingerprint authentication.

koenvanzuijlen commented 6 years ago

Thanks for the quick reply, I have disabled backup in my settings. I don't want to use backup codes.

When I add the userAuthRequired to config it seems like nothing changed really, I can still decrypt my encrypted value after adding or removing a fingerprint on the phone.

Am I missing something?

mjwheatley commented 6 years ago

Did you uninstall and reinstall after changing the userAuthRequired param to true? If not, you should do this to ensure a new key has been generated with this setting.

koenvanzuijlen commented 6 years ago

Thanks again for responding. I didn't try uninstalling and reinstalling, but I did now, and when I set up my fingerprint I can still decrypt afterwards after changing enrolled prints with userAuthRequired on true.

mahesh0431 commented 6 years ago

@koenvanzuijlen is your issue solved? I am also facing the same issue, even if any new fingerprint is added, it is still decrypting...

koenvanzuijlen commented 6 years ago

@mahesh0431 Sadly I was not able to fix this problem or find an alternative plugin which does this.

mahesh0431 commented 6 years ago

@koenvanzuijlen Thanks man.. Hope @mjwheatley will find the bug..

mjwheatley commented 6 years ago

This is what works for me:

Meteor.js

```javascript
// Success callback for FingerprintAuth.isAvailable().
// successCallback and errorCallback are defined elsewhere in the app.
function isAvailableSuccess(isAvailable) {
    console.log("FingerprintAuth available: " + JSON.stringify(isAvailable));
    var cipherMode = Session.get("cipherMode");
    var username = $('#username').val();
    if (cipherMode === "encrypt") {
        // Encrypt the password; the resulting token is stored for later decryption.
        var password = $('#password').val();
        FingerprintAuth.encrypt({
            clientId: "myAppName",
            username: username,
            password: password,
            disableBackup: true,
            userAuthRequired: true
        }, successCallback, errorCallback);
    } else if (cipherMode === "decrypt") {
        // Decrypt the stored token with the same options used for encryption.
        FingerprintAuth.decrypt({
            clientId: "myAppName",
            username: username,
            token: Session.get("token"),
            disableBackup: true,
            userAuthRequired: true
        }, successCallback, errorCallback);
    }
}
```

disableBackup set to true, userAuthRequired set to true for both encrypt and decrypt.

Testing on a Nexus 5 emulator (Android 6.0, API 23) using the default emulator launched from the command meteor run android. Build number: sdk_google_phone_x86_64-userdebug 6.0 MASTER 4088240 test-keys

  1. Uninstalled my app.
  2. Make sure 1 fingerprint is enrolled on the device (Add 1 or delete down to 1).
  3. Installed my app.
  4. Enter username and password and encrypt to get token.
  5. Leave app, go to settings and enroll "Fingerprint 2"
  6. Return to app and try to decrypt the token.

Result: Received error message INIT_CIPHER_FAILED

My sample project can be found here
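
An added example, not part of the original thread or the plugin's code: one way an app could react to the INIT_CIPHER_FAILED result reported above, by discarding the stored token and falling back to a full password login. It assumes the error callback receives the error code as a string; `createTokenStore` and `unlockWithFingerprint` are hypothetical names, and the plugin object is passed in so the logic can be exercised against a stub.

```javascript
// Added example, not code from the plugin or the sample project.
// Assumption: the error callback receives the error code as a string,
// as in the "INIT_CIPHER_FAILED" result reported in this thread.
const KEY_INVALIDATED = "INIT_CIPHER_FAILED";

// Hypothetical in-memory token store; a real app would persist tokens.
function createTokenStore() {
    const tokens = new Map();
    return {
        save: (user, token) => tokens.set(user, token),
        load: (user) => tokens.get(user),
        discard: (user) => tokens.delete(user),
    };
}

// Hypothetical wrapper around plugin.decrypt using the options from the thread.
// Reports one outcome object through done(); never unlocks on an error.
function unlockWithFingerprint(plugin, store, clientId, username, done) {
    const token = store.load(username);
    if (!token) {
        // Nothing to decrypt: only a password login can create a new token.
        done({ status: "password_required", reason: "NO_TOKEN" });
        return;
    }
    plugin.decrypt({
        clientId: clientId,
        username: username,
        token: token,
        disableBackup: true,
        userAuthRequired: true
    }, function (result) {
        done({ status: "unlocked", result: result });
    }, function (error) {
        const code = String(error);
        if (code === KEY_INVALIDATED) {
            // Enrolled fingerprints changed and the key no longer initialises.
            // Drop the old token so it is not retried, then require the password.
            store.discard(username);
            done({ status: "password_required", reason: code });
            return;
        }
        // Any other error: deny access but keep the token for a later retry.
        done({ status: "denied", reason: code });
    });
}
```

In the app, the global FingerprintAuth object would be passed as `plugin`, and a `password_required` outcome would route the user to the normal login form before encrypting again.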

mjwheatley commented 6 years ago

I just remembered that I committed my sample repo with a reference to a local copy of the cordova plugin. You will need to go to /app/.meteor/cordova-plugins and change the plugin to cordova-plugin-android-fingerprint-auth@1.4.3

dushani88 commented 5 years ago

@mjwheatley I'm using version 1.4.3 and I'm still getting an ILLEGAL_BLOCK_SIZE_EXCEPTION if I try to use userAuthRequired: true with disableBackup: false. Any fixes for this?

WuglyakBolgoink commented 4 years ago

@dushani88 any updates here?