naoufal / react-native-touch-id

React Native authentication with the native Touch ID popup.
https://www.npmjs.com/package/react-native-touch-id

Do not use this library in sensitive applications #272

Open TheDauntless opened 4 years ago

TheDauntless commented 4 years ago

This library does not correctly implement fingerprint authentication. It simply verifies that a client can pass the challenge or not. As this is a client-side check, this can easily be bypassed by tampering with the application on a rooted / jailbroken device. The correct way to do it is to:

Using this library will automatically have your application store data insecurely, as it will be stored somewhere in the application sandbox without proper encryption. This means it will be possible to extract this data from a stolen device, or it might even make it into Android / iTunes backups.

Fingerprints are backed by a hardware element that provides cryptographic operations to securely use it. When you don't use the cryptographic operations, the protection is only a fraction of what it could/should be.

See MSTG - Local authentication for more info.

SaeedZhiany commented 4 years ago

@TheDauntless Thanks for your information. It seems you have more specific knowledge about fingerprint authentication.

I have a question and a request:

1) Is there a similar problem with the iOS implementation?
2) The library maintainers suggest using LocalAuthentication due to the lack of active maintenance. Can you please check if a similar problem exists in that library too? Here is the LocalAuthentication GitHub repository.

Thanks

Alhyoss commented 4 years ago

Hi @SaeedZhiany ,

  1. The issue applies to both the Android and iOS implementations. For more information about iOS secure biometric authentication, see MSTG - iOS Local Authentication.
  2. The LocalAuthentication library also appears to suffer from this issue, as well as the following libraries: react-native-fingerprint-scanner, react-native-fingerprint-android.

react-native-biometrics would be one that does provide support for secure fingerprint authentication, using the createSignature() method.