Open TheDauntless opened 4 years ago
@TheDauntless Thanks for your information. It seems you have more specific knowledge about fingerprint authentication.
I have a question and a request:
1) Is there a similar problem with the iOS implementation?
2) The library maintainers suggest using LocalAuthentication due to a lack of active maintenance. Can you please check if a similar problem exists in that library too? Here is the LocalAuthentication GitHub repository
Thanks
Hi @SaeedZhiany ,
react-native-biometrics would be one that does provide support for secure fingerprint authentication, using the createSignature() method.
This library does not correctly implement fingerprint authentication. It simply verifies that a client can pass the challenge or not. As this is a client-side check, this can easily be bypassed by tampering with the application on a rooted / jailbroken device. The correct way to do it is to:
Using this library will automatically have your application store data insecurely, as it will be stored somewhere in the application sandbox without proper encryption. This means it will be possible to extract this data from a stolen device, or it might even make it into Android / iTunes backups.
Fingerprints are backed by a hardware element that provides cryptographic operations to securely use it. When you don't use the cryptographic operations, the protection is only a fraction of what it could/should be.
See MSTG - Local authentication for more info.
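The difference between a client-side yes/no check and a cryptographic one, shown from the server's side as an added example (not code from this thread or from either library). It assumes the app enrolls a public key as base64 DER and signs the server's challenge with RSA PKCS#1 v1.5 / SHA-256 using a key the device releases only after a biometric match; all function names are hypothetical and the device is simulated with a locally generated key pair.

```javascript
const crypto = require('crypto');

const enrolledKeys = new Map();      // userId -> public key registered at enrollment
const pendingChallenges = new Map(); // userId -> { nonce, expires }

// Assumption: the client sends its public key as base64 DER (SubjectPublicKeyInfo).
function enroll(userId, publicKeyB64) {
  const der = Buffer.from(publicKeyB64, 'base64');
  enrolledKeys.set(userId, crypto.createPublicKey({ key: der, format: 'der', type: 'spki' }));
}

// The server, not the client, picks a fresh random value for every attempt.
function issueChallenge(userId, ttlMs = 60000) {
  const nonce = crypto.randomBytes(32).toString('base64');
  pendingChallenges.set(userId, { nonce, expires: Date.now() + ttlMs });
  return nonce;
}

// Accept only a valid signature over the outstanding challenge. A patched client
// that merely reports "fingerprint OK" has nothing it can put here.
function verifyResponse(userId, signatureB64) {
  const pending = pendingChallenges.get(userId);
  pendingChallenges.delete(userId); // single use, even when verification fails
  const key = enrolledKeys.get(userId);
  if (!pending || !key || Date.now() > pending.expires) return false;
  try {
    const sig = Buffer.from(signatureB64, 'base64');
    return crypto.verify('sha256', Buffer.from(pending.nonce), key, sig);
  } catch { return false; } // malformed signature
}

// Constructed stand-in for the device: on a phone the private key stays in the
// hardware-backed keystore and signing requires a biometric match.
function simulateDevice() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return {
    publicKeyB64: publicKey.export({ format: 'der', type: 'spki' }).toString('base64'),
    sign: (payload) => crypto.sign('sha256', Buffer.from(payload), privateKey).toString('base64'),
  };
}

function demo() {
  const device = simulateDevice();
  enroll('alice', device.publicKeyB64);
  const sig = device.sign(issueChallenge('alice'));
  const genuine = verifyResponse('alice', sig);        // signature over the live challenge
  issueChallenge('alice');
  const staleSignature = verifyResponse('alice', sig); // old signature, new challenge
  const noChallenge = verifyResponse('alice', sig);    // nothing outstanding
  return { genuine, staleSignature, noChallenge };
}
console.log(demo());
```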