oblador / react-native-keychain

:key: Keychain Access for React Native
MIT License

Android decrypts and gets data without fingerprint prompt #235

Open pani7 opened 5 years ago

pani7 commented 5 years ago

Hi, on iOS, after implementing the basic example, I get a Touch ID prompt to authenticate with a fingerprint before getting the data, but on Android it just gets the data and decrypts it without any prompt for a fingerprint. I get it immediately. Is this the correct behavior? Should I implement a fingerprint prompt for Android separately with another library and then, upon successful auth, get the data from the keystore?

Thanks for your help

EnricoMazzu commented 5 years ago

Hi pani7,

Looking at the source code I found this:

// Key generation in the library's Android module: the key is created in AndroidKeyStore
// for encrypt/decrypt, but the user-authentication requirement is commented out.
@TargetApi(Build.VERSION_CODES.M)
private KeyGenParameterSpec.Builder getKeyGenSpecBuilder(String service) {
    return new KeyGenParameterSpec.Builder(
            service,
            KeyProperties.PURPOSE_DECRYPT | KeyProperties.PURPOSE_ENCRYPT)
        .setBlockModes(ENCRYPTION_BLOCK_MODE)
        .setEncryptionPaddings(ENCRYPTION_PADDING)
        .setRandomizedEncryptionRequired(true)
        //.setUserAuthenticationRequired(true) // Will throw InvalidAlgorithmParameterException if there is no fingerprint enrolled on the device
        .setKeySize(ENCRYPTION_KEY_SIZE);
}

As you can see, setUserAuthenticationRequired is currently disabled.

I'm afraid you will have to wait for the merge of this pull request: 148

Without setUserAuthenticationRequired, you can use the generated key (which lives in the keystore) without user authentication (technically you could use the key with the device locked).

From a security perspective, the key material is relatively protected (because the private key lives outside of your process memory), but with hooking an attacker is able to use this key without user authentication.
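As an added illustration of what enabling that setting involves (this is not code from the library, the pull request, or anyone in this thread), a hypothetical `AuthBoundKey` helper generates the key with setUserAuthenticationRequired(true) and handles the two errors that come with it: no enrolled credential at generation time, and key invalidation after biometric enrollment changes.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Hypothetical helper (API 23+), not part of react-native-keychain.
final class AuthBoundKey {
    private static final String STORE = "AndroidKeyStore";
    // Creates an AES-256-GCM key in AndroidKeyStore that can only be used after user
    // authentication. Returns false when no fingerprint or secure lock screen is enrolled
    // (the InvalidAlgorithmParameterException the commented-out line warns about).
    static boolean generate(String alias) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, STORE);
        KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(
                alias, KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setKeySize(256)
            .setUserAuthenticationRequired(true)  // the setting the library leaves disabled
            .build();
        try {
            kg.init(spec);
        } catch (InvalidAlgorithmParameterException e) {
            return false;  // nothing enrolled: do not silently fall back to an unprotected key
        }
        kg.generateKey();
        return true;
    }
    // Prepares the decrypt cipher. Because the key is auth-bound, this Cipher must be passed
    // to BiometricPrompt as a CryptoObject and doFinal() only succeeds once the user has
    // authenticated; keys with a validity window throw UserNotAuthenticatedException on init.
    static Cipher decryptCipher(String alias, byte[] iv) throws Exception {
        KeyStore ks = KeyStore.getInstance(STORE);
        ks.load(null);
        SecretKey key = (SecretKey) ks.getKey(alias, null);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        try {
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        } catch (KeyPermanentlyInvalidatedException e) {
            ks.deleteEntry(alias); throw e;  // enrollment changed: key is dead, re-create it
        }
        return c;
    }
}
```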

fendorio commented 5 years ago

Running into the same issue, trying out a couple of the forks mentioned in the thread in the interim, no such luck thus far.

Anyone using a fork, or similar library for now which provides the functionality on Android?

OleksandrKucherenko commented 4 years ago

https://github.com/oblador/react-native-keychain/pull/260 - correct implementation of biometrics in the lib... waiting for it to be merged and spread globally :)

lancesnider commented 4 years ago

5.0.0 appears to have fixed the problem. I'm no longer running into this issue. Thanks! 🌮🌮🌮

franconob commented 3 years ago

I'm still experiencing this issue with v6.2.0 on a Xiaomi Mi 9: Android doesn't prompt for a fingerprint and gets the data automatically from the keychain.