oblador / react-native-keychain

:key: Keychain Access for React Native
MIT License

Use without requesting biometrics on Android #316

Open nickmccomb opened 4 years ago

nickmccomb commented 4 years ago

While iOS accessControl defaults to None, Android defaults to BIOMETRY_ANY. It seems accessControl doesn't have a value for no biometrics, so I can't find out how to set Android to None.

How can I set Android accessControl to None so that the user doesn't have to do any biometrics to access our values stored in Keychain?

puskin94 commented 4 years ago

I have a similar issue:

I'm trying to set the password using something like this:

await Keychain.setGenericPassword(
    'glasnost',
    JSON.stringify({...dataInTheKeychain, [path]: data}),
    {
        accessible: Keychain.ACCESSIBLE.WHEN_UNLOCKED,
        rules: Keychain.SECURITY_RULES.NONE
    }
);

but when I try to get the data back with:

const data = await Keychain.getGenericPassword({rules: Keychain.SECURITY_RULES.NONE});

the function throws the error [Error: accessControl]

It kinda looks like the settings are not considered. Any idea?

ssshen commented 4 years ago

The same issue. I used an earlier version, which did not request biometrics, and now that I have upgraded to the latest version, it requests biometrics when I read data from the keychain. How can I disable requesting biometrics?

nonewcode commented 4 years ago

For now the best thing to do would probably be downgrade.

PaulRolland68 commented 4 years ago

Have you tried:

const options = Platform.OS === "ios"
  ? {}
  : { accessControl: Keychain.ACCESS_CONTROL.APPLICATION_PASSWORD, rules: Keychain.SECURITY_RULES.NONE };

// Keychain.setGenericPassword(..., ..., options)
// Keychain.getGenericPassword(options)
// Keychain.resetGenericPassword(options)

as an option parameter?

It does work fine for me when using this.

Bardiamist commented 4 years ago

Will Keychain.ACCESS_CONTROL.APPLICATION_PASSWORD work without Keychain.SECURITY_RULES.NONE? I tried and so far it works.

PaulRolland68 commented 4 years ago

Haven't tried it myself, but I guess it should work. I'll try it out on my side and confirm it if it works.

antonsokolow commented 4 years ago

Keychain.setInternetCredentials(
    'server',
    username,
    password,
    { accessControl: 'none' }
);

works for me and this trick doesn't work with Keychain.setGenericPassword.

kadiryaka commented 4 years ago

Thanks thanks and thanks @PaulRolland68

SudoPlz commented 4 years ago

So yeah, to sum this up, the solution is this:

const noBiometricsConfig = Platform.select({
  android: {
    accessControl: Keychain.ACCESS_CONTROL.APPLICATION_PASSWORD,
  },
  ios: {}
});

(No need for Keychain.SECURITY_RULES.NONE), which looks weird, since application password is not supported on Android, and on iOS that leaves us vulnerable to future default ACCESS_CONTROL value changes.

There should be an ACCESS_CONTROL.NO_BIOMETRICS option. Is there any specific reason that isn't a thing?

AlphaJuliettOmega commented 3 years ago

This is a weird thread.

Searching on DuckDuckGo for react-native-keychain ACCESS_CONTROL.none I found this commit: https://github.com/oblador/react-native-keychain/commit/add90c57695586c0d5b7e903fbc1acbea918a9c9

Could it be that the changes to keychain get/set were never tested on Android devices, and that's why we're where we are today? (I see changes to iOS manifest files in said commit but seemingly no Android changes)

(Biometrics fails consistently for Android, or retrieves 'successfully' with blank credentials unless workaround disabling security above is applied)
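
The workaround summarized in this thread, wrapped so that set, get and reset always share one options object and the blank-credential reads reported above are treated as a miss. This is an added example, not code from the thread or from react-native-keychain; `noBiometricsOptions`, `createSecretStore` and the in-memory `makeFakeKeychain` stand-in are hypothetical names, and the Keychain module and platform are injected so it runs off-device.

```javascript
// Added example, not code from react-native-keychain or from this thread.
// Keychain and platformOS are injected; in an app pass the imported
// react-native-keychain module and Platform.OS.
function noBiometricsOptions(Keychain, platformOS) {
  // Workaround reported above: APPLICATION_PASSWORD on Android, defaults on iOS.
  return platformOS === 'android'
    ? { accessControl: Keychain.ACCESS_CONTROL.APPLICATION_PASSWORD }
    : {};
}

function createSecretStore(Keychain, platformOS) {
  // One frozen options object, so set/get/reset can never drift apart.
  const options = Object.freeze(noBiometricsOptions(Keychain, platformOS));
  const load = async () => {
    const result = await Keychain.getGenericPassword(options);
    // Resolves to false when nothing is stored; the thread also reports
    // "successful" reads with blank credentials, so treat blanks as a miss.
    if (!result || !result.username || !result.password) return null;
    return { username: result.username, password: result.password };
  };
  const save = async (username, secret) => {
    if (!username || !secret) throw new Error('refusing to store blank credentials');
    await Keychain.setGenericPassword(username, secret, options);
    // Read back at write time so a silent storage failure is caught early.
    const stored = await load();
    if (!stored || stored.password !== secret) {
      throw new Error('keychain round-trip failed');
    }
  };
  const clear = () => Keychain.resetGenericPassword(options);
  return { options, load, save, clear };
}

// Constructed in-memory stand-in for the native module (hypothetical helper),
// recording the options each call received. `blankReads` simulates the
// blank-credential reads reported in the thread.
function makeFakeKeychain({ blankReads = false } = {}) {
  let entry = null;
  const seen = [];
  const read = () => (blankReads ? { username: '', password: '' } : { ...entry });
  return {
    seen,
    ACCESS_CONTROL: { APPLICATION_PASSWORD: 'ApplicationPassword' },
    async setGenericPassword(u, p, o) { seen.push(o); entry = { username: u, password: p }; return true; },
    async getGenericPassword(o) { seen.push(o); return entry ? read() : false; },
    async resetGenericPassword(o) { seen.push(o); entry = null; return true; },
  };
}
```

Values stored this way are not gated on user presence, so `save` failing loudly on a bad round-trip is the only signal that the platform did not keep what was written.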