oblador / react-native-keychain

:key: Keychain Access for React Native
MIT License
3.16k stars 520 forks

Android devices pass through biometric authentication even with passcode on unlock #518

Open MikaelCompile opened 2 years ago

MikaelCompile commented 2 years ago

Hello!

So it seems that Android devices pass through the authentication event from unlocking the phone. The issue right now is that we use biometrics to lock our app, but it doesn't seem to care whether we use fingerprint or device password to open the device; everything seems to just pass through and unlock our app as well (provided the app is at least the first thing active when unlocking).

Is there any way to exert some control over this behaviour?

mstasiak92 commented 2 years ago

Hi,

I've come across the same behaviour when using RSA based storage.

It seems that the reason (at least on the surface level) is the following line: https://github.com/oblador/react-native-keychain/blob/6cafc99a26986772bc0fd30706db55877e103c3f/android/src/main/java/com/oblador/keychain/cipherStorage/CipherStorageKeystoreRsaEcb.java#L241

Is there any reason why the duration for user authentication validity is set strictly to 5? If there is no need for this setting to be fixed, how about making it configurable from React API?

@oblador If you need, I can submit PR with my suggestion.

MikaelCompile commented 2 years ago

Hi! Thank you, this looks great! If nothing else, we can patch the library in our app. It happens to be the same 5 seconds that I arrived at with my highly technical approach of counting in my head each time before attempting it :)

Thanks again, this might be a life saver!

br. Mikael

MikaelCompile commented 2 years ago

.setUserAuthenticationValidityDurationSeconds(5) seems to be deprecated in API 30, so we ended up using the new method, which takes two parameters: seconds and valid auth types.

We replaced the line with this:

and now it doesn't just go through biometrics with the screen unlock unless you opened the device with biometrics.
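The replacement MikaelCompile describes, written out as an added example (this is not code from react-native-keychain and not the snippet the comment omitted): on API 30 and above the key is generated with `setUserAuthenticationParameters`, restricting the unlock type to `AUTH_BIOMETRIC_STRONG`, and older releases fall back to the deprecated duration-only call. The alias, the 5-second window and the key parameters are assumptions chosen to match the library's RSA/ECB storage.

```java
// Added example, not part of react-native-keychain. Builds an AndroidKeyStore
// RSA key spec whose validity window can only be opened by a Class 3 (strong)
// biometric on API 30+, instead of by any lock-screen unlock. Alias, key size
// and the 5-second window are assumed values.
import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;

import java.security.KeyPairGenerator;

public final class BiometricOnlyKeySpec {
    // Same window MikaelCompile used; 0 would instead require auth on every use
    // (and then the cipher must be passed through a BiometricPrompt.CryptoObject).
    private static final int VALIDITY_SECONDS = 5;

    public static KeyGenParameterSpec build(String alias) {
        KeyGenParameterSpec.Builder builder = new KeyGenParameterSpec.Builder(
                alias,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_ECB)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_PKCS1)
                .setKeySize(2048)
                .setUserAuthenticationRequired(true);

        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
            // API 30+: only a strong biometric counts as authentication for this
            // key; a PIN/pattern/password unlock of the lock screen does not.
            builder.setUserAuthenticationParameters(VALIDITY_SECONDS,
                    KeyProperties.AUTH_BIOMETRIC_STRONG);
        } else {
            // Pre-30: the deprecated call cannot restrict the auth type, so a
            // device-credential unlock also satisfies the key's requirement.
            builder.setUserAuthenticationValidityDurationSeconds(VALIDITY_SECONDS);
        }

        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.N) {
            // Invalidate the key if a new fingerprint/face is enrolled, so an
            // attacker who enrolls their own biometric cannot reuse it.
            builder.setInvalidatedByBiometricEnrollment(true);
        }
        return builder.build();
    }

    public static void generate(String alias) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore");
        kpg.initialize(build(alias));
        kpg.generateKeyPair();
    }
}
```

Note that this only governs which authentication events refresh the key's validity timer; as later comments in this thread point out, once the Keystore has been unlocked by an event the key accepts, nothing here forces a fresh prompt within the window.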

Vilinyexc commented 2 years ago

The above-mentioned solution didn't really last... Is there no way to disallow screen unlock from applying to the app? It doesn't seem to limit the options to biometrics at all; you can whizz past getGeneric or getInternetCredentials with whatever opened the phone, and that's just unwanted behaviour. Scouring Android resources and trying tweaks here and there and patching the library, but nothing seems to help. Does anyone have any sort of solution?

sgal commented 2 years ago

@Vilinyexc There is no reliable way to prevent Keystore unlock after the user is authenticated by strong biometry or device credential. It is how the Keystore is implemented in Android.

What we could do to sort of hack it is to add an arbitrary call to BiometricPrompt.authenticate to force the biometric challenge on access. It would not change the fact that Keystore is already unlocked, but would fit your needs.

Vilinyexc commented 2 years ago

Sounds good to try, where would you implement it? We already change some parameters in the library so a bit more wouldn't be an issue.

sgal commented 2 years ago

@Vilinyexc You basically need to use the code in this catch block https://github.com/oblador/react-native-keychain/blob/master/android/src/main/java/com/oblador/keychain/cipherStorage/CipherStorageKeystoreRsaEcb.java#L141.

The change would be to run that code all the time, and not only in case of error. Make sure there is no infinite recursion though :)
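The workaround sgal sketches, as an added example that is not the library's own code: the BiometricPrompt call is made unconditionally before every decrypt rather than only in the catch block, and the decrypt itself runs once inside the success callback, so there is no path back into the prompt and no recursion. The key alias, transformation, the caller's `FragmentActivity` and the `Result` callback are assumptions; it depends on the androidx.biometric library.

```java
// Added example, not code from react-native-keychain. Gates every RSA decrypt
// behind a strong-biometric BiometricPrompt. As the thread notes, this does not
// re-lock the Keystore; it is a UI challenge on top of an already-unlocked key.
// Alias, transformation and the Result callback are assumptions.
import androidx.biometric.BiometricManager.Authenticators;
import androidx.biometric.BiometricPrompt;
import androidx.core.content.ContextCompat;
import androidx.fragment.app.FragmentActivity;

import java.security.KeyStore;
import java.security.PrivateKey;
import javax.crypto.Cipher;

public final class AlwaysPromptDecrypt {
    // Matches the library's RSA/ECB cipher storage.
    private static final String TRANSFORMATION = "RSA/ECB/PKCS1Padding";

    public interface Result {
        void onPlaintext(byte[] plaintext);
        void onFailure(String reason);
    }

    public static void decrypt(FragmentActivity activity, String alias,
                               byte[] ciphertext, Result out) {
        BiometricPrompt.PromptInfo info = new BiometricPrompt.PromptInfo.Builder()
                .setTitle("Unlock credentials")
                // Strong biometric only: no fallback to PIN/pattern/password.
                .setAllowedAuthenticators(Authenticators.BIOMETRIC_STRONG)
                // Required whenever DEVICE_CREDENTIAL is not an allowed option.
                .setNegativeButtonText("Cancel")
                .build();

        BiometricPrompt prompt = new BiometricPrompt(activity,
                ContextCompat.getMainExecutor(activity),
                new BiometricPrompt.AuthenticationCallback() {
                    @Override
                    public void onAuthenticationSucceeded(
                            BiometricPrompt.AuthenticationResult result) {
                        // Decrypt runs exactly once, here; the prompt is never
                        // re-entered from this path, so no infinite recursion.
                        try {
                            out.onPlaintext(doDecrypt(alias, ciphertext));
                        } catch (Exception e) {
                            out.onFailure(e.getClass().getSimpleName());
                        }
                    }

                    @Override
                    public void onAuthenticationError(int code, CharSequence msg) {
                        // Covers cancel, lockout and "no biometrics enrolled".
                        out.onFailure(msg.toString());
                    }
                });

        // Unconditional challenge, not only in the UserNotAuthenticated catch.
        prompt.authenticate(info);
    }

    private static byte[] doDecrypt(String alias, byte[] ciphertext) throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        PrivateKey key = (PrivateKey) ks.getKey(alias, null);
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.DECRYPT_MODE, key);
        return cipher.doFinal(ciphertext);
    }
}
```

If the key were generated with a per-use requirement (timeout 0) rather than the library's timed window, the initialised cipher would instead be passed as a `BiometricPrompt.CryptoObject` so that the Keystore itself, not just the UI, ties the decrypt to that prompt.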

Vilinyexc commented 2 years ago

Thank you! will have to try it out :)

nicolas-meilan commented 1 year ago

I found a solution for this issue: we need to always ask for permissions on RSA decrypt.

https://github.com/oblador/react-native-keychain/pull/592

Gguigre commented 11 months ago

Thank you @nicolas-meilan this PR really helped us on my project :)

Can we merge this? :D