No Two Biometrics (APIs) Are Alike // droidcon Lisbon 2025

No Two Biometrics (APIs) Are Alike Balázs Gerlei Josu Vergara
Lecue Expert Software Engineer Senior Software Engineer

nevis.net

Intro 1. Can two people have the same ﬁngerprint? 2.
If my phone has biometric unlock can it be used in any app? 3. If I use the androidx.biometric support library, can I use the same implementation on all devices?

• Key Pair based Protocol FIDO UAF Create Key Pair
Client-side Server-side Public Key User Authenticates Sign Data Store Public Key Validate Signature Private Key Public Key Signed Content Public Key

The Choice Between Libraries • System frameworks: ◦ android.hardware.fingerprint.FingerprintManager -
deprecated in Android 9 (API 28) ◦ android.hardware.biometrics.BiometricPrompt - introduced in Android 9 (API 28) • Jetpack androidx.biometric library • Vendor speciﬁc libraries (Samsung, Huawei, etc.) • FOSS library to wrap everything (caution advised): ◦ github.com/sergeykomlach/AdvancedBiometricPromptCompat

FingerprintManager • Only ﬁngerprint sensor • Doesn’t handle the UI
(custom code needed) • Android 6+ (API 23) • All the diﬀerent sensors: Face, Iris, Fingerprint… • Handles UI ◦ Displaying the prompt ◦ Reporting errors • Only Android 9+ (API 28) BiometricPrompt

Jetpack Biometric Library: A Holy Grail? • Built on top
of FingerprintManager and BiometricPrompt • Advantages: ◦ Supports diﬀerent type of sensors ◦ Provides a uniﬁed UI - even pre-Android 9 (API 28) ◦ Backward compatible • However: ◦ Last stable release from 2021 ◦ Can be buggy ◦ Actively changing - just added new API similar to ActivityResults developer.android.com/jetpack/androidx/releases/biometric

Fingerprint Face Iris • Check availability: packageManager.hasSystemFeature(PackageManager.FEATURE_FACE) • Even if
a sensor is available, it’s not necessarily usable (in apps) Type of Biometric Sensors on Android

Iris Sensors • Brieﬂy oﬀered by Samsung: ◦ Only usable
in apps on Galaxy S9, S9+ and Note 9 ◦ (S8 and Note 8 also had the sensor but no Biometric API) • All of these devices return false to packageManager.hasSystemFeature(PackageManager.FEATURE_IRIS) • Instead need to query a custom metadata (if it doesn’t throw an Exception): packageManager.getPackageInfo("com.samsung.android.server.iris", PackageManager.GET_META_DATA)

Face Sensors • Users unlocking their phone with face don’t
understand why they cannot authenticate with it in an app ◦ They blame the app - though it’s often out of the developer’s control ◦ You can allow less-precise (Face) sensors if you are willing to sacriﬁce on security ▪ Users are unlikely to understand the trade-oﬀ

Face Sensors • Only Samsung seem to support less-secure Face
auth in apps ◦ May be the only available sensor (i.e. tablets) ◦ In case of multiple sensors, users can choose between them • Pixel 4 & 4 XL had infrared-based Face sensor ◦ Only available sensor on these devices • Newer Pixels (since Pixel 8) also support Face auth in apps ◦ Still RGB camera-based but with AI “magic” ◦ They also have (under display) ﬁngerprint sensors ◦ Face authentication is a bypass

Biometric Classes security.googleblog.com/2020/09/lockscreen-and-authentication.html

Biometric Classes • A Class 3⃣ sensor can also act
as Class 2⃣ • All ﬁngerprint sensors seem to be Class 3⃣ • If there are multiple sensors, it cannot be determined which one falls to which Class • Even if a device has Face Unlock, it may not even be Class 2⃣ ◦ Meaning it cannot be used in apps (e.g. Pixel 7)

Biometric (?) Authenticators • Authenticators are grouped to: ◦ BiometricManager.Authenticators.BIOMETRIC_WEAK
(Class 2⃣) ◦ BiometricManager.Authenticators.BIOMETRIC_STRONG (Class 3⃣) ◦ BiometricManager.Authenticators.DEVICE_CREDENTIAL (Class❓) - only Android 11+ (API 30) • You can set what you allow, but you cannot force using one

BiometricPrompt - Example developer.android.com/identity/sign-in/biometric-auth val promptInfo = BiometricPrompt.PromptInfo.Builder() .setTitle("Biometric login
for my app") .setAllowedAuthenticators(BIOMETRIC_STRONG or BIOMETRIC_WEAK) .setNegativeButtonText("Cancel") .build() val biometricPrompt = BiometricPrompt( this, ContextCompat.getMainExecutor(this), object : BiometricPrompt.AuthenticationCallback() { override fun onAuthenticationSucceeded( result: BiometricPrompt.AuthenticationResult) { super.onAuthenticationSucceeded(result) } } ) biometricPrompt.authenticate(promptInfo)

BiometricPrompt and Key Protection • Android allows to protect keys
with authentication, using KeyGenParameterSpec.Builder.setUserAuthenticationRequired • Via CryptoObject from the Biometrics API ◦ A handle for the key material (Signature or Cipher) ◦ Only available with Class 3⃣ sensors ▪ A protected key cannot be accessed when the user authenticates with a Class 2⃣ sensor developer.android.com/identity/sign-in/biometric-auth

BiometricPrompt and Key Protection - Example developer.android.com/identity/sign-in/biometric-auth val promptInfo =
BiometricPrompt.PromptInfo.Builder() .setTitle("Please authenticate") .setAllowedAuthenticators(BIOMETRIC_STRONG or BIOMETRIC_WEAK) .setNegativeButtonText("Cancel") .build() val biometricPrompt = BiometricPrompt( this, ContextCompat.getMainExecutor(this), object : BiometricPrompt.AuthenticationCallback() { override fun onAuthenticationSucceeded( result: BiometricPrompt.AuthenticationResult) { super.onAuthenticationSucceeded(result) // Verify that result.cryptoobject is the same as the one provided to the prompt } } ) biometricPrompt.authenticate(promptInfo, BiometricPrompt.CryptoObject(cipher))

BiometricPrompt - Allowing Class 2⃣ • Use this with care:
◦ The sensor itself is less secure ◦ Can’t be used to protect credentials with user authentication developer.android.com/identity/sign-in/biometric-auth val promptInfo = BiometricPrompt.PromptInfo.Builder() .setTitle("Please authenticate") .setAllowedAuthenticators( BIOMETRIC_WEAK ) // This includes BIOMETRIC_STRONG .setNegativeButtonText("Cancel") .build()

BiometricPrompt - Device Passcode Fallback • Device Credentials can be
allowed as a fallback ◦ Android 11+ (API 30) developer.android.com/identity/sign-in/biometric-auth val promptInfo = BiometricPrompt.PromptInfo.Builder() .setTitle("Please authenticate") .setAllowedAuthenticators( DEVICE_CREDENTIAL ) // No biometrics involved .build() ◦ Users can choose to authenticate with PIN, Password or Pattern via a button in place of Cancel ▪ That’s why negative button text cannot be set if fallback is allowed

BiometricPrompt - Some Quirks • Diﬃcult to demo with physical
devices • The UIs lifecycle is coupled with the Activity / Fragment: ◦ Diﬃcult to know whether cancellation happened because the application has been backgrounded developer.android.com/identity/sign-in/biometric-auth

Biometric Bypass DEMO

Protecting Keys with Biometrics • FIDO UAF relies on public
key cryptography ◦ Transactions and authentication requests needs to be signed with the private key • The best is to protect these keys with Biometric authentication ◦ Requiring user authentication for each key access if possible • Considerations are basically the same even if you “only” protect some local data

Protecting Keys with Biometrics • Biometric authentication is (only) access
control, managed by Android ◦ Keys are in no way connected to biometric data ◦ Keys can be invalidated when a new (biometric) credential is added on Android 7+ (API 24) ◦ Or you can allow fallback to device credentials (Pin, Pattern or Password) These two cannot be set together

Protecting Keys with Biometrics • A timeout can be set
during which key access doesn’t require re-authentication ◦ Only applicable if you require user authentication ◦ A new prompt can still be shown, but be aware that after even just a device unlock the keys are accessible via code (e.g. using ) ◦ On some (older) Xiaomi devices requiring user authentication for key access doesn’t work without a timeout :(

Secure Key Storage • Trusted Execution Environment (TEE) - Android
6+ (API 23) ◦ It’s a Secure Element, meaning a completely separate hardware (CPU, memory, storage, true random generator…) and OS ◦ Only communicates with Android via messages • Keys stored in these cannot be retrieved even on rooted phones ◦ But they may be usable (e.g. if the malicious app can impersonate the target app) ◦ It’s a secure (virtual) environment (separate OS), running on the same processor as the main OS • StrongBox - Android 9+ (API 28)

Not all StrongBoxes created equal • Google provides a default
implementation but OEMs often roll their own - these sometimes have bugs: ◦ Samsung devices with Exynos chips cannot generate keys with SHA-512 signature ◦ Some Xiaomi devices (e.g. Xiaomi 14) cannot sign byte arrays longer than 256 bytes if user authentication is required • Requiring StrongBox severely limits compatibility ◦ Hard to ﬁnd a list of devices and it is seldom mentioned in specs ◦ Probably only possible to use it in best eﬀort mode

Verify StrongBox support • Can be checked via PackageManager: packageManager.hasSystemFeature(PackageManager.FEATURE_STRONGBOX_KEYSTORE)
• Can’t be sure without trying to create a key and then check whether it is stored in StrongBox: keyInfo=.securityLevel == KeyProperties.SECURITY_LEVEL_STRONGBOX

SecureStorageCapabilitiesInspector App • Test app that shows secure storage capabilities
of the device ◦ github.com/balazsgerlei/AndroidSecureStorageCapabilitiesInspector

Devices We Found to Support StrongBox • We’ve found the
following device that support StrongBox (be aware of limitations): ◦ Google Pixels, starting with Pixel 3 ◦ Samsung Galaxy S S20 and newer, Note 20 and newer ◦ Xiaomi 14 and 15 ◦ OnePlus 12 and 13 ◦ Motorola ThinkPhone, Edge 30 Ultra and Fusion, Edge 50 Ultra ◦ Solana Saga, Seeker • An (also) incomplete list of devices can be found here: ◦ android-device-security.org/database/?realMeasurementsOnly=true &show=Strongbox&sortBy=COUNT%20Lab%20Strongbox%20True

Key Attestation Key attestation gives you more conﬁdence that the
keys you use in your app are stored in a device's hardware-backed keystore. Key attestation aims to provide a way to strongly determine if an asymmetric key pair is hardware-backed, what the properties of the key are, and what constraints are applied to its usage. developer.android.com/privacy-and-security/security-key-attestation

Key Attestation • Introduced with Android 7 (API 24) developer.android.com/privacy-and-security/security-key-attestation
• Only mandatory since Android 8 (API 26)

Key Attestation - Key Creation KeyGenParameterSpec.Builder .setAttestationChallenge Public + Private
Key Intermediate Certificates Certificate with Public Key Google Root Certificate Key Pair Certificate (Chain) X.509 Extensions developer.android.com/privacy-and-security/security-key-attestation AndroidKeystoreAttestation VerificationAttributes keyStore .getCertificateChain

Key Attestation - Validation • Verify Certificate Chain Integrity •
Verify Root Certificate is a Google Root Certificate • Checks using the information in the certificate extension: ◦ Boot state is verified ◦ The device bootloader is (un)locked ◦ The Keymaster version ◦ The Keymaster security level: SOFTWARE, TRUSTED_ENVIRONMENT or STRONGBOX ◦ Verify developer certificate signature ◦ Verify package name of the application developer.android.com/privacy-and-security/security-key-attestation

Key Attestation - Validation Result: What It Means • The
key is generated in a Google certiﬁed chipset • Type of key storage (TEE, StrongBox) • The key is unique • Non Rooted Device (?) developer.android.com/privacy-and-security/security-key-attestation

Key Attestation - Validation Result: What It Means • The
key is generated in a Google certiﬁed chipset • Type of key storage (TEE, StrongBox) • The key is unique • Non Rooted Device (?) ◦ Not necessarily (can be spoofed) developer.android.com/privacy-and-security/security-key-attestation

Key Attestation - Validation Result: What It Means • If
a device fails attestation, it probably either: ◦ Launched with Android 7.0 or older (and doesn't support hardware attestation) ▪ In this case, Android has a software implementation of attestation, producing the same sort of attestation certiﬁcate, but signed with a key hardcoded in Android source code. ◦ Isn't a Google Play certiﬁed device ▪ In that case, the device maker is free to create their own root and to make whatever claims they like about what the attestation means. developer.android.com/privacy-and-security/security-key-attestation

Key Attestation - Limitations / Issues • This is not
Application Attestation: ◦ Doesn’t guarantee that the client is a published app in the Play Store • A “snapshot” of the device state ◦ At the time of the key creation • Not all devices support Key Attestation developer.android.com/privacy-and-security/security-key-attestation

Android Key Attestation Veriﬁer Library • Google has a Kotlin
library for implementing Key Attestation: ◦ github.com/android/keyattestation

Takeaways • Choose the library that works best for you
• Don’t assume all devices work the same ◦ Be aware of implementation diﬀerences (Biometrics API, StrongBox, etc.) • Make sure to use a CryptoObject with the BiometricPrompt ◦ Validate the returned CryptoObject and actually use it to encrypt/decrypt or sign some data • Require user authentication for each key access (if possible) • Use Key Attestation to verify secure key storage server-side

Answers 1. Can two people have the same fingerprint? ◦
Yes, there are cases of different people with the same fingerprint 2. If my phone has biometric unlock can it be used in any app? ◦ Not necessarily (e.g. Class 1⃣ and 2⃣ Face Unlock) 3. If I use the androidx.biometric support library, can I use the same code on all devices? ◦ At the very least you need to be aware of the differences

Obrigado! Thank you! speakerdeck.com/balazsgerlei

No Two Biometrics (APIs) Are Alike // droidcon ...

No Two Biometrics (APIs) Are Alike // droidcon Lisbon 2025

More Decks by Balázs Gerlei

Other Decks in Programming

Featured

Transcript