Upgrade to PRO for Only $50/Year—Limited-Time Offer! 🔥

Overview of Biometric Auth

Avatar for Michael Bailey Michael Bailey
October 24, 2019
Programming
0
110

Overview of Biometric Auth

Avatar for Michael Bailey

Michael Bailey

October 24, 2019
Tweet

More Decks by Michael Bailey

See All by Michael Bailey
Ahmed Gad and Michael Bailey: Using Google Cloud Test Lab to improve the quality of Android apps: A case study from Amex
Avatar for Michael Bailey yogurtearl
2
570

Other Decks in Programming

See All in Programming
Developing static sites with Ruby
Avatar for Masafumi Okura okuramasafumi
0
330
re:Invent 2025 トレンドからみる製品開発への AI Agent 活用
Avatar for Kohei Yoshikawa yoskoh
0
430
ゲームの物理 剛体編
Avatar for Fadis fadis
0
370
AI Agent Tool のためのバックエンドアーキテクチャを考える #encraft
Avatar for izumin5210 izumin5210
4
1.3k
AIコーディングエージェント(Manus)
Avatar for kondai kondai24
0
220
実はマルチモーダルだった。ブラウザの組み込みAI🧠でWebの未来を感じてみよう #jsfes #gemini
Avatar for n0bisuke n0bisuke2
3
1.3k
愛される翻訳の秘訣
Avatar for Kishikawa Katsumi kishikawakatsumi
3
350
AI Agent Dojo #4: watsonx Orchestrate ADK体験
Avatar for Akira Onishi (IBM) oniak3ibm
PRO
0
110
Patterns of Patterns
Avatar for Denys Poltorak denyspoltorak
0
350
Combinatorial Interview Problems with Backtracking Solutions - From Imperative Procedural Programming to Declarative Functional Programming - Part 2
Avatar for Philip Schwarz philipschwarz
PRO
0
120
Context is King? 〜Verifiability時代とコンテキスト設計 / Beyond "Context is King"
Avatar for r-kagaya rkaga
10
1.4k
生成AI時代を勝ち抜くエンジニア組織マネジメント
Avatar for coconala_engineer coconala_engineer
0
19k

Featured

See All Featured
Done Done
Avatar for chrislema chrislema
186
16k
The agentic SEO stack - context over prompts
Avatar for schlessera schlessera
0
560
How to Align SEO within the Product Triangle To Get 
Buy-In & Support - #RIMC
Avatar for Aleyda Solis aleyda
1
1.3k
Marketing Yourself as an Engineer | Alaka | Gurzu
Avatar for Gurzu gurzu
0
91
Understanding Cognitive Biases in Performance Measurement
Avatar for Philip Tellis bluesmoon
32
2.8k
Fight the Zombie Pattern Library - RWD Summit 2016
Avatar for Marcelo Somers marcelosomers
234
17k
Building AI with AI
Avatar for Ines Montani inesmontani
PRO
1
570
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
Avatar for soudai sone soudai
PRO
196
70k
10 Git Anti Patterns You Should be Aware of
Avatar for Lemi Orhan Ergin lemiorhan
PRO
659
61k
The Limits of Empathy - UXLibs8
Avatar for Cassini Nazir cassininazir
1
190
How to optimise 3,500 product descriptions for ecommerce in one day using ChatGPT
Avatar for Katarina Dahlin katarinadahlin
PRO
0
3.4k
Why Our Code Smells
Avatar for Brandon Keepers bkeepers
PRO
340
57k

Transcript

  1. OVERVIEW OF BIOMETRIC AUTH MICHAEL BAILEY PRINCIPAL ENGINEER AT AMERICAN

    EXPRESS @YOGURTEARL

  2. https://americanexpress.io/android-jobs

  3. NOT SECURITY ADVICE Information in this talk should not be

    taken as security advice.The security needs of every application are different. Consult an InfoSec professional when designing and implementing security for your application.

  4. BIOMETRIC AUTH

  5. “LEGACY” FINGERPRINT MANAGER APIS - API 23+ package android.hardware.fingerprint; public

    class FingerprintManager { public boolean isHardwareDetected() public boolean hasEnrolledFingerprints() public void authenticate(@Nullable CryptoObject crypto, @Nullable CancellationSignal cancel, int flags, @NonNull AuthenticationCallback callback, Handler handler) }

  6. “LEGACY” FINGERPRINT MANAGER APIS - API 23+ <manifest xmlns:android="http:!"schemas.android.com/apk/res/android"> <uses-permission

    android:name="android.permission.USE_FINGERPRINT"#$ %&manifest>

  7. “LEGACY” FINGERPRINT MANAGER APIS - API 23+ val fp: FingerprintManager

    = requireContext() .getSystemService(FingerprintManager'(class.java)

  8. “LEGACY” FINGERPRINT MANAGER APIS - API 23+ if (Build.VERSION.SDK_INT )*

    23) { val fp: FingerprintManager = requireContext() .getSystemService(FingerprintManager'(class.java) … }

  9. “LEGACY” FINGERPRINT MANAGER APIS - API 23+ package android.hardware.fingerprint; public

    class FingerprintManager { public boolean isHardwareDetected() public boolean hasEnrolledFingerprints() public void authenticate(@Nullable CryptoObject crypto, @Nullable CancellationSignal cancel, int flags, @NonNull AuthenticationCallback callback, Handler handler) } public boolean isHardwareDetected()

  10. “LEGACY” FINGERPRINT MANAGER APIS - API 23+ if (Build.VERSION.SDK_INT )*

    23) { val fp: FingerprintManager = requireContext() .getSystemService(FingerprintManager'(class.java) if (fp.isHardwareDetected) { !" Some low end devices don’t have fingerprint sensor !" or sensor can’t be used to unlock keys } } if (fp.isHardwareDetected) { !" Some low end devices don’t have fingerprint sensor !" or sensor can’t be used to unlock keys

  11. “LEGACY” FINGERPRINT MANAGER APIS - API 23+ context.getPackageManager().hasSystemFeature(FEATURE_FINGERPRINT)

  12. “LEGACY” FINGERPRINT MANAGER APIS - API 23+ package android.hardware.fingerprint; public

    class FingerprintManager { public boolean isHardwareDetected() public boolean hasEnrolledFingerprints() public void authenticate(@Nullable CryptoObject crypto, @Nullable CancellationSignal cancel, int flags, @NonNull AuthenticationCallback callback, Handler handler) } public boolean hasEnrolledFingerprints()

  13. “LEGACY” FINGERPRINT MANAGER APIS - API 23+ if (Build.VERSION.SDK_INT )*

    23) { val fp: FingerprintManager = requireContext() .getSystemService(FingerprintManager'(class.java) if (fp.isHardwareDetected) { if (fp.hasEnrolledFingerprints()){ fp.authenticate(+,-) } else { !" tell user to go setup fingerprints in OS settings } } } if (fp.hasEnrolledFingerprints()){

  14. “LEGACY” FINGERPRINT MANAGER APIS - API 23+ Caused by: java.lang.SecurityException:

    Permission Denial: getCurrentUser() from pid=12045, uid=10028 r android.permission.INTERACT_ACROSS_USERS at android.os.Parcel.readException(Parcel.java:1620) at android.os.Parcel.readException(Parcel.java:1573) at android.hardware.fingerprint. IFingerprintService$Stub$Proxy.hasEnrolledFingerprints(IFingerpr at android.hardware.fingerprint. FingerprintManager.hasEnrolledFingerprints(FingerprintManager.ja java.lang.SecurityException: FingerprintManager.hasEnrolledFingerprints

  15. “LEGACY” FINGERPRINT MANAGER APIS - API 23+ if (Build.VERSION.SDK_INT )*

    23) { val fp: FingerprintManager = requireContext() .getSystemService(FingerprintManager'(class.java) if (fp.isHardwareDetected) { if (fp.hasEnrolledFingerprints()){ +,- } else { !" tell user to go setup fingerprints in OS settings } } } if (fp.hasEnrolledFingerprints()){ !" tell user to go setup fingerprints in OS settings

  16. “LEGACY” FINGERPRINT MANAGER APIS - API 23+ package android.hardware.fingerprint; public

    class FingerprintManager { public boolean isHardwareDetected() public boolean hasEnrolledFingerprints() public void authenticate(@Nullable CryptoObject crypto, @Nullable CancellationSignal cancel, int flags, @NonNull AuthenticationCallback callback, Handler handler) } public void authenticate(@Nullable CryptoObject crypto, @Nullable CancellationSignal cancel, int flags, @NonNull AuthenticationCallback callback, Handler handler)

  17. if (Build.VERSION.SDK_INT )* 23) { val fp: FingerprintManager = requireContext()

    .getSystemService(FingerprintManager'(class.java) if (fp.isHardwareDetected) { if (fp.hasEnrolledFingerprints()){ fp.authenticate(+,-) } else { !" tell user to go setup fingerprints in OS settings } } } fp.authenticate(+,-) “LEGACY” FINGERPRINT MANAGER APIS - API 23+

  18. “LEGACY” FINGERPRINT MANAGER APIS - API 23+ package android.hardware.fingerprint; public

    class FingerprintManager { public boolean isHardwareDetected() public boolean hasEnrolledFingerprints() public void authenticate(@Nullable CryptoObject crypto, @Nullable CancellationSignal cancel, int flags, @NonNull AuthenticationCallback callback, Handler handler) } public void authenticate(@Nullable CryptoObject crypto, @Nullable CancellationSignal cancel, int flags, @NonNull AuthenticationCallback callback, Handler handler)

  19. FingerprintDialogKotlin https://github.com/android/security-samples/tree/master/FingerprintDialogKotlin

  20. FingerprintDialogKotlin

  21. android.os.CancellationSignal package android.hardware.fingerprint; public class FingerprintManager { public boolean isHardwareDetected()

    public boolean hasEnrolledFingerprints() public void authenticate(@Nullable CryptoObject crypto, @Nullable CancellationSignal cancel, int flags, @NonNull AuthenticationCallback callback, Handler handler) } @Nullable CancellationSignal cancel,

  22. android.os.CancellationSignal val cancel = CancellationSignal() fp.authenticate(+,-, cancel,+,-) cancelButton.setOnClickListener { cancel.cancel()

    }

  23. FingerprintManager.authenticate() package android.hardware.fingerprint; public class FingerprintManager { public boolean isHardwareDetected()

    public boolean hasEnrolledFingerprints() public void authenticate(@Nullable CryptoObject crypto, @Nullable CancellationSignal cancel, int flags, @NonNull AuthenticationCallback callback, Handler handler) } int flags,

  24. FingerprintManager.authenticate() package android.hardware.fingerprint; public class FingerprintManager { public boolean isHardwareDetected()

    public boolean hasEnrolledFingerprints() public void authenticate(@Nullable CryptoObject crypto, @Nullable CancellationSignal cancel, int flags, @NonNull AuthenticationCallback callback, Handler handler) } Handler handler

  25. CryptoObject package android.hardware.fingerprint; public class FingerprintManager { public boolean isHardwareDetected()

    public boolean hasEnrolledFingerprints() public void authenticate(@Nullable CryptoObject crypto, @Nullable CancellationSignal cancel, int flags, @NonNull AuthenticationCallback callback, Handler handler) } @Nullable CryptoObject crypto

  26. CryptoObject package android.hardware.fingerprint; public class FingerprintManager { public static final

    class CryptoObject { public CryptoObject(@NonNull Signature signature) {…} public CryptoObject(@NonNull Cipher cipher) {…} public CryptoObject(@NonNull Mac mac) {…} public Signature getSignature() {…} public Cipher getCipher() {…} public Mac getMac() {…} } } public static final class CryptoObject { public CryptoObject(@NonNull Signature signature) {…} public CryptoObject(@NonNull Cipher cipher) {…} public CryptoObject(@NonNull Mac mac) {…} public java.security.Signature getSignature() {…} public javax.crypto.Cipher getCipher() {…} public javax.crypto.Mac getMac() {…} }

  27. FingerprintManager.authenticate() package android.hardware.fingerprint; public class FingerprintManager { public boolean isHardwareDetected()

    public boolean hasEnrolledFingerprints() public void authenticate(@Nullable CryptoObject crypto, @Nullable CancellationSignal cancel, int flags, @NonNull AuthenticationCallback callback, Handler handler) } @NonNull AuthenticationCallback callback

  28. FingerprintManager.authenticate() package android.hardware.fingerprint; public class FingerprintManager { public static abstract

    class AuthenticationCallback { public void onAuthenticationError(int errorCode, CharSequence errString) public void onAuthenticationHelp(int helpCode, CharSequence helpString) public void onAuthenticationFailed() public void onAuthenticationSucceeded(AuthenticationResult result) } } AuthenticationCallback onAuthenticationError

  29. FingerprintManager.authenticate() package android.hardware.fingerprint; public class FingerprintManager { public static abstract

    class AuthenticationCallback { public void onAuthenticationError(int errorCode, CharSequence errString) public void onAuthenticationHelp(int helpCode, CharSequence helpString) public void onAuthenticationFailed() public void onAuthenticationSucceeded(AuthenticationResult result) } } AuthenticationCallback onAuthenticationHelp

  30. FingerprintManager.authenticate() package android.hardware.fingerprint; public class FingerprintManager { public static abstract

    class AuthenticationCallback { public void onAuthenticationError(int errorCode, CharSequence errString) public void onAuthenticationHelp(int helpCode, CharSequence helpString) public void onAuthenticationFailed() public void onAuthenticationSucceeded(AuthenticationResult result) } } AuthenticationCallback onAuthenticationFailed

  31. FingerprintManager.authenticate() package android.hardware.fingerprint; public class FingerprintManager { public static abstract

    class AuthenticationCallback { public void onAuthenticationError(int errorCode, CharSequence errString) public void onAuthenticationHelp(int helpCode, CharSequence helpString) public void onAuthenticationFailed() public void onAuthenticationSucceeded(AuthenticationResult result) } } AuthenticationCallback onAuthenticationSucceeded(AuthenticationResult result)

  32. FingerprintManager.authenticate() package android.hardware.fingerprint; public class FingerprintManager { public static class

    AuthenticationResult { public CryptoObject getCryptoObject() } } public static class AuthenticationResult { public CryptoObject getCryptoObject() }

  33. CryptoObject package android.hardware.fingerprint; public class FingerprintManager { public static final

    class CryptoObject { public CryptoObject(@NonNull Signature signature) {…} public CryptoObject(@NonNull Cipher cipher) {…} public CryptoObject(@NonNull Mac mac) {…} public Signature getSignature() {…} public Cipher getCipher() {…} public Mac getMac() {…} } } public static final class CryptoObject { public CryptoObject(@NonNull Signature signature) {…} public CryptoObject(@NonNull Cipher cipher) {…} public CryptoObject(@NonNull Mac mac) {…} public java.security.Signature getSignature() {…} public javax.crypto.Cipher getCipher() {…} public javax.crypto.Mac getMac() {…} }

  34. AndroidX FingerprintManagerCompat package androidx.core.hardware.fingerprint; public class FingerprintManagerCompat { … }

    implementation "androidx.core:core:$androidx_core_version"

  35. AndroidX FingerprintManagerCompat package androidx.core.hardware.fingerprint; public class FingerprintManagerCompat { … }

    DEPRECATED implementation "androidx.core:core:$androidx_core_version"

  36. BIOMETRIC PROMPT APIS - API 28+ package android.hardware.biometrics; public class

    BiometricPrompt { public static class Builder { public Builder(Context) public Builder setTitle(CharSequence) public Builder setSubtitle(CharSequence) public Builder setDescription(CharSequence) public Builder setNegativeButton(CharSequence) public Builder setConfirmationRequired(boolean) !" API 29 public Builder setDeviceCredentialAllowed(boolean) !" API 29 public BiometricPrompt build() } public void authenticate(@NonNull CryptoObject crypto, @NonNull CancellationSignal cancel, @NonNull Executor executor, @NonNull AuthenticationCallback callback) }

  37. BIOMETRIC PROMPT APIS - API 28+ package android.hardware.biometrics; public class

    BiometricPrompt { public static class Builder { public Builder(Context) public Builder setTitle(CharSequence) public Builder setSubtitle(CharSequence) public Builder setDescription(CharSequence) public Builder setNegativeButton(CharSequence) public Builder setConfirmationRequired(boolean) public Builder setDeviceCredentialAllowed(boolean) public BiometricPrompt build() } public void authenticate(@NonNull CryptoObject crypto, @NonNull CancellationSignal cancel, @NonNull Executor executor, @NonNull AuthenticationCallback callback) } public BiometricPrompt build()

  38. BIOMETRIC PROMPT APIS - API 28+ package android.hardware.biometrics; public class

    BiometricPrompt { public static class Builder { public Builder(Context) public Builder setTitle(CharSequence) public Builder setSubtitle(CharSequence) public Builder setDescription(CharSequence) public Builder setNegativeButton(CharSequence) public Builder setConfirmationRequired(boolean) public Builder setDeviceCredentialAllowed(boolean) public BiometricPrompt build() } public void authenticate(@NonNull CryptoObject crypto, @NonNull CancellationSignal cancel, @NonNull Executor executor, @NonNull AuthenticationCallback callback) } @NonNull Executor executor, authenticate(

  39. BIOMETRIC PROMPT APIS - API 28+ package android.hardware.biometrics; public class

    BiometricPrompt { public static class Builder { public Builder(Context) public Builder setTitle(CharSequence) public Builder setSubtitle(CharSequence) public Builder setDescription(CharSequence) public Builder setNegativeButton(CharSequence) public Builder setConfirmationRequired(boolean) public Builder setDeviceCredentialAllowed(boolean) public BiometricPrompt build() } public void authenticate(@NonNull CryptoObject crypto, @NonNull CancellationSignal cancel, @NonNull Executor executor, @NonNull AuthenticationCallback callback) } authenticate(

  40. BIOMETRIC PROMPT APIS - API 28+ package android.hardware.biometrics; public class

    BiometricPrompt { public static class Builder { public Builder(Context) public Builder setTitle(CharSequence) public Builder setSubtitle(CharSequence) public Builder setDescription(CharSequence) public Builder setNegativeButton(CharSequence) public Builder setConfirmationRequired(boolean) !" API 29+ public Builder setDeviceCredentialAllowed(boolean) !" API 29+ public BiometricPrompt build() } public void authenticate(@NonNull CryptoObject crypto, @NonNull CancellationSignal cancel, @NonNull Executor executor, @NonNull AuthenticationCallback callback) }

  41. BIOMETRIC PROMPT APIS - API 29+ package android.hardware.biometrics; public class

    BiometricManager { @IntDef({BIOMETRIC_SUCCESS, BIOMETRIC_ERROR_HW_UNAVAILABLE, BIOMETRIC_ERROR_NONE_ENROLLED, BIOMETRIC_ERROR_NO_HARDWARE}) @interface BiometricError {} public @BiometricError int canAuthenticate() }

  42. BIOMETRIC PROMPT APIS if (VERSION.SDK_INT )* VERSION_CODES.Q) { val biometricManager

    = this.getSystemService(BiometricManager'(class.java) when (biometricManager.canAuthenticate()) { !" Suppress biometric UI BIOMETRIC_ERROR_NO_HARDWARE, BIOMETRIC_ERROR_HW_UNAVAILABLE ./ suppressBiometrics() !" ask user to Enroll BIOMETRIC_ERROR_NONE_ENROLLED ./ startActivity(Intent(ACTION_FINGERPRINT_ENROLL)) !" Use biometrics BIOMETRIC_SUCCESS ./ { val biometricPrompt = BiometricPrompt.Builder(this) .setTitle("Login") .build() biometricPrompt.authenticate(+,-) } } }

  43. CHALLENGES • FingerprintManager • API 23+ • No UI provided

    • no Iris or Face Auth • BiometricPrompt • API 28+ • Provides a UI • BiometricManager.canAuthenticate() only API 29+

  44. androidx.biometric - API 14+ implementation "androidx.biometric:biometric:1.0.0-rc02"

  45. androidx.biometric - API 14+ val biometricManager = BiometricManager.from(context) when (biometricManager.canAuthenticate())

    { !" Suppress biometric UI BIOMETRIC_ERROR_NO_HARDWARE, BIOMETRIC_ERROR_HW_UNAVAILABLE ./ suppressBiometrics() !" ask user to Enroll BIOMETRIC_ERROR_NONE_ENROLLED ./ startActivity(Intent(ACTION_FINGERPRINT_ENROLL)) !" Use biometrics BIOMETRIC_SUCCESS ./ { val promptInfo = BiometricPrompt.PromptInfo.Builder() .setTitle("Login") .build() val biometricPrompt = BiometricPrompt(fragmentActivity, executor, authenticationCallback) biometricPrompt.authenticate(promptInfo, cryptoObject) } } BiometricManager.from(context)

  46. androidx.biometric - API 14+ val biometricManager = BiometricManager.from(context) when (biometricManager.canAuthenticate())

    { !" Suppress biometric UI BIOMETRIC_ERROR_NO_HARDWARE, BIOMETRIC_ERROR_HW_UNAVAILABLE ./ suppressBiometrics() !" ask user to Enroll BIOMETRIC_ERROR_NONE_ENROLLED ./ startActivity(Intent(ACTION_FINGERPRINT_ENROLL)) !" Use biometrics BIOMETRIC_SUCCESS ./ { val promptInfo = BiometricPrompt.PromptInfo.Builder() .setTitle("Login") .build() val biometricPrompt = BiometricPrompt(fragmentActivity, executor, authenticationCallback) biometricPrompt.authenticate(promptInfo, cryptoObject) } } biometricManager.canAuthenticate()

  47. androidx.biometric - API 14+ val biometricManager = BiometricManager.from(context) when (biometricManager.canAuthenticate())

    { !" Suppress biometric UI BIOMETRIC_ERROR_NO_HARDWARE, BIOMETRIC_ERROR_HW_UNAVAILABLE ./ suppressBiometrics() !" ask user to Enroll BIOMETRIC_ERROR_NONE_ENROLLED ./ startActivity(Intent(ACTION_FINGERPRINT_ENROLL)) !" Use biometrics BIOMETRIC_SUCCESS ./ { val promptInfo = BiometricPrompt.PromptInfo.Builder() .setTitle("Login") .build() val biometricPrompt = BiometricPrompt(fragmentActivity, executor, authenticationCallback) biometricPrompt.authenticate(promptInfo, cryptoObject) } } BiometricPrompt.PromptInfo.Builder()

  48. androidx.biometric - API 14+ val biometricManager = BiometricManager.from(context) when (biometricManager.canAuthenticate())

    { !" Suppress biometric UI BIOMETRIC_ERROR_NO_HARDWARE, BIOMETRIC_ERROR_HW_UNAVAILABLE ./ suppressBiometrics() !" ask user to Enroll BIOMETRIC_ERROR_NONE_ENROLLED ./ startActivity(Intent(ACTION_FINGERPRINT_ENROLL)) !" Use biometrics BIOMETRIC_SUCCESS ./ { val promptInfo = BiometricPrompt.PromptInfo.Builder() .setTitle("Login") .build() val biometricPrompt = BiometricPrompt(fragmentActivity, executor, authenticationCallback) biometricPrompt.authenticate(promptInfo, cryptoObject) } } BiometricPrompt(fragmentActivity,

  49. androidx.biometric - API 14+ val biometricManager = BiometricManager.from(context) when (biometricManager.canAuthenticate())

    { !" Suppress biometric UI BIOMETRIC_ERROR_NO_HARDWARE, BIOMETRIC_ERROR_HW_UNAVAILABLE ./ suppressBiometrics() !" ask user to Enroll BIOMETRIC_ERROR_NONE_ENROLLED ./ startActivity(Intent(ACTION_FINGERPRINT_ENROLL)) !" Use biometrics BIOMETRIC_SUCCESS ./ { val promptInfo = BiometricPrompt.PromptInfo.Builder() .setTitle("Login") .build() val biometricPrompt = BiometricPrompt(fragmentActivity, executor, authenticationCallback) biometricPrompt.authenticate(promptInfo, cryptoObject) } } biometricPrompt.authenticate(

  50. API 23 API 29

  51. None

  52. API 28 API 28 API 28

  53. hasSystemFeature() !" API 24 context.getPackageManager().hasSystemFeature(FEATURE_FINGERPRINT) !" API 29 context.getPackageManager().hasSystemFeature(FEATURE_IRIS) !"

    API 29 context.getPackageManager().hasSystemFeature(FEATURE_FACE)

  54. CryptoObject package android.hardware.fingerprint; public class FingerprintManager { public static final

    class CryptoObject { public CryptoObject(@NonNull Signature signature) {…} public CryptoObject(@NonNull Cipher cipher) {…} public CryptoObject(@NonNull Mac mac) {…} public Signature getSignature() {…} public Cipher getCipher() {…} public Mac getMac() {…} } } public static final class CryptoObject { public CryptoObject(@NonNull Signature signature) {…} public CryptoObject(@NonNull Cipher cipher) {…} public CryptoObject(@NonNull Mac mac) {…} public java.security.Signature getSignature() {…} public javax.crypto.Cipher getCipher() {…} public javax.crypto.Mac getMac() {…} }

  55. KeyGenParameterSpec val keyGenerator = KeyGenerator.getInstance(KEY_ALGORITHM_AES, "AndroidKeyStore") keyGenerator.init( Builder("BiometricKey", KeyProperties.PURPOSE_ENCRYPT or

    KeyProperties.PURPOSE_DECRYPT) .setBlockModes(KeyProperties.BLOCK_MODE_GCM) .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE) .setUserAuthenticationRequired(true) .setInvalidatedByBiometricEnrollment(true) !" API 24+ .build()) keyGenerator.generateKey()

  56. KeyGenParameterSpec val keyGenerator = KeyGenerator.getInstance(KEY_ALGORITHM_AES, "AndroidKeyStore") keyGenerator.init( Builder("BiometricKey", KeyProperties.PURPOSE_ENCRYPT or

    KeyProperties.PURPOSE_DECRYPT) .setBlockModes(KeyProperties.BLOCK_MODE_GCM) .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE) .setUserAuthenticationRequired(true) .setInvalidatedByBiometricEnrollment(true) !" API 24+ .build()) keyGenerator.generateKey() "AndroidKeyStore"

  57. KeyGenParameterSpec val keyGenerator = KeyGenerator.getInstance(KEY_ALGORITHM_AES, "AndroidKeyStore") keyGenerator.init( Builder("BiometricKey", KeyProperties.PURPOSE_ENCRYPT or

    KeyProperties.PURPOSE_DECRYPT) .setBlockModes(KeyProperties.BLOCK_MODE_GCM) .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE) .setUserAuthenticationRequired(true) .setInvalidatedByBiometricEnrollment(true) !" API 24+ .build()) keyGenerator.generateKey() "BiometricKey"

  58. KeyGenParameterSpec val keyGenerator = KeyGenerator.getInstance(KEY_ALGORITHM_AES, "AndroidKeyStore") keyGenerator.init( Builder("BiometricKey", KeyProperties.PURPOSE_ENCRYPT or

    KeyProperties.PURPOSE_DECRYPT) .setBlockModes(KeyProperties.BLOCK_MODE_GCM) .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE) .setUserAuthenticationRequired(true) .setInvalidatedByBiometricEnrollment(true) !" API 24+ .build()) keyGenerator.generateKey() .setUserAuthenticationRequired(true)

  59. KeyGenParameterSpec val keyGenerator = KeyGenerator.getInstance(KEY_ALGORITHM_AES, "AndroidKeyStore") keyGenerator.init( Builder("BiometricKey", KeyProperties.PURPOSE_ENCRYPT or

    KeyProperties.PURPOSE_DECRYPT) .setBlockModes(KeyProperties.BLOCK_MODE_GCM) .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE) .setUserAuthenticationRequired(true) .setInvalidatedByBiometricEnrollment(true) !" API 24+ .build()) keyGenerator.generateKey() .setInvalidatedByBiometricEnrollment(true)

  60. KeyGenParameterSpec val keyGenerator = KeyGenerator.getInstance(KEY_ALGORITHM_AES, "AndroidKeyStore") keyGenerator.init( Builder("BiometricKey", KeyProperties.PURPOSE_ENCRYPT or

    KeyProperties.PURPOSE_DECRYPT) .setBlockModes(KeyProperties.BLOCK_MODE_GCM) .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE) .setUserAuthenticationRequired(true) .setInvalidatedByBiometricEnrollment(true) !" API 24+ .build()) keyGenerator.generateKey() .generateKey()

  61. KeyGenParameterSpec val keyGenerator = KeyGenerator.getInstance(KEY_ALGORITHM_AES, "AndroidKeyStore") keyGenerator.init( Builder("BiometricKey", KeyProperties.PURPOSE_ENCRYPT or

    KeyProperties.PURPOSE_DECRYPT) .setBlockModes(KeyProperties.BLOCK_MODE_GCM) .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE) .setUserAuthenticationRequired(true) .setInvalidatedByBiometricEnrollment(true) !" API 24+ .build()) keyGenerator.generateKey() .generateKey()

  62. CryptoObject val keyStore: KeyStore = KeyStore.getInstance("AndroidKeyStore") keyStore.load(null) 
 val key

    = keyStore.getKey("BiometricKey", null) as SecretKey val cipher: Cipher = Cipher.getInstance("AES/GCM/NoPadding") cipher.init(Cipher.DECRYPT_MODE, key) 
 val cryptoObject = BiometricPrompt.CryptoObject(cipher) "AndroidKeyStore"

  63. CryptoObject val keyStore: KeyStore = KeyStore.getInstance("AndroidKeyStore") keyStore.load(null) 
 val key

    = keyStore.getKey("BiometricKey", null) as SecretKey val cipher: Cipher = Cipher.getInstance("AES/GCM/NoPadding") cipher.init(Cipher.DECRYPT_MODE, key) 
 val cryptoObject = BiometricPrompt.CryptoObject(cipher) "BiometricKey"

  64. CryptoObject val keyStore: KeyStore = KeyStore.getInstance("AndroidKeyStore") keyStore.load(null) 
 val key

    = keyStore.getKey("BiometricKey", null) as SecretKey val cipher: Cipher = Cipher.getInstance("AES/GCM/NoPadding") cipher.init(Cipher.DECRYPT_MODE, key) 
 val cryptoObject = BiometricPrompt.CryptoObject(cipher) key key cipher cipher cryptoObject

  65. Key Attestation https://developer.android.com/training/articles/security-key-attestation 1. Key Storage: Software, TrustedEnvironment, StrongBox 2.

    User Authentication Type

  66. FILE BUGS! https://issuetracker.google.com/issues/new?component=559537

  67. DOCS • Authenticating to remote servers using the Fingerprint API

    • https://android-developers.googleblog.com/2015/10/new-in-android-samples-authenticating.html • FingerprintManager Sample: • https://github.com/android/security-samples/tree/master/FingerprintDialogKotlin • Warning, always use CryptoObject, despite the example in this doc -> • https://developer.android.com/training/sign-in/biometric-auth • BiometricPrompt Sample: • https://android.googlesource.com/platform/frameworks/support/+/refs/ heads/androidx-master-dev/samples/BiometricDemos/

  68. BIOMETRIC AUTH IMPORTANT TAKE AWAYS • Use androidx.biometric • Always

    use CryptoObject • Consult with InfoSec Professionals

  69. THANKS https://americanexpress.io/android-jobs

  70. Code samples are 
 Copyright The Android Open Source Project

    And Licensed under the Apache License, Version 2.0