Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Overview of Biometric Auth

Avatar for Michael Bailey Michael Bailey
October 24, 2019
Programming
120
0

Overview of Biometric Auth

Avatar for Michael Bailey

Michael Bailey

October 24, 2019

More Decks by Michael Bailey

See All by Michael Bailey
Ahmed Gad and Michael Bailey: Using Google Cloud Test Lab to improve the quality of Android apps: A case study from Amex
Avatar for Michael Bailey yogurtearl
2
580

Other Decks in Programming

See All in Programming
Developing with AI Agents — Codex, Claude Code & Cowork Practical Guide
Avatar for Daisuke Masuda x5gtrn
PRO
0
1.3k
DynamoDBには集計系のクエリがないけどなんとかしたい
Avatar for 村上優稀 musan
1
180
Honoでのサプライチェーン侵害対策 〜 3つのライブラリに学ぶ
Avatar for Yusuke Wada yusukebe
7
1.4k
エンジニア向け会社紹介/Findy Company Profile
Avatar for Findy findyinc
6
350k
Signal Forms: Details & Live Coding @enterJS 2026 in Mannheim
Avatar for Manfred Steyer manfredsteyer
PRO
0
160
Spring Security 実践 ─ GraphQL APIで実務に役立つ 認証・認可 を学ぶ
Avatar for Wagyu wagyu
0
250
The NotImplementedError Problem in Ruby
Avatar for Koichi ITO koic
1
870
Language Server 使ってる? 〜VSCode と Zed の場合〜 / Are you using a Language Server? ~For VS Code and Zed~
Avatar for NAGATA Hiroaki handlename
0
800
Javaの型とAI時代に型が大事な理由 / java types and type in AI era
Avatar for Naoki Kishida kishida
2
150
依存関係から依存物へ―Dependencyという言葉の歴史をひも解く
Avatar for j_lee_inst j_lee
0
130
ふつうのFeature Flag実践入門
Avatar for irof irof
8
4.1k
Make SRE Operations Easier with Azure SRE Agent
Avatar for KAMEGAWA Kazushi kkamegawa
0
7.1k

Featured

See All Featured
The browser strikes back
Avatar for Jono Alderson jonoalderson
0
1.3k
AI: The stuff that nobody shows you
Avatar for John Nunemaker jnunemaker
PRO
8
720
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
Avatar for Vitaly Friedman smashingmag
254
22k
Introduction to Domain-Driven Design and Collaborative software design
Avatar for Kenny Baas-Schwegler baasie
1
860
SEO for Brand Visibility & Recognition
Avatar for Aleyda Solis aleyda
0
4.6k
Code Reviewing Like a Champion
Avatar for maltzj maltzj
528
40k
[RailsConf 2023] Rails as a piece of cake
Avatar for Vladimir Dementyev palkan
59
6.7k
Information Architects: The Missing Link in Design Systems
Avatar for Michelle Chin soysaucechin
0
980
Bioeconomy Workshop: Dr. Julius Ecuru, Opportunities for a Bioeconomy in West Africa
Avatar for AKADEMIYA2063 akademiya2063
PRO
1
150
More Than Pixels: Becoming A User Experience Designer
Avatar for Michelle Schulp Hunt marktimemedia
3
440
Hiding What from Whom? A Critical Review of the History of Programming languages for Music
Avatar for Tomoya Matsuura tomoyanonymous
2
870
16th Malabo Montpellier Forum Presentation
Avatar for AKADEMIYA2063 akademiya2063
PRO
0
150

Transcript

  1. OVERVIEW OF BIOMETRIC AUTH MICHAEL BAILEY PRINCIPAL ENGINEER AT AMERICAN

    EXPRESS @YOGURTEARL

  2. https://americanexpress.io/android-jobs

  3. NOT SECURITY ADVICE Information in this talk should not be

    taken as security advice.The security needs of every application are different. Consult an InfoSec professional when designing and implementing security for your application.

  4. BIOMETRIC AUTH

  5. “LEGACY” FINGERPRINT MANAGER APIS - API 23+ package android.hardware.fingerprint; public

    class FingerprintManager { public boolean isHardwareDetected() public boolean hasEnrolledFingerprints() public void authenticate(@Nullable CryptoObject crypto, @Nullable CancellationSignal cancel, int flags, @NonNull AuthenticationCallback callback, Handler handler) }

  6. “LEGACY” FINGERPRINT MANAGER APIS - API 23+ <manifest xmlns:android="http:!"schemas.android.com/apk/res/android"> <uses-permission

    android:name="android.permission.USE_FINGERPRINT"#$ %&manifest>

  7. “LEGACY” FINGERPRINT MANAGER APIS - API 23+ val fp: FingerprintManager

    = requireContext() .getSystemService(FingerprintManager'(class.java)

  8. “LEGACY” FINGERPRINT MANAGER APIS - API 23+ if (Build.VERSION.SDK_INT )*

    23) { val fp: FingerprintManager = requireContext() .getSystemService(FingerprintManager'(class.java) … }

  9. “LEGACY” FINGERPRINT MANAGER APIS - API 23+ package android.hardware.fingerprint; public

    class FingerprintManager { public boolean isHardwareDetected() public boolean hasEnrolledFingerprints() public void authenticate(@Nullable CryptoObject crypto, @Nullable CancellationSignal cancel, int flags, @NonNull AuthenticationCallback callback, Handler handler) } public boolean isHardwareDetected()

  10. “LEGACY” FINGERPRINT MANAGER APIS - API 23+ if (Build.VERSION.SDK_INT )*

    23) { val fp: FingerprintManager = requireContext() .getSystemService(FingerprintManager'(class.java) if (fp.isHardwareDetected) { !" Some low end devices don’t have fingerprint sensor !" or sensor can’t be used to unlock keys } } if (fp.isHardwareDetected) { !" Some low end devices don’t have fingerprint sensor !" or sensor can’t be used to unlock keys

  11. “LEGACY” FINGERPRINT MANAGER APIS - API 23+ context.getPackageManager().hasSystemFeature(FEATURE_FINGERPRINT)

  12. “LEGACY” FINGERPRINT MANAGER APIS - API 23+ package android.hardware.fingerprint; public

    class FingerprintManager { public boolean isHardwareDetected() public boolean hasEnrolledFingerprints() public void authenticate(@Nullable CryptoObject crypto, @Nullable CancellationSignal cancel, int flags, @NonNull AuthenticationCallback callback, Handler handler) } public boolean hasEnrolledFingerprints()

  13. “LEGACY” FINGERPRINT MANAGER APIS - API 23+ if (Build.VERSION.SDK_INT )*

    23) { val fp: FingerprintManager = requireContext() .getSystemService(FingerprintManager'(class.java) if (fp.isHardwareDetected) { if (fp.hasEnrolledFingerprints()){ fp.authenticate(+,-) } else { !" tell user to go setup fingerprints in OS settings } } } if (fp.hasEnrolledFingerprints()){

  14. “LEGACY” FINGERPRINT MANAGER APIS - API 23+ Caused by: java.lang.SecurityException:

    Permission Denial: getCurrentUser() from pid=12045, uid=10028 r android.permission.INTERACT_ACROSS_USERS at android.os.Parcel.readException(Parcel.java:1620) at android.os.Parcel.readException(Parcel.java:1573) at android.hardware.fingerprint. IFingerprintService$Stub$Proxy.hasEnrolledFingerprints(IFingerpr at android.hardware.fingerprint. FingerprintManager.hasEnrolledFingerprints(FingerprintManager.ja java.lang.SecurityException: FingerprintManager.hasEnrolledFingerprints

  15. “LEGACY” FINGERPRINT MANAGER APIS - API 23+ if (Build.VERSION.SDK_INT )*

    23) { val fp: FingerprintManager = requireContext() .getSystemService(FingerprintManager'(class.java) if (fp.isHardwareDetected) { if (fp.hasEnrolledFingerprints()){ +,- } else { !" tell user to go setup fingerprints in OS settings } } } if (fp.hasEnrolledFingerprints()){ !" tell user to go setup fingerprints in OS settings

  16. “LEGACY” FINGERPRINT MANAGER APIS - API 23+ package android.hardware.fingerprint; public

    class FingerprintManager { public boolean isHardwareDetected() public boolean hasEnrolledFingerprints() public void authenticate(@Nullable CryptoObject crypto, @Nullable CancellationSignal cancel, int flags, @NonNull AuthenticationCallback callback, Handler handler) } public void authenticate(@Nullable CryptoObject crypto, @Nullable CancellationSignal cancel, int flags, @NonNull AuthenticationCallback callback, Handler handler)

  17. if (Build.VERSION.SDK_INT )* 23) { val fp: FingerprintManager = requireContext()

    .getSystemService(FingerprintManager'(class.java) if (fp.isHardwareDetected) { if (fp.hasEnrolledFingerprints()){ fp.authenticate(+,-) } else { !" tell user to go setup fingerprints in OS settings } } } fp.authenticate(+,-) “LEGACY” FINGERPRINT MANAGER APIS - API 23+

  18. “LEGACY” FINGERPRINT MANAGER APIS - API 23+ package android.hardware.fingerprint; public

    class FingerprintManager { public boolean isHardwareDetected() public boolean hasEnrolledFingerprints() public void authenticate(@Nullable CryptoObject crypto, @Nullable CancellationSignal cancel, int flags, @NonNull AuthenticationCallback callback, Handler handler) } public void authenticate(@Nullable CryptoObject crypto, @Nullable CancellationSignal cancel, int flags, @NonNull AuthenticationCallback callback, Handler handler)

  19. FingerprintDialogKotlin https://github.com/android/security-samples/tree/master/FingerprintDialogKotlin

  20. FingerprintDialogKotlin

  21. android.os.CancellationSignal package android.hardware.fingerprint; public class FingerprintManager { public boolean isHardwareDetected()

    public boolean hasEnrolledFingerprints() public void authenticate(@Nullable CryptoObject crypto, @Nullable CancellationSignal cancel, int flags, @NonNull AuthenticationCallback callback, Handler handler) } @Nullable CancellationSignal cancel,

  22. android.os.CancellationSignal val cancel = CancellationSignal() fp.authenticate(+,-, cancel,+,-) cancelButton.setOnClickListener { cancel.cancel()

    }

  23. FingerprintManager.authenticate() package android.hardware.fingerprint; public class FingerprintManager { public boolean isHardwareDetected()

    public boolean hasEnrolledFingerprints() public void authenticate(@Nullable CryptoObject crypto, @Nullable CancellationSignal cancel, int flags, @NonNull AuthenticationCallback callback, Handler handler) } int flags,

  24. FingerprintManager.authenticate() package android.hardware.fingerprint; public class FingerprintManager { public boolean isHardwareDetected()

    public boolean hasEnrolledFingerprints() public void authenticate(@Nullable CryptoObject crypto, @Nullable CancellationSignal cancel, int flags, @NonNull AuthenticationCallback callback, Handler handler) } Handler handler

  25. CryptoObject package android.hardware.fingerprint; public class FingerprintManager { public boolean isHardwareDetected()

    public boolean hasEnrolledFingerprints() public void authenticate(@Nullable CryptoObject crypto, @Nullable CancellationSignal cancel, int flags, @NonNull AuthenticationCallback callback, Handler handler) } @Nullable CryptoObject crypto

  26. CryptoObject package android.hardware.fingerprint; public class FingerprintManager { public static final

    class CryptoObject { public CryptoObject(@NonNull Signature signature) {…} public CryptoObject(@NonNull Cipher cipher) {…} public CryptoObject(@NonNull Mac mac) {…} public Signature getSignature() {…} public Cipher getCipher() {…} public Mac getMac() {…} } } public static final class CryptoObject { public CryptoObject(@NonNull Signature signature) {…} public CryptoObject(@NonNull Cipher cipher) {…} public CryptoObject(@NonNull Mac mac) {…} public java.security.Signature getSignature() {…} public javax.crypto.Cipher getCipher() {…} public javax.crypto.Mac getMac() {…} }

  27. FingerprintManager.authenticate() package android.hardware.fingerprint; public class FingerprintManager { public boolean isHardwareDetected()

    public boolean hasEnrolledFingerprints() public void authenticate(@Nullable CryptoObject crypto, @Nullable CancellationSignal cancel, int flags, @NonNull AuthenticationCallback callback, Handler handler) } @NonNull AuthenticationCallback callback

  28. FingerprintManager.authenticate() package android.hardware.fingerprint; public class FingerprintManager { public static abstract

    class AuthenticationCallback { public void onAuthenticationError(int errorCode, CharSequence errString) public void onAuthenticationHelp(int helpCode, CharSequence helpString) public void onAuthenticationFailed() public void onAuthenticationSucceeded(AuthenticationResult result) } } AuthenticationCallback onAuthenticationError

  29. FingerprintManager.authenticate() package android.hardware.fingerprint; public class FingerprintManager { public static abstract

    class AuthenticationCallback { public void onAuthenticationError(int errorCode, CharSequence errString) public void onAuthenticationHelp(int helpCode, CharSequence helpString) public void onAuthenticationFailed() public void onAuthenticationSucceeded(AuthenticationResult result) } } AuthenticationCallback onAuthenticationHelp

  30. FingerprintManager.authenticate() package android.hardware.fingerprint; public class FingerprintManager { public static abstract

    class AuthenticationCallback { public void onAuthenticationError(int errorCode, CharSequence errString) public void onAuthenticationHelp(int helpCode, CharSequence helpString) public void onAuthenticationFailed() public void onAuthenticationSucceeded(AuthenticationResult result) } } AuthenticationCallback onAuthenticationFailed

  31. FingerprintManager.authenticate() package android.hardware.fingerprint; public class FingerprintManager { public static abstract

    class AuthenticationCallback { public void onAuthenticationError(int errorCode, CharSequence errString) public void onAuthenticationHelp(int helpCode, CharSequence helpString) public void onAuthenticationFailed() public void onAuthenticationSucceeded(AuthenticationResult result) } } AuthenticationCallback onAuthenticationSucceeded(AuthenticationResult result)

  32. FingerprintManager.authenticate() package android.hardware.fingerprint; public class FingerprintManager { public static class

    AuthenticationResult { public CryptoObject getCryptoObject() } } public static class AuthenticationResult { public CryptoObject getCryptoObject() }

  33. CryptoObject package android.hardware.fingerprint; public class FingerprintManager { public static final

    class CryptoObject { public CryptoObject(@NonNull Signature signature) {…} public CryptoObject(@NonNull Cipher cipher) {…} public CryptoObject(@NonNull Mac mac) {…} public Signature getSignature() {…} public Cipher getCipher() {…} public Mac getMac() {…} } } public static final class CryptoObject { public CryptoObject(@NonNull Signature signature) {…} public CryptoObject(@NonNull Cipher cipher) {…} public CryptoObject(@NonNull Mac mac) {…} public java.security.Signature getSignature() {…} public javax.crypto.Cipher getCipher() {…} public javax.crypto.Mac getMac() {…} }

  34. AndroidX FingerprintManagerCompat package androidx.core.hardware.fingerprint; public class FingerprintManagerCompat { … }

    implementation "androidx.core:core:$androidx_core_version"

  35. AndroidX FingerprintManagerCompat package androidx.core.hardware.fingerprint; public class FingerprintManagerCompat { … }

    DEPRECATED implementation "androidx.core:core:$androidx_core_version"

  36. BIOMETRIC PROMPT APIS - API 28+ package android.hardware.biometrics; public class

    BiometricPrompt { public static class Builder { public Builder(Context) public Builder setTitle(CharSequence) public Builder setSubtitle(CharSequence) public Builder setDescription(CharSequence) public Builder setNegativeButton(CharSequence) public Builder setConfirmationRequired(boolean) !" API 29 public Builder setDeviceCredentialAllowed(boolean) !" API 29 public BiometricPrompt build() } public void authenticate(@NonNull CryptoObject crypto, @NonNull CancellationSignal cancel, @NonNull Executor executor, @NonNull AuthenticationCallback callback) }

  37. BIOMETRIC PROMPT APIS - API 28+ package android.hardware.biometrics; public class

    BiometricPrompt { public static class Builder { public Builder(Context) public Builder setTitle(CharSequence) public Builder setSubtitle(CharSequence) public Builder setDescription(CharSequence) public Builder setNegativeButton(CharSequence) public Builder setConfirmationRequired(boolean) public Builder setDeviceCredentialAllowed(boolean) public BiometricPrompt build() } public void authenticate(@NonNull CryptoObject crypto, @NonNull CancellationSignal cancel, @NonNull Executor executor, @NonNull AuthenticationCallback callback) } public BiometricPrompt build()

  38. BIOMETRIC PROMPT APIS - API 28+ package android.hardware.biometrics; public class

    BiometricPrompt { public static class Builder { public Builder(Context) public Builder setTitle(CharSequence) public Builder setSubtitle(CharSequence) public Builder setDescription(CharSequence) public Builder setNegativeButton(CharSequence) public Builder setConfirmationRequired(boolean) public Builder setDeviceCredentialAllowed(boolean) public BiometricPrompt build() } public void authenticate(@NonNull CryptoObject crypto, @NonNull CancellationSignal cancel, @NonNull Executor executor, @NonNull AuthenticationCallback callback) } @NonNull Executor executor, authenticate(

  39. BIOMETRIC PROMPT APIS - API 28+ package android.hardware.biometrics; public class

    BiometricPrompt { public static class Builder { public Builder(Context) public Builder setTitle(CharSequence) public Builder setSubtitle(CharSequence) public Builder setDescription(CharSequence) public Builder setNegativeButton(CharSequence) public Builder setConfirmationRequired(boolean) public Builder setDeviceCredentialAllowed(boolean) public BiometricPrompt build() } public void authenticate(@NonNull CryptoObject crypto, @NonNull CancellationSignal cancel, @NonNull Executor executor, @NonNull AuthenticationCallback callback) } authenticate(

  40. BIOMETRIC PROMPT APIS - API 28+ package android.hardware.biometrics; public class

    BiometricPrompt { public static class Builder { public Builder(Context) public Builder setTitle(CharSequence) public Builder setSubtitle(CharSequence) public Builder setDescription(CharSequence) public Builder setNegativeButton(CharSequence) public Builder setConfirmationRequired(boolean) !" API 29+ public Builder setDeviceCredentialAllowed(boolean) !" API 29+ public BiometricPrompt build() } public void authenticate(@NonNull CryptoObject crypto, @NonNull CancellationSignal cancel, @NonNull Executor executor, @NonNull AuthenticationCallback callback) }

  41. BIOMETRIC PROMPT APIS - API 29+ package android.hardware.biometrics; public class

    BiometricManager { @IntDef({BIOMETRIC_SUCCESS, BIOMETRIC_ERROR_HW_UNAVAILABLE, BIOMETRIC_ERROR_NONE_ENROLLED, BIOMETRIC_ERROR_NO_HARDWARE}) @interface BiometricError {} public @BiometricError int canAuthenticate() }

  42. BIOMETRIC PROMPT APIS if (VERSION.SDK_INT )* VERSION_CODES.Q) { val biometricManager

    = this.getSystemService(BiometricManager'(class.java) when (biometricManager.canAuthenticate()) { !" Suppress biometric UI BIOMETRIC_ERROR_NO_HARDWARE, BIOMETRIC_ERROR_HW_UNAVAILABLE ./ suppressBiometrics() !" ask user to Enroll BIOMETRIC_ERROR_NONE_ENROLLED ./ startActivity(Intent(ACTION_FINGERPRINT_ENROLL)) !" Use biometrics BIOMETRIC_SUCCESS ./ { val biometricPrompt = BiometricPrompt.Builder(this) .setTitle("Login") .build() biometricPrompt.authenticate(+,-) } } }

  43. CHALLENGES • FingerprintManager • API 23+ • No UI provided

    • no Iris or Face Auth • BiometricPrompt • API 28+ • Provides a UI • BiometricManager.canAuthenticate() only API 29+

  44. androidx.biometric - API 14+ implementation "androidx.biometric:biometric:1.0.0-rc02"

  45. androidx.biometric - API 14+ val biometricManager = BiometricManager.from(context) when (biometricManager.canAuthenticate())

    { !" Suppress biometric UI BIOMETRIC_ERROR_NO_HARDWARE, BIOMETRIC_ERROR_HW_UNAVAILABLE ./ suppressBiometrics() !" ask user to Enroll BIOMETRIC_ERROR_NONE_ENROLLED ./ startActivity(Intent(ACTION_FINGERPRINT_ENROLL)) !" Use biometrics BIOMETRIC_SUCCESS ./ { val promptInfo = BiometricPrompt.PromptInfo.Builder() .setTitle("Login") .build() val biometricPrompt = BiometricPrompt(fragmentActivity, executor, authenticationCallback) biometricPrompt.authenticate(promptInfo, cryptoObject) } } BiometricManager.from(context)

  46. androidx.biometric - API 14+ val biometricManager = BiometricManager.from(context) when (biometricManager.canAuthenticate())

    { !" Suppress biometric UI BIOMETRIC_ERROR_NO_HARDWARE, BIOMETRIC_ERROR_HW_UNAVAILABLE ./ suppressBiometrics() !" ask user to Enroll BIOMETRIC_ERROR_NONE_ENROLLED ./ startActivity(Intent(ACTION_FINGERPRINT_ENROLL)) !" Use biometrics BIOMETRIC_SUCCESS ./ { val promptInfo = BiometricPrompt.PromptInfo.Builder() .setTitle("Login") .build() val biometricPrompt = BiometricPrompt(fragmentActivity, executor, authenticationCallback) biometricPrompt.authenticate(promptInfo, cryptoObject) } } biometricManager.canAuthenticate()

  47. androidx.biometric - API 14+ val biometricManager = BiometricManager.from(context) when (biometricManager.canAuthenticate())

    { !" Suppress biometric UI BIOMETRIC_ERROR_NO_HARDWARE, BIOMETRIC_ERROR_HW_UNAVAILABLE ./ suppressBiometrics() !" ask user to Enroll BIOMETRIC_ERROR_NONE_ENROLLED ./ startActivity(Intent(ACTION_FINGERPRINT_ENROLL)) !" Use biometrics BIOMETRIC_SUCCESS ./ { val promptInfo = BiometricPrompt.PromptInfo.Builder() .setTitle("Login") .build() val biometricPrompt = BiometricPrompt(fragmentActivity, executor, authenticationCallback) biometricPrompt.authenticate(promptInfo, cryptoObject) } } BiometricPrompt.PromptInfo.Builder()

  48. androidx.biometric - API 14+ val biometricManager = BiometricManager.from(context) when (biometricManager.canAuthenticate())

    { !" Suppress biometric UI BIOMETRIC_ERROR_NO_HARDWARE, BIOMETRIC_ERROR_HW_UNAVAILABLE ./ suppressBiometrics() !" ask user to Enroll BIOMETRIC_ERROR_NONE_ENROLLED ./ startActivity(Intent(ACTION_FINGERPRINT_ENROLL)) !" Use biometrics BIOMETRIC_SUCCESS ./ { val promptInfo = BiometricPrompt.PromptInfo.Builder() .setTitle("Login") .build() val biometricPrompt = BiometricPrompt(fragmentActivity, executor, authenticationCallback) biometricPrompt.authenticate(promptInfo, cryptoObject) } } BiometricPrompt(fragmentActivity,

  49. androidx.biometric - API 14+ val biometricManager = BiometricManager.from(context) when (biometricManager.canAuthenticate())

    { !" Suppress biometric UI BIOMETRIC_ERROR_NO_HARDWARE, BIOMETRIC_ERROR_HW_UNAVAILABLE ./ suppressBiometrics() !" ask user to Enroll BIOMETRIC_ERROR_NONE_ENROLLED ./ startActivity(Intent(ACTION_FINGERPRINT_ENROLL)) !" Use biometrics BIOMETRIC_SUCCESS ./ { val promptInfo = BiometricPrompt.PromptInfo.Builder() .setTitle("Login") .build() val biometricPrompt = BiometricPrompt(fragmentActivity, executor, authenticationCallback) biometricPrompt.authenticate(promptInfo, cryptoObject) } } biometricPrompt.authenticate(

  50. API 23 API 29

  51. None

  52. API 28 API 28 API 28

  53. hasSystemFeature() !" API 24 context.getPackageManager().hasSystemFeature(FEATURE_FINGERPRINT) !" API 29 context.getPackageManager().hasSystemFeature(FEATURE_IRIS) !"

    API 29 context.getPackageManager().hasSystemFeature(FEATURE_FACE)

  54. CryptoObject package android.hardware.fingerprint; public class FingerprintManager { public static final

    class CryptoObject { public CryptoObject(@NonNull Signature signature) {…} public CryptoObject(@NonNull Cipher cipher) {…} public CryptoObject(@NonNull Mac mac) {…} public Signature getSignature() {…} public Cipher getCipher() {…} public Mac getMac() {…} } } public static final class CryptoObject { public CryptoObject(@NonNull Signature signature) {…} public CryptoObject(@NonNull Cipher cipher) {…} public CryptoObject(@NonNull Mac mac) {…} public java.security.Signature getSignature() {…} public javax.crypto.Cipher getCipher() {…} public javax.crypto.Mac getMac() {…} }

  55. KeyGenParameterSpec val keyGenerator = KeyGenerator.getInstance(KEY_ALGORITHM_AES, "AndroidKeyStore") keyGenerator.init( Builder("BiometricKey", KeyProperties.PURPOSE_ENCRYPT or

    KeyProperties.PURPOSE_DECRYPT) .setBlockModes(KeyProperties.BLOCK_MODE_GCM) .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE) .setUserAuthenticationRequired(true) .setInvalidatedByBiometricEnrollment(true) !" API 24+ .build()) keyGenerator.generateKey()

  56. KeyGenParameterSpec val keyGenerator = KeyGenerator.getInstance(KEY_ALGORITHM_AES, "AndroidKeyStore") keyGenerator.init( Builder("BiometricKey", KeyProperties.PURPOSE_ENCRYPT or

    KeyProperties.PURPOSE_DECRYPT) .setBlockModes(KeyProperties.BLOCK_MODE_GCM) .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE) .setUserAuthenticationRequired(true) .setInvalidatedByBiometricEnrollment(true) !" API 24+ .build()) keyGenerator.generateKey() "AndroidKeyStore"

  57. KeyGenParameterSpec val keyGenerator = KeyGenerator.getInstance(KEY_ALGORITHM_AES, "AndroidKeyStore") keyGenerator.init( Builder("BiometricKey", KeyProperties.PURPOSE_ENCRYPT or

    KeyProperties.PURPOSE_DECRYPT) .setBlockModes(KeyProperties.BLOCK_MODE_GCM) .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE) .setUserAuthenticationRequired(true) .setInvalidatedByBiometricEnrollment(true) !" API 24+ .build()) keyGenerator.generateKey() "BiometricKey"

  58. KeyGenParameterSpec val keyGenerator = KeyGenerator.getInstance(KEY_ALGORITHM_AES, "AndroidKeyStore") keyGenerator.init( Builder("BiometricKey", KeyProperties.PURPOSE_ENCRYPT or

    KeyProperties.PURPOSE_DECRYPT) .setBlockModes(KeyProperties.BLOCK_MODE_GCM) .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE) .setUserAuthenticationRequired(true) .setInvalidatedByBiometricEnrollment(true) !" API 24+ .build()) keyGenerator.generateKey() .setUserAuthenticationRequired(true)

  59. KeyGenParameterSpec val keyGenerator = KeyGenerator.getInstance(KEY_ALGORITHM_AES, "AndroidKeyStore") keyGenerator.init( Builder("BiometricKey", KeyProperties.PURPOSE_ENCRYPT or

    KeyProperties.PURPOSE_DECRYPT) .setBlockModes(KeyProperties.BLOCK_MODE_GCM) .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE) .setUserAuthenticationRequired(true) .setInvalidatedByBiometricEnrollment(true) !" API 24+ .build()) keyGenerator.generateKey() .setInvalidatedByBiometricEnrollment(true)

  60. KeyGenParameterSpec val keyGenerator = KeyGenerator.getInstance(KEY_ALGORITHM_AES, "AndroidKeyStore") keyGenerator.init( Builder("BiometricKey", KeyProperties.PURPOSE_ENCRYPT or

    KeyProperties.PURPOSE_DECRYPT) .setBlockModes(KeyProperties.BLOCK_MODE_GCM) .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE) .setUserAuthenticationRequired(true) .setInvalidatedByBiometricEnrollment(true) !" API 24+ .build()) keyGenerator.generateKey() .generateKey()

  61. KeyGenParameterSpec val keyGenerator = KeyGenerator.getInstance(KEY_ALGORITHM_AES, "AndroidKeyStore") keyGenerator.init( Builder("BiometricKey", KeyProperties.PURPOSE_ENCRYPT or

    KeyProperties.PURPOSE_DECRYPT) .setBlockModes(KeyProperties.BLOCK_MODE_GCM) .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE) .setUserAuthenticationRequired(true) .setInvalidatedByBiometricEnrollment(true) !" API 24+ .build()) keyGenerator.generateKey() .generateKey()

  62. CryptoObject val keyStore: KeyStore = KeyStore.getInstance("AndroidKeyStore") keyStore.load(null) 
 val key

    = keyStore.getKey("BiometricKey", null) as SecretKey val cipher: Cipher = Cipher.getInstance("AES/GCM/NoPadding") cipher.init(Cipher.DECRYPT_MODE, key) 
 val cryptoObject = BiometricPrompt.CryptoObject(cipher) "AndroidKeyStore"

  63. CryptoObject val keyStore: KeyStore = KeyStore.getInstance("AndroidKeyStore") keyStore.load(null) 
 val key

    = keyStore.getKey("BiometricKey", null) as SecretKey val cipher: Cipher = Cipher.getInstance("AES/GCM/NoPadding") cipher.init(Cipher.DECRYPT_MODE, key) 
 val cryptoObject = BiometricPrompt.CryptoObject(cipher) "BiometricKey"

  64. CryptoObject val keyStore: KeyStore = KeyStore.getInstance("AndroidKeyStore") keyStore.load(null) 
 val key

    = keyStore.getKey("BiometricKey", null) as SecretKey val cipher: Cipher = Cipher.getInstance("AES/GCM/NoPadding") cipher.init(Cipher.DECRYPT_MODE, key) 
 val cryptoObject = BiometricPrompt.CryptoObject(cipher) key key cipher cipher cryptoObject

  65. Key Attestation https://developer.android.com/training/articles/security-key-attestation 1. Key Storage: Software, TrustedEnvironment, StrongBox 2.

    User Authentication Type

  66. FILE BUGS! https://issuetracker.google.com/issues/new?component=559537

  67. DOCS • Authenticating to remote servers using the Fingerprint API

    • https://android-developers.googleblog.com/2015/10/new-in-android-samples-authenticating.html • FingerprintManager Sample: • https://github.com/android/security-samples/tree/master/FingerprintDialogKotlin • Warning, always use CryptoObject, despite the example in this doc -> • https://developer.android.com/training/sign-in/biometric-auth • BiometricPrompt Sample: • https://android.googlesource.com/platform/frameworks/support/+/refs/ heads/androidx-master-dev/samples/BiometricDemos/

  68. BIOMETRIC AUTH IMPORTANT TAKE AWAYS • Use androidx.biometric • Always

    use CryptoObject • Consult with InfoSec Professionals

  69. THANKS https://americanexpress.io/android-jobs

  70. Code samples are 
 Copyright The Android Open Source Project

    And Licensed under the Apache License, Version 2.0