Menu
I've tried to generate a key pair using the Google sample (BasicAndroidKeyStore). The only modification I made is setting the setUserAuthenticationRequired(true) in the KeyGenParameterSpec.Builder.
I assume it would work fine on a device with the embedded Fingerprint scanner, but running it on OnePlus One (working under Android 6.0), I get the following exception:
At least one fingerprint must be enrolled to create keys requiring user authentication for every use
The phone does have the lock screen set to use the pattern, but apparently it requires fingerprint for the authentication. Any idea how to use API 23 keystore without having the actual Fingerprint reader?
317
On modern Android devices, the fingerprint scanner is directly linked with the hardware security module.
As a result, there is now a meaningful way to provide isolated encryption that's protected - even on a rooted phone.
Check out these guidelines:
https://developer.android.com/training/articles/keystore#HardwareSecurityModule
An attacker would have to trick a user into swiping their fingerprint in order to unlock stuff... and that's only one decryption or signature per swipe.
This is "pretty good" security, but because of the API limitations and restrictions (notably the lack of ECDH!), most apps that claim to use Android's keychain system don't use the StrongBox. Even those that do won't warn the user when it's not available.
As a result, a jailbreak or zero day can compromise most app keys.
Please consider detecting enrollment, and warning your user that their data is more vulnerable on a device that does not have an enrolled hardware biometry device.
139
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
