Android devices pass through biometric authentication even with passcode on unlock #518
Comments
Hi, I've come across the same behaviour when using RSA based storage. It seems that the reason (at least on the surface level) is the following line: Line 241 in 6cafc99
Is there any reason why the duration for user authentication validity is set strictly to 5? @oblador If you need, I can submit a PR with my suggestion.
Hi! Thanks again, this might be a life saver! br. Mikael
.setUserAuthenticationValidityDurationSeconds(5) seems to be deprecated in API 30, so we ended up using the new method which takes two parameters: seconds and valid auth types. We replaced the line with this:
and now it doesn't just go through biometrics with the screen unlock unless you opened the device with biometrics.
The above mentioned solution didn't really last... Is there no way to disallow screen unlock from applying to the app? It doesn't seem to limit the options to biometrics at all; you can whizz past getGeneric or getInternetCredentials with whatever opened the phone, and that's just unwanted behaviour. Scouring Android resources and trying tweaks here and there and patching the library, but nothing seems to help. Does anyone have any sort of solution?
@Vilinyexc There is no reliable way to prevent Keystore unlock after the user is authenticated by strong biometry or device credential. It is how the Keystore is implemented in Android. What we could do to sort of hack it is to add an arbitrary call to
Sounds good to try, where would you implement it? We already change some parameters in the library so a bit more wouldn't be an issue.
@Vilinyexc You basically need to use the code in this catch block https://github.com/oblador/react-native-keychain/blob/master/android/src/main/java/com/oblador/keychain/cipherStorage/CipherStorageKeystoreRsaEcb.java#L141. The change would be to run that code all the time, and not only in case of error. Make sure there is no infinite recursion though :)
Thank you! Will have to try it out :)
I found a solution for this issue: we need to always ask for permission on RSA decrypt.
Thank you @nicolas-meilan Can we merge this? :D
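To make the two fixes discussed in this thread concrete (the API 30 replacement for the 5 second validity window, and requiring authentication on every RSA decrypt), here is an added illustration of the two `KeyGenParameterSpec` variants. This is not code from react-native-keychain; the class name and key alias are hypothetical, and the per-use variant needs API 30 or later.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.security.KeyPairGenerator;

public final class AuthBoundKeySpecs {
    // Hypothetical alias for the example; not the library's own alias.
    static final String ALIAS = "example_rsa_alias";

    /** Pre-API-30 style: a 5 second validity window after ANY device unlock. */
    static KeyGenParameterSpec legacySpec() {
        return new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_DECRYPT | KeyProperties.PURPOSE_ENCRYPT)
            .setKeySize(2048)
            .setBlockModes(KeyProperties.BLOCK_MODE_ECB)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_PKCS1)
            .setUserAuthenticationRequired(true)
            // Any successful unlock (PIN, pattern, password or biometric) in the
            // last 5 seconds satisfies this, which is the pass-through seen above.
            .setUserAuthenticationValidityDurationSeconds(5)
            .build();
    }

    /** API 30+: require a strong biometric for every single use of the key. */
    static KeyGenParameterSpec perUseBiometricSpec() {
        return new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_DECRYPT | KeyProperties.PURPOSE_ENCRYPT)
            .setKeySize(2048)
            .setBlockModes(KeyProperties.BLOCK_MODE_ECB)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_PKCS1)
            .setUserAuthenticationRequired(true)
            // timeout 0 = authenticate on every use, and only a strong biometric
            // counts; a plain screen unlock no longer satisfies the key. Each
            // Cipher.init for decrypt must then go through a BiometricPrompt
            // with a CryptoObject, otherwise UserNotAuthenticatedException.
            .setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG)
            .build();
    }

    /** Generates the RSA key pair in the Android Keystore from the given spec. */
    static void generate(KeyGenParameterSpec spec) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore");
        kpg.initialize(spec);
        kpg.generateKeyPair();
    }
}
```

A key created with `legacySpec()` has to be deleted and regenerated with `perUseBiometricSpec()`; the authentication parameters are baked in at generation time and cannot be changed on an existing key.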
Hello!
So it seems that Android devices pass through the authentication event from unlocking the phone. The issue right now is that we use biometrics to lock our app, but it doesn't seem to care whether we use fingerprint or device password to open the device; everything seems to just pass through and unlock our app as well (provided the app is at least the first thing active when unlocking).
Is there any way to exert some control over this behaviour?