Modern Security in Android (part 4)
A fast guide to be safe
This post is related to my lastest talk about “Modern Security for Android Developers”.
Here is the list of the blogs in this series:
- Part 1 — Encryption Vol 1
- Part 2 — Encryption Vol 2
- Part 3 — Encryption Vol 3
- Part 4 — Biometric as Local Auth
- Part 5 — Native Code Modules
- Part 6 — SSL, TLS, Secure Data layer
We finish the overview of the Encryption in Android and is time to speak about how biometrics works and how to use it to your advantage.
In Android 6.0 privacy became one of the priorities for the mobile teams, in this version, Google introduced a standardized API for providers, focusing on fingerprints adding a standard for them.
In the first volume of this serial, we speak about Trusted Execution Environments (TEE), these spaces are part of every modern smartphone, this means that the biometric information is encrypted and stored in a separate part of the phone, completely inaccessible to the regular operating system. Making the biometric data unexportable, we can ask the TEE to authenticate the identity of our users, but the biometric data is not accessible, or injectable, making the biometrics a local authentication form.
Phones have evolved and now Android includes face and fingerprint biometric authentication. Android can be customized to support other forms of biometric authentication, for example, iris. Inside the code, Android has a class to handle the biometric authentication called BiometricPrompt that includes Fingerprint and Face, Google has to validate that biometric implementation meets a couple of security specifications to join this class, principality it needs to have a secure architecture this means, that the biometric data should travel in a secure channel that guarantees that if the Kernel or the platform is compromised the raw biometric data will not be leaked and that data can not be injected in this secure channel, and secondly has to meet a metric called spoofability that is measured by three other metrics that are described at the Spoof Acceptance Rate Guide (SAR) to measure how resilient a biometric is against a professional attacker, includes:
- False Accept Rate (FAR): Mesures how often a model mistakenly accepts a randomly chosen incorrect input.
- Imposter Accept Rate (IAR): Measures the possibility that a biometric model accepts data that mimics the original data. Imagine an Imitator of an actor or a singer with a similar face or a similar voice.
- Spoof Accept Rate (SAR): Measures the possibility that a biometric model accepts a previously recorded data.
After these tests, a biometric implementation can fall out in one of these three categories:
- Strong: SAR(Spoof Accept Rate): 0–7% FAR (False accept rate): 1/50k FRR (False rejection rate): 10%
- Weak: SAR: 7–20% FAR: 1/50k FRR: 10%
- Convenience: SAR: >20% FAR: 1/50k FRR: 10%
That even contains the fallback (in hours) to the first-ever authentication, the probability of integration with BiometricPrompt class, and the possibility of using KeyStore. There’s a full document about the falling ratio in biometric sensors here, if you want me to go deeper on sensors and calibrations systems, please leave a message at the end of this post.
BiometricPromp in Action
On Android 9 the BiometricPrompt give the developers a new way to handle FingerPrintManager (this class is already deprecated) without the need to add a new UI, BiometricPrompt permits the users to understand simple UX/UI making it a seamless experience.
To start using the BiometricPrompt class you can implement this at your gradle file, is a pretty much straight forward implementation:
dependencies {
implementation "androidx.biometric:biometric:1.0.1"
}To add a biometric prompt builder you only have to create this builder
We need to add a new listener to the actions and results of the user, that will give you Success, Failure, and Error if the user fails multiple times to authenticate the Biometric prompt will block the user for a couple of minutes till can try again, this will happen in the Error callback
If you have any problems with the implementation there is a full blog post from Sam Edwards (Sam Edwards) in his blog: https://handstandsam.com/2020/05/07/unlocking-biometric-prompt-fingerprint-face-unlock/
Adding Biometric prompt to your encryption
In the second part of this serial, we talk about the possibility of creating your own KeyPairGenerator, even if you are not using Jetpack Security, you can add the line 7 in the next gist to make sure the users has any type of security:
You can use a secret key that allows you to use the biometric credentials for a specific validity time period, during this time period, your app can perform multiple cryptographic operations without the user needing to re-authenticate, you can do this too when you create your master key for Jetpack Security
This is all for this part of the post, If you need help:
I’m always happy to help, you can find me here:
Medium: https://medium.com/@dinorahto
StackOverflow: https://stackoverflow.com/users/4613259/dinorah-tovar
Happy Coding! 👩🏻💻
