
Do not use this library in sensitive applications #272

Open
TheDauntless opened this issue Apr 24, 2020 · 2 comments

Comments

@TheDauntless

This library does not correctly implement fingerprint authentication. It simply verifies that a client can pass the challenge or not. As this is a client-side check, this can easily be bypassed by tampering with the application on a rooted / jailbroken device. The correct way to do it is to:

  • Create a key that is protected with the fingerprint using setUserAuthenticationRequired and then use this key to decrypt specific data (Android).
  • Create a Keychain item with the biometricAny flag and use the data of that Keychain item to continue the authentication flow (iOS)

Using this library will automatically have your application store data insecurely, as it will be stored somewhere in the application sandbox without proper encryption. This means it will be possible to extract this data from a stolen device, or it might even make it into Android / iTunes backups.

Fingerprints are backed by a hardware element that provides cryptographic operations to securely use it. When you don't use the cryptographic operations, the protection is only a fraction of what it could/should be.

See MSTG - Local authentication for more info.
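The Android half of the approach recommended above, written out as an added example (it is not code from this issue, from this library, or from any of the other react-native libraries named in the thread). It uses the AndroidX BiometricPrompt with a CryptoObject so that the secret is only ever decrypted by a Keystore key gated on setUserAuthenticationRequired(true); the key alias, the prompt strings and the convention of storing the GCM IV beside the ciphertext are assumptions of this example:

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import androidx.biometric.BiometricPrompt;
import androidx.core.content.ContextCompat;
import androidx.fragment.app.FragmentActivity;

import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/*
 * Insecure pattern described in the issue: the prompt yields a boolean and the
 * app then reads the secret from ordinary storage.
 *
 *     if (fingerprintMatched) { secret = readFromSandbox(); }   // hookable on a rooted device
 *
 * Hardened pattern: the secret is encrypted under a Keystore key that can only
 * be used right after a biometric match verified by the TEE. The app never
 * holds the key, so there is no boolean to flip and the stored blob is useless
 * on its own (including in a backup).
 */
public class BiometricSecret {
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String KEY_ALIAS = "biometric_secret_key";   // assumed alias
    private static final String TRANSFORMATION = "AES/GCM/NoPadding";
    private static final int GCM_TAG_BITS = 128;

    /** Receives the Cipher instance that BiometricPrompt authorised. */
    public interface OnAuthorized { void run(Cipher authorizedCipher) throws Exception; }

    // One-time key generation. setUserAuthenticationRequired(true) with no
    // validity duration means every single operation needs a fresh biometric match.
    public static void generateKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setUserAuthenticationRequired(true)
                .setInvalidatedByBiometricEnrollment(true) // a newly enrolled finger kills the key (API 24+)
                .build());
        kg.generateKey();
    }

    private static SecretKey loadKey() throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        return (SecretKey) ks.getKey(KEY_ALIAS, null);
    }

    // Encrypt: Keystore picks the IV; the callback must persist cipher.getIV()
    // next to the ciphertext. init() throws KeyPermanentlyInvalidatedException if
    // biometrics were re-enrolled, in which case the secret must be set up again.
    public static void encrypt(FragmentActivity activity, OnAuthorized onDone) throws Exception {
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.ENCRYPT_MODE, loadKey());
        authenticate(activity, cipher, onDone);
    }

    // Decrypt: same key, stored IV. doFinal() only succeeds on the Cipher that
    // the prompt hands back after a real match; the local instance stays unusable.
    public static void decrypt(FragmentActivity activity, byte[] iv, OnAuthorized onDone) throws Exception {
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.DECRYPT_MODE, loadKey(), new GCMParameterSpec(GCM_TAG_BITS, iv));
        authenticate(activity, cipher, onDone);
    }

    private static void authenticate(FragmentActivity activity, Cipher cipher, OnAuthorized onDone) {
        BiometricPrompt prompt = new BiometricPrompt(activity,
                ContextCompat.getMainExecutor(activity),
                new BiometricPrompt.AuthenticationCallback() {
                    @Override
                    public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {
                        try {
                            // Use the cipher from the result, not the one captured above.
                            onDone.run(result.getCryptoObject().getCipher());
                        } catch (Exception e) {
                            // Wrong IV / tampered ciphertext: GCM tag check fails, nothing is returned.
                        }
                    }
                    @Override
                    public void onAuthenticationError(int code, CharSequence msg) {
                        // Cancelled or locked out: the key was never unlocked.
                    }
                });
        BiometricPrompt.PromptInfo info = new BiometricPrompt.PromptInfo.Builder()
                .setTitle("Unlock secret")        // assumed UI strings
                .setNegativeButtonText("Cancel")
                .build();
        prompt.authenticate(info, new BiometricPrompt.CryptoObject(cipher));
    }
}
```

Typical use: call `generateKey()` once, then `encrypt(activity, c -> { byte[] ct = c.doFinal(secret); byte[] iv = c.getIV(); /* persist ct + iv */ })` to store the secret and `decrypt(activity, iv, c -> use(c.doFinal(ct)))` to read it back. The point of the design is that an attacker who patches `onAuthenticationSucceeded` or the surrounding JavaScript still cannot call `doFinal()` on a key the Keystore has not unlocked, and the blob that lands in a backup is AES-GCM ciphertext whose key never left the device.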

@SaeedZhiany
Contributor

@TheDauntless
Thanks for your information. It seems you have more specific knowledge about fingerprint authentication.

I have a question and a request:

  1. Is there a similar problem with the iOS implementation?
  2. The library maintainers suggest using LocalAuthentication due to the lack of active maintenance. Can you please check if a similar problem exists in that library too? Here is the LocalAuthentication GitHub repository.

Thanks

@Alhyoss

Alhyoss commented Apr 30, 2020

Hi @SaeedZhiany ,

  1. The issue applies to both the Android and iOS implementation. For more information about iOS secure biometric authentication, see MSTG - iOS Local Authentication.
  2. The LocalAuthentication library also appears to suffer from this issue, as well as the following libraries: react-native-fingerprint-scanner, react-native-fingerprint-android.

react-native-biometrics would be one that does provide support for secure fingerprint authentication, using the createSignature() method.
