Biometric authentication on Android should be tied to a cryptographic operation to prevent attackers from bypassing the authentication result.

Why is this an issue?

Android KeyStore allows defining keys that require biometric authentication before use. When BiometricPrompt.authenticate is called without a CryptoObject, the outcome of the authentication is nothing more than a callback invoked inside the application process, so the result can be tampered with. An attacker with physical access to the device could hook into the application process and call onAuthenticationSucceeded directly, bypassing the biometric check entirely.

What is the potential impact?

Authentication bypass

If biometric authentication is not tied to a cryptographic operation, an attacker with physical access to the device can bypass the authentication. This could allow unauthorized access to sensitive data or critical operations that the biometric check was meant to protect.

How to fix it

Code examples

A CryptoObject should be passed to the authenticate method to bind the biometric authentication to a cryptographic operation. The operation must use a KeyStore key that requires user authentication, and the callback must complete the operation with the cipher returned in the authentication result; that way the protected data is only released if the KeyStore actually authorized the key, regardless of who invoked the callback.

Noncompliant code example

// ...
BiometricPrompt biometricPrompt = new BiometricPrompt(activity, executor, callback);
// ...
// Only the callback carries the result: a hooked process can invoke
// onAuthenticationSucceeded itself and the app cannot tell the difference.
biometricPrompt.authenticate(promptInfo); // Noncompliant

Compliant solution

// ...
BiometricPrompt biometricPrompt = new BiometricPrompt(activity, executor, callback);
// ...
// `cipher` was initialised with an AndroidKeyStore key created with
// setUserAuthenticationRequired(true); the callback must finish the operation
// with result.getCryptoObject().getCipher() rather than any cached cipher.
biometricPrompt.authenticate(promptInfo, new BiometricPrompt.CryptoObject(cipher));
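The compliant pattern carried through end to end, as an added example that is not code from the original page: the key is created with setUserAuthenticationRequired(true), a Cipher initialised with it is wrapped in the CryptoObject, and the callback completes the encryption with the cipher returned in the result. The key alias, the FragmentActivity, and the choice of AES/CBC are assumptions.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import androidx.biometric.BiometricManager;
import androidx.biometric.BiometricPrompt;
import androidx.core.content.ContextCompat;
import androidx.fragment.app.FragmentActivity;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
public final class BoundBiometricAuth {
    private static final String KEY_ALIAS = "example_biometric_key"; // hypothetical alias
    // AES key that AndroidKeyStore will only use right after a successful biometric
    // authentication (per-operation authorization, the default when no timeout is set).
    static SecretKey createKey() throws Exception {
        KeyGenerator generator = KeyGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        generator.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
                .setUserAuthenticationRequired(true)
                .build());
        return generator.generateKey();
    }
    // Prompts for a biometric and encrypts `secret` with the cipher the prompt authorized.
    // A forged onAuthenticationSucceeded carries no authorized cipher, so doFinal throws.
    static void authenticateAndEncrypt(FragmentActivity activity, byte[] secret) throws Exception {
        KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
        keyStore.load(null);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7Padding");
        cipher.init(Cipher.ENCRYPT_MODE, (SecretKey) keyStore.getKey(KEY_ALIAS, null));
        BiometricPrompt.AuthenticationCallback callback = new BiometricPrompt.AuthenticationCallback() {
            @Override
            public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {
                try {
                    // Use only the cipher handed back in the result, never a cached copy.
                    byte[] ciphertext = result.getCryptoObject().getCipher().doFinal(secret);
                    // ciphertext (and cipher.getIV()) can now be persisted or sent on.
                } catch (Exception e) { /* key never authorized: callback invoked without a real prompt */ }
            }
        };
        BiometricPrompt prompt = new BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback);
        BiometricPrompt.PromptInfo info = new BiometricPrompt.PromptInfo.Builder()
                .setTitle("Confirm it's you").setNegativeButtonText("Cancel")
                .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG).build();
        prompt.authenticate(info, new BiometricPrompt.CryptoObject(cipher));
    }
}
```

Calling createKey() once at enrolment and authenticateAndEncrypt() on each use keeps the sensitive operation inside the KeyStore's authorization window, so hooking the callback alone yields nothing usable.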

Resources

Documentation

Standards