setInvalidatedByBiometricEnrollment does not throw exception with fingerprint added or removed


I would like to remove the stored credentials if any of the current fingerprints is removed or a new one is added after the app has set up biometrics.

Creating the key like:

private Key getKey(String KEY_ALIAS) throws GeneralSecurityException, IOException {
  KeyStore.SecretKeyEntry secretKeyEntry = (KeyStore.SecretKeyEntry) getKeyStore().getEntry(KEY_ALIAS, null);
  if (secretKeyEntry != null) {
    return secretKeyEntry.getSecretKey();
  } else if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
    KeyGenerator generator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEY_STORE);
    generator.init(new KeyGenParameterSpec.Builder(
      KEY_ALIAS,
      KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
      .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
      .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
      .setInvalidatedByBiometricEnrollment(true)
      .setRandomizedEncryptionRequired(false)
      .build()
    );
    return generator.generateKey();
  } else {
    return getAESKey(KEY_ALIAS);
  }
}

And decrypting like:

private String decryptString(String stringToDecrypt, String KEY_ALIAS) throws GeneralSecurityException, IOException {
  Log.d("biometric", "decryptString");

  byte[] encryptedData = Base64.decode(stringToDecrypt, Base64.DEFAULT);

  Cipher cipher;
  if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
    cipher = Cipher.getInstance(TRANSFORMATION);
    try {
      cipher.init(Cipher.DECRYPT_MODE, getKey(KEY_ALIAS), new GCMParameterSpec(128, FIXED_IV));
    } catch (InvalidKeyException e) {
      // KeyPermanentlyInvalidatedException is a subclass of InvalidKeyException
      this.deleteCredentials();
      e.printStackTrace();
      return null; // the cipher is not initialised; calling doFinal() here would throw IllegalStateException
    }
  } else {
    cipher = Cipher.getInstance(AES_MODE, "BC");
    try {
      cipher.init(Cipher.DECRYPT_MODE, getKey(KEY_ALIAS));
    } catch (InvalidKeyException e) {
      this.deleteCredentials();
      e.printStackTrace();
      return null; // same reason as above
    }
  }
  byte[] decryptedData = cipher.doFinal(encryptedData);
  return new String(decryptedData, "UTF-8");
}

but even with cipher.init wrapped in a try/catch block, no exception is thrown. I am testing on an emulator with SDK 30.

cipher.init(Cipher.DECRYPT_MODE, getKey(KEY_ALIAS), new GCMParameterSpec(128, FIXED_IV));

Reference: Key permanently invalidated Exception after adding/removing fingerprint

There is 1 answer

CaHa

The flag setInvalidatedByBiometricEnrollment only applies to keys that require user authentication:

Sets whether this key should be invalidated on biometric enrollment. This applies only to keys which require user authentication (see setUserAuthenticationRequired(boolean)) and if no positive validity duration has been set (see setUserAuthenticationValidityDurationSeconds(int)), meaning the key is valid for biometric authentication only.

Source: https://developer.android.com/reference/android/security/keystore/KeyGenParameterSpec.Builder#setInvalidatedByBiometricEnrollment(boolean)
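As an added example (not the asker's or CaHa's code), this is what the key generation and the decrypt-side check look like once the key is actually authentication-bound, so that cipher.init throws KeyPermanentlyInvalidatedException after a fingerprint is added or removed. It targets API 30 (the asker's emulator level) and assumes the provider name "AndroidKeyStore", the transformation "AES/GCM/NoPadding" and a per-ciphertext IV stored next to the ciphertext; the IV is generated by Keystore because randomized encryption is left at its default.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public final class BiometricBoundKey {
  private static final String ANDROID_KEY_STORE = "AndroidKeyStore";   // assumed provider name
  private static final String TRANSFORMATION = "AES/GCM/NoPadding";    // assumed transformation

  // Generates an AES-GCM key usable only right after a strong biometric
  // authentication (timeout 0). Only such a key honours
  // setInvalidatedByBiometricEnrollment(true); requires API 30+.
  static SecretKey generateBiometricBoundKey(String alias) throws Exception {
    KeyGenerator generator =
        KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEY_STORE);
    generator.init(new KeyGenParameterSpec.Builder(alias,
        KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setUserAuthenticationRequired(true)                   // without this the flag below is ignored
        .setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG) // 0 = per use, biometric only
        .setInvalidatedByBiometricEnrollment(true)
        .build());
    return generator.generateKey();
  }

  // Returns a Cipher to wrap in BiometricPrompt.CryptoObject, or null when
  // the enrolled biometrics changed; the stale alias is deleted so the
  // caller can ask the user to set up credentials again. iv is the value
  // saved when the data was encrypted.
  static Cipher initDecryptOrWipe(String alias, byte[] iv) throws Exception {
    KeyStore keyStore = KeyStore.getInstance(ANDROID_KEY_STORE);
    keyStore.load(null);
    SecretKey key = (SecretKey) keyStore.getKey(alias, null);
    if (key == null) return null;                            // nothing stored under this alias
    Cipher cipher = Cipher.getInstance(TRANSFORMATION);
    try {
      cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
    } catch (KeyPermanentlyInvalidatedException e) {
      keyStore.deleteEntry(alias);    // fingerprints changed: credentials must be re-established
      return null;
    }
    return cipher;  // doFinal() only succeeds after BiometricPrompt authenticates this CryptoObject
  }
}
```

Because the key is per-use bound, doFinal() on the returned cipher fails with UserNotAuthenticatedException unless it was passed through BiometricPrompt.CryptoObject and the user authenticated first.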