diff --git a/java/ql/src/Security/CWE/CWE-287/AndroidInsecureKeys.qhelp b/java/ql/src/Security/CWE/CWE-287/AndroidInsecureKeys.qhelp
index 95257fb020c..6b3546f85f5 100644
--- a/java/ql/src/Security/CWE/CWE-287/AndroidInsecureKeys.qhelp
+++ b/java/ql/src/Security/CWE/CWE-287/AndroidInsecureKeys.qhelp
@@ -5,9 +5,9 @@
-Biometric authentication such as fingerprint recognition can be used alongside cryptographic keys stored in the Android KeyStore to protect sensitive parts of the application. However,
-when a key generated for this purpose has certain parameters set insecurely, it can allow an attacker with physical access to bypass the
-authentication check, using application hooking tools such as Frida.
+Biometric authentication, such as fingerprint recognition, can be used alongside cryptographic keys stored in the Android KeyStore to protect sensitive parts of the application. However,
+when a key generated for this purpose has certain parameters set insecurely, an attacker with physical access can bypass the
+authentication check using application hooking tools such as Frida.
KeyGenParameterSpec.Builder are set:
setUserAuthenticationRequired should be set to true; otherwise the key can be used without user authentication.setInvalidatedByBiometricEnrollment should be set to true (the default); otherwise an attacker can use the key by enrolling additional biometrics on the device.setUserAuthenticationValidityDurationSeconds, if used, should be set to -1; otherwise non-biometric (less secure) credentials can be used to access the key. setUserAuthenticationParameters is instead recommended to explicitly set both the timeout and the types of credentials that may be used.setUserAuthenticationRequired should be set to true; otherwise, the key can be used without user authentication.setInvalidatedByBiometricEnrollment should be set to true (the default); otherwise, an attacker can use the key by enrolling additional biometrics on the device.setUserAuthenticationValidityDurationSeconds, if used, should be set to -1; otherwise, non-biometric (less secure) credentials can be used to access the key. We recommend using setUserAuthenticationParameters instead to explicitly set both the timeout and the types of credentials that may be used.
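Review bot: In the third list item, the reworded sentence "We recommend using setUserAuthenticationParameters instead to explicitly set both the timeout and the types of credentials that may be used" still does not say which values are the secure ones, while every other item names a concrete setting (true, true, -1). Consider stating the recommended arguments, for example a timeout of 0 together with KeyProperties.AUTH_BIOMETRIC_STRONG, so a reader fixing an alert knows what to pass. As a smaller style point, "We recommend" switches to first person while the rest of the list uses the impersonal "should be set to"; keeping one voice across the three items would read more consistently.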