BiometricPrompt.AuthenticationCallback tied to activity lifecycle and leak fragments when following example code. [167014923]

Fixed

Bug

Status Update

No update yet.

Description

py...@gmail.com

created issue #1

Aug 30, 2020 02:05PM

Biometric library version: 1.1.0-alpha01

This bug was reported in Mozilla Fenix, but it's actually a leak in BiometricViewModel.

Mozilla Fenix bug report: https://github.com/mozilla-mobile/fenix/issues/13477

To reproduce, follow the official Android X sample code and add the sample code to a fragment. Display the login prompt, get the fragment destroyed, the fragment is now leaking

As soon as the fragment is destroyed, the leak triggers as the fragment cannot be garbage collected because the AuthenticationCallback implementation is retained.

┬───
│ GC Root: Global variable in native code
│
├─ dalvik.system.PathClassLoader instance
│ Leaking: NO (InternalLeakCanary↓ is not leaking and A ClassLoader is never leaking)
│ ↓ PathClassLoader.runtimeInternalObjects
├─ java.lang.Object[] array
│ Leaking: NO (InternalLeakCanary↓ is not leaking)
│ ↓ Object[].[891]
├─ leakcanary.internal.InternalLeakCanary class
│ Leaking: NO (HomeActivity↓ is not leaking and a class is never leaking)
│ ↓ static InternalLeakCanary.resumedActivity
├─ org.mozilla.fenix.HomeActivity instance
│ Leaking: NO (Activity#mDestroyed is false)
│ ↓ HomeActivity.mViewModelStore
│                ~~~~~~~~~~~~~~~
├─ androidx.lifecycle.ViewModelStore instance
│ Leaking: UNKNOWN
│ ↓ ViewModelStore.mMap
│                  ~~~~
├─ java.util.HashMap instance
│ Leaking: UNKNOWN
│ ↓ HashMap.table
│           ~~~~~
├─ java.util.HashMap$Node[] array
│ Leaking: UNKNOWN
│ ↓ HashMap$Node[].[2]
│                  ~~~
├─ java.util.HashMap$Node instance
│ Leaking: UNKNOWN
│ ↓ HashMap$Node.value
│                ~~~~~
├─ androidx.biometric.BiometricViewModel instance
│ Leaking: UNKNOWN
│ ↓ BiometricViewModel.mClientCallback
│                      ~~~~~~~~~~~~~~~
├─ org.mozilla.fenix.settings.logins.fragment.SavedLoginsAuthFragment$biometricPromptCallback$1 instance
│ Leaking: UNKNOWN
│ Anonymous subclass of androidx.biometric.BiometricPrompt$AuthenticationCallback
│ ↓ SavedLoginsAuthFragment$biometricPromptCallback$1.this$0
│                                                     ~~~~~~
╰→ org.mozilla.fenix.settings.logins.fragment.SavedLoginsAuthFragment instance
 Leaking: YES (ObjectWatcher was watching this because org.mozilla.fenix.settings.logins.fragment.SavedLoginsAuthFragment received Fragment#onDestroy() callback and Fragment#mFragmentManager is null)
 key = 77a534a9-73fb-4b7e-9bb1-1c26e0064ca8
 watchDurationMillis = 9964
 retainedDurationMillis = 4964

Looking at the Android X BiometricPrompt sources, the callback is set in BiometricPrompt.init() which is called from the BiometricPrompt constructor and never unset.

    private void init(
            @Nullable FragmentActivity activity,
            @Nullable FragmentManager fragmentManager,
            @Nullable Executor executor,
            @NonNull AuthenticationCallback callback) {

        mClientFragmentManager = fragmentManager;

        if (activity != null) {
            final BiometricViewModel viewModel =
                    new ViewModelProvider(activity).get(BiometricViewModel.class);
            if (executor != null) {
                viewModel.setClientExecutor(executor);
            }
            viewModel.setClientCallback(callback);
        }
    }

So, as it stands, there is no way to clear the callback, and BiometricViewModel is always created with an activity lifecycle, so the callback always has the lifecycle of the activity. This means that currently the library will leak any fragment it's used from.

Comments

py...@gmail.com <py...@gmail.com> #2Aug 31, 2020 09:14AM

This happens to me when using pattern+fingerprint on api 29 using 1.0.1

rb...@unwire.com <rb...@unwire.com> #3Oct 14, 2020 11:24AM

happens to me on Android P using 1.0.1

ca...@gmail.com <ca...@gmail.com> #4Nov 4, 2020 09:48PM

Is there any workaround for this? Can we expect this to be fixed?

cu...@google.com <cu...@google.com> Jan 15, 2021 09:49PM

Accepted by cu...@google.com.

ap...@google.com <ap...@google.com> #5Jan 21, 2021 01:18AM

I am facing the same problem too! Is there any solution to this problem?

cu...@google.com <cu...@google.com> Jan 21, 2021 02:21AM

Marked as fixed.

di...@gmail.com <di...@gmail.com> #6Feb 9, 2021 06:08PM

Still seeing this issue on Android 10 Pixel 4.

ja...@sharesies.co.nz <ja...@sharesies.co.nz> #7Oct 6, 2022 01:04AM

Our team is facing this issue as well. What are the alternatives available right now apart from cloning the library and changing the behavior?

te...@gmail.com <te...@gmail.com> #8May 31, 2023 03:47PM

Biometric prompt is also not dismissed if user goes to different apps on API levels below 29. The same behavior is not true for API 29 and above. Is there any workaround for this?