Authenticators backport is broken on an API 29 Pixel 4 [170406186]

Fixed

Bug

Status Update

No update yet.

Description

ph...@monzo.com

created issue #1

Oct 9, 2020 09:43AM

On an API 29 Pixel 4 androidx.biometric.BiometricManager#canAuthenticate(Authenticators.BIOMETRIC_STRONG) returns BIOMETRIC_STATUS_UNKNOWN. I believe this is because the canAuthenticate(CryptoObject) method only works on Samsung devices - as far as I can tell it has never existed in AOSP.

Some possible solutions (there may well be reasons not to do these things):

Adding non-Samsung devices with strong face unlock to the assume_strong_biometrics_prefixes array, which is currently empty. Devices with fingerprint should be OK because they fall back to canAuthenticateWithFingerprintOrUnknown(), but I haven't actually tested this.
Attempt to create an auth-per-use key pair (setUserAuthenticationValidityDurationSeconds(-1)) in AndroidKeyStore, which fails with the following exception if the user doesn't have strong biometrics available & enrolled (I don't know if this is reliable across OEMs and API versions):

java.security.InvalidAlgorithmParameterException: java.lang.IllegalStateException: At least one biometric must be enrolled to create keys requiring user authentication for every use
        at android.security.keystore.AndroidKeyStoreKeyPairGeneratorSpi.initialize(AndroidKeyStoreKeyPairGeneratorSpi.java:349)
        at java.security.KeyPairGenerator$Delegate.initialize(KeyPairGenerator.java:697)
        at java.security.KeyPairGenerator.initialize(KeyPairGenerator.java:438)
        ...

BUILD INFO

Device type: Pixel 4
OS version: 10 (API 29)
Biometric library version: 1.1.0-beta01

STEPS TO REPRODUCE

Have API 29 Pixel 4 with face unlock turned on.
Call androidx.biometric.BiometricManager#canAuthenticate(Authenticators.BIOMETRIC_STRONG)

EXPECTED RESULTS

Receive BIOMETRIC_SUCCESS.

OBSERVED RESULTS

Receive BIOMETRIC_STATUS_UNKNOWN.

NUMBER OF TIMES YOU WERE ABLE TO REPRODUCE (e.g. 3/10)

10/10

Comments

ph...@monzo.com <ph...@monzo.com> #2Oct 9, 2020 04:01PM

Update: it's also broken (returns BIOMETRIC_STATUS_UNKNOWN) for devices with fingerprint on API 29, like the Pixel 2.

This is because the current implementation of the backport sets mFingerprintManager to null on API 29, and so canAuthenticateWithFingerprint() always returns BIOMETRIC_ERROR_HW_UNAVAILABLE. I'm not sure what the reason for this is - FingerprintManagerCompat is deprecated, but as far as I can tell it still works.

cu...@google.com <cu...@google.com> Oct 19, 2020 05:15PM

Reassigned to cu...@google.com.

cu...@google.com <cu...@google.com> Oct 21, 2020 12:25AM

Accepted by cu...@google.com.

ap...@google.com <ap...@google.com> #3Oct 21, 2020 08:33PM

Marked as fixed.

Project: platform/frameworks/support
Branch: androidx-master-dev

commit afe56749a61cac436316a087de9a9229f771ee94
Author: Curtis Belmonte <curtislb@google.com>
Date: Tue Oct 20 17:18:57 2020

Assume Class 3 biometrics for Pixel 4 on API <30

Adds the Pixel 4 and Pixel 4 XL to a list of devices assumed to have
Class 3 or stronger biometrics prior to API 30. This fixes an issue
where BiometricManager#canAuthenticate(BIOMETRIC_STRONG) would return
BIOMETRIC_STATUS_UNKNOWN for these devices on API 29.

Test: Biometric integration test app on Pixel 4 (XL) API 29-30
Test: ./gradlew biometric:biometric:test
Test: ./gradlew biometric:biometric:connectedAndroidTest
Test: ./gradlew biometric:integration-tests:testapp:connectedAndroidTest

Fixes: 170406186
Change-Id: I42ad1365519e858c4683e0c63c9e6fe94d6299f1

M biometric/biometric/src/androidTest/java/androidx/biometric/DeviceUtilsTest.java
M biometric/biometric/src/main/java/androidx/biometric/DeviceUtils.java
M biometric/biometric/src/main/res/values/devices.xml

https://android-review.googlesource.com/1468055

ph...@monzo.com <ph...@monzo.com> #4Oct 23, 2020 08:17AM

This will fix the problem for the Pixel 4 & Pixel 4 XL, but as per #2 it's also broken for non-Samsung fingerprint devices on API 29.

[Deleted User] <[Deleted User]> #5Dec 20, 2020 02:23PM

I can see this problem on Motorola One Vision, API 29 when using Biometric 1.1.0-rc01 (I believe that on 1.1.0-beta01 worked fine). Can we reopen this bug?

re...@infinum.com <re...@infinum.com> #6Jan 7, 2021 10:16AM

I can confirm that this issue happens on Huawei Mate 20 Pro (LYA-L29) and Xiaomi Mi 9T. Both devices run on Android 10 (API level 29).

re...@infinum.com <re...@infinum.com> #7Jan 7, 2021 10:18AM

Above scenario tested with biometric library version 1.1.0-rc01