Authenticators backport is broken on an API 29 Pixel 4 [170406186]

Fixed

Bug

Status Update

No update yet.

Description

ph...@monzo.com

created issue #1

Oct 9, 2020 09:43AM

On an API 29 Pixel 4 androidx.biometric.BiometricManager#canAuthenticate(Authenticators.BIOMETRIC_STRONG) returns BIOMETRIC_STATUS_UNKNOWN. I believe this is because the canAuthenticate(CryptoObject) method only works on Samsung devices - as far as I can tell it has never existed in AOSP.

Some possible solutions (there may well be reasons not to do these things):

Adding non-Samsung devices with strong face unlock to the assume_strong_biometrics_prefixes array, which is currently empty. Devices with fingerprint should be OK because they fall back to canAuthenticateWithFingerprintOrUnknown(), but I haven't actually tested this.
Attempt to create an auth-per-use key pair (setUserAuthenticationValidityDurationSeconds(-1)) in AndroidKeyStore, which fails with the following exception if the user doesn't have strong biometrics available & enrolled (I don't know if this is reliable across OEMs and API versions):

java.security.InvalidAlgorithmParameterException: java.lang.IllegalStateException: At least one biometric must be enrolled to create keys requiring user authentication for every use
        at android.security.keystore.AndroidKeyStoreKeyPairGeneratorSpi.initialize(AndroidKeyStoreKeyPairGeneratorSpi.java:349)
        at java.security.KeyPairGenerator$Delegate.initialize(KeyPairGenerator.java:697)
        at java.security.KeyPairGenerator.initialize(KeyPairGenerator.java:438)
        ...

BUILD INFO

Device type: Pixel 4
OS version: 10 (API 29)
Biometric library version: 1.1.0-beta01

STEPS TO REPRODUCE

Have API 29 Pixel 4 with face unlock turned on.
Call androidx.biometric.BiometricManager#canAuthenticate(Authenticators.BIOMETRIC_STRONG)

EXPECTED RESULTS

Receive BIOMETRIC_SUCCESS.

OBSERVED RESULTS

Receive BIOMETRIC_STATUS_UNKNOWN.

NUMBER OF TIMES YOU WERE ABLE TO REPRODUCE (e.g. 3/10)

10/10

Comments

ph...@monzo.com <ph...@monzo.com> #2Oct 9, 2020 04:01PM

Removing from wednesday's list for now since there have been no reports.

cu...@google.com <cu...@google.com> Oct 19, 2020 05:15PM

Reassigned to cu...@google.com.

cu...@google.com <cu...@google.com> Oct 21, 2020 12:25AM

Accepted by cu...@google.com.

ap...@google.com <ap...@google.com> #3Oct 21, 2020 08:33PM

Marked as fixed.

Project: platform/frameworks/support
Branch: androidx-master-dev

commit d02b8afc951f6a9e0fc8e24e19e56a06f1f60fac
Author: Curtis Belmonte <curtislb@google.com>
Date: Wed Sep 11 14:33:54 2019

Tolerate null result in BiometricPrompt fragments

The AndroidX BiometricPrompt API for onAuthenticationSucceeded requires
a non-null AuthenticationResult, so we construct one from the platform
BiometricPrompt or FingerprintManagerCompat result in BiometricFragment
and FingerprintHelperFragment, respectively, when calling this method.
However, the platform API does not guarantee that the result it provides
will be non-null, in which case the current implementation would crash.

This commit fixes the issue by creating an AuthenticationResult with
null crypto when handling a null result in either of these places. It
also adds unit tests to verify the new behavior.

Test: ./gradlew biometric:connectedAndroidTest
Fixes: 138862251
Change-Id: I540dd3b4ebdf100553b4fac609f3d928ec69ebfb

A biometric/src/androidTest/java/androidx/biometric/BiometricFragmentTest.java
A biometric/src/androidTest/java/androidx/biometric/FingerprintHelperFragmentTest.java
M biometric/src/main/java/androidx/biometric/BiometricFragment.java
M biometric/src/main/java/androidx/biometric/FingerprintHelperFragment.java

https://android-review.googlesource.com/1122743

https://goto.google.com/android-sha1/d02b8afc951f6a9e0fc8e24e19e56a06f1f60fac

ph...@monzo.com <ph...@monzo.com> #4Oct 23, 2020 08:17AM

This will fix the problem for the Pixel 4 & Pixel 4 XL, but as per #2 it's also broken for non-Samsung fingerprint devices on API 29.

[Deleted User] <[Deleted User]> #5Dec 20, 2020 02:23PM

I can see this problem on Motorola One Vision, API 29 when using Biometric 1.1.0-rc01 (I believe that on 1.1.0-beta01 worked fine). Can we reopen this bug?

re...@infinum.com <re...@infinum.com> #6Jan 7, 2021 10:16AM

I can confirm that this issue happens on Huawei Mate 20 Pro (LYA-L29) and Xiaomi Mi 9T. Both devices run on Android 10 (API level 29).

re...@infinum.com <re...@infinum.com> #7Jan 7, 2021 10:18AM

Above scenario tested with biometric library version 1.1.0-rc01