
Android/iOS: Secure data still accessible after fingerprint added

Open petro-i opened this issue 3 years ago • 5 comments

Current behavior is that on adding/changing a fingerprint/faceId the securely stored data is not deleted/invalidated. So basically anyone who knows the phone password can use an app developed with this plugin, but that is not the same as knowing the password/secret of the user of the app.

When a new fingerprint is added, the securely stored data must not be accessible (key invalidated).

Please fix, because of this issue I cannot see real difference between this Plugin and local_auth.

petro-i avatar Mar 30 '21 15:03 petro-i

The difference is that this plugin encrypts data using a key which is stored in the keystore, while afaik local_auth just tells you that a user is authenticated.

I don't think your feature request is currently possible. See https://github.com/authpass/biometric_storage/issues/11#issuecomment-694551105

If you find a solution, feel free to open a PR.

hpoul avatar Mar 30 '21 16:03 hpoul

Sorry, but from a security point of view "local_auth + flutter_secure_storage == this plugin", so, no added value (( See how it should be done the right way on Android on StackOverflow; iOS is a different story.

petro-i avatar Mar 31 '21 04:03 petro-i

@totalerex feel free to do so

hpoul avatar Mar 31 '21 05:03 hpoul

Any update?

beheobong avatar Jul 13 '22 02:07 beheobong

@beheobong the only news being that after refactoring away from androidx.security I think this is actually possible, since we support per-use authentication. But it needs some good assert checks (i.e. use duration must be <= 0). Feel free to submit a PR.

hpoul avatar Jul 13 '22 07:07 hpoul
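For readers of this thread, the Android-side behaviour the two sides are discussing (the StackOverflow approach petro-i refers to, and hpoul's point that it only works with per-use authentication) looks like the following. This is an added Kotlin example written for this page, not code from the biometric_storage plugin; the key alias and the `CipherResult` type are made up for illustration. It relies only on the public `android.security.keystore` and `androidx.biometric` APIs: a key created with `setInvalidatedByBiometricEnrollment(true)` is permanently invalidated by the keystore when a new fingerprint or face is enrolled, and that flag only takes effect for keys that require authentication on every use (no positive validity duration), which is exactly the "use duration must be <= 0" check hpoul mentions.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricPrompt
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

private const val ANDROID_KEYSTORE = "AndroidKeyStore"

// Hypothetical alias used only in this example; the plugin has its own naming.
private const val KEY_ALIAS = "example_biometric_key"

/**
 * Generates an AES-256/GCM key that can only be used directly after a strong
 * biometric prompt, for one operation at a time, and that the keystore
 * permanently invalidates as soon as a new biometric is enrolled.
 * Requires API 30 for setUserAuthenticationParameters; on API 24-29 use
 * setUserAuthenticationValidityDurationSeconds(-1) for the same per-use effect.
 */
fun generateInvalidatableKey(): SecretKey {
    val spec = KeyGenParameterSpec.Builder(
        KEY_ALIAS,
        KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setKeySize(256)
        // The key is unusable unless the user has just authenticated ...
        .setUserAuthenticationRequired(true)
        // ... with a strong biometric, timeout 0 = valid for a single use only.
        // A positive validity duration here would silently disable the
        // enrollment invalidation below, which is the check hpoul refers to.
        .setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG)
        // Enrolling a new fingerprint/face invalidates this key for good (API 24+).
        .setInvalidatedByBiometricEnrollment(true)
        .build()
    val generator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEYSTORE)
    generator.init(spec)
    return generator.generateKey()
}

/** Outcome of preparing a cipher with the stored key (type made up for this example). */
sealed class CipherResult {
    /** Key is intact; hand this CryptoObject to BiometricPrompt.authenticate(). */
    data class Ready(val cryptoObject: BiometricPrompt.CryptoObject) : CipherResult()
    /** A biometric was added since the key was created; the data is gone for good. */
    object Invalidated : CipherResult()
}

/**
 * Loads the key and prepares a decryption cipher for the stored IV.
 * If a biometric was enrolled after key generation, Cipher.init() throws
 * KeyPermanentlyInvalidatedException. We then delete the dead key so the
 * ciphertext is unrecoverable and the app can fall back to its full login.
 */
fun prepareDecryptCipher(iv: ByteArray): CipherResult {
    val keyStore = KeyStore.getInstance(ANDROID_KEYSTORE).apply { load(null) }
    val key = keyStore.getKey(KEY_ALIAS, null) as SecretKey
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    return try {
        cipher.init(Cipher.DECRYPT_MODE, key, GCMParameterSpec(128, iv))
        CipherResult.Ready(BiometricPrompt.CryptoObject(cipher))
    } catch (e: KeyPermanentlyInvalidatedException) {
        keyStore.deleteEntry(KEY_ALIAS)
        CipherResult.Invalidated
    }
}

/**
 * Shows the prompt and decrypts once the user authenticated. BiometricPrompt
 * binds the authentication to the cipher inside the CryptoObject, so a caller
 * who only knows the device PIN cannot unlock the key via the prompt.
 */
fun decryptWithBiometrics(
    prompt: BiometricPrompt,
    promptInfo: BiometricPrompt.PromptInfo,
    iv: ByteArray,
    ciphertext: ByteArray,
    onPlaintext: (ByteArray) -> Unit,
    onInvalidated: () -> Unit
) {
    when (val result = prepareDecryptCipher(iv)) {
        is CipherResult.Invalidated -> onInvalidated()
        is CipherResult.Ready -> prompt.authenticate(promptInfo, result.cryptoObject)
        // The BiometricPrompt.AuthenticationCallback passed when constructing
        // `prompt` receives result.cryptoObject.cipher in onAuthenticationSucceeded
        // and calls cipher.doFinal(ciphertext) to obtain the plaintext for onPlaintext.
    }
}
```

The important design point for this thread is that invalidation is decided inside the keystore, not by the app: the app cannot be talked out of it, and the only recovery path after enrollment is to re-authenticate the user with their real credential and re-encrypt under a fresh key. The iOS analogue is the `kSecAccessControlBiometryCurrentSet` flag on a keychain item's access control, which petro-i notes is a different story.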