
getGenericPassword does not require authentication if the phone's Keychain was recently unlocked from another biometric authentication event

Open ShepSims opened this issue 3 years ago • 2 comments

The opening screen of my application tries the following immediately upon launch or foregrounding

    import * as Keychain from 'react-native-keychain';

    // Read the stored credential; the prompt options are shown when the
    // item is protected by biometrics.
    const result = await Keychain.getGenericPassword({
      service: 'myapp',
      authenticationPrompt: {
        title: 'Biometric Sign In',
        subtitle: 'Confirm biometrics to continue.',
      },
    });

This works perfectly in almost all cases; however, if my app is in the foreground when the user unlocks their phone, it appears that the biometric success is persisted for a few moments, and thus they are not prompted again for their biometrics to unlock the Keychain.

Wrapping the Keychain statement in a timeout that forces the app to wait 1 second before trying to get the item from storage, as below, does fix this issue; however, I don't believe this should be necessary.

    import * as Keychain from 'react-native-keychain';

    // Workaround: delay the read by one second after launch/foregrounding.
    setTimeout(async () => {
      const result = await Keychain.getGenericPassword({
        service: 'molo',
        authenticationPrompt: {
          title: 'Biometric Sign In',
          subtitle: 'Confirm biometrics to continue.',
        },
      });
    }, 1000);

This appears to be a fairly large security flaw, and I was wondering whether anyone else had experienced it, or had any ideas as to why this is happening in the first place.

ShepSims, Apr 04 '23 23:04
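An added example, not code from react-native-keychain or from the issue author, that puts an app-side freshness check around the read described in the post above. It assumes a `keychain` object exposing `getGenericPassword(options)` and an injected `clock`, so the logic runs (and can be exercised with the constructed fakes at the bottom) outside React Native. `MIN_PROMPT_MS` is an assumed threshold for a prompt a person actually answered; a faster success is treated as the silent path the post describes, the one-second wait from the workaround is applied once, and if the retry is still silent the caller gets `'silent'` and should not sign the user in. This detects the condition on the app side; it does not change the platform's reuse window.

```javascript
// Added example (not react-native-keychain code). All names below are
// assumptions for illustration; only the authenticationPrompt shape comes
// from the issue.
const MIN_PROMPT_MS = 500;   // assumed: a prompt a human answered takes longer than this
const RETRY_DELAY_MS = 1000; // the one-second wait from the issue's workaround

const DEFAULT_PROMPT = {
  title: 'Biometric Sign In',
  subtitle: 'Confirm biometrics to continue.',
};

// Real clock for use in an app; tests inject fakeClock() instead.
const realClock = {
  now: () => Date.now(),
  sleep: (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
};

// Time one getGenericPassword call on the injected clock.
async function timedRead(keychain, options, clock) {
  const started = clock.now();
  const credentials = await keychain.getGenericPassword(options);
  return { credentials, elapsedMs: clock.now() - started };
}

// Returns { status, credentials[, reason] } where status is one of:
//   'ok'        credentials came back after a plausibly user-answered prompt
//   'silent'    credentials came back too fast, on the first read and on a delayed retry
//   'cancelled' the call resolved to false (prompt dismissed, or no item stored)
//   'error'     the call threw; the message is carried in `reason`
async function readCredentialsFresh(keychain, service, clock = realClock) {
  const options = { service, authenticationPrompt: DEFAULT_PROMPT };
  try {
    let { credentials, elapsedMs } = await timedRead(keychain, options, clock);
    if (credentials === false) return { status: 'cancelled', credentials: null };
    if (elapsedMs >= MIN_PROMPT_MS) return { status: 'ok', credentials };

    // Silent success: apply the workaround once, then re-check the timing.
    await clock.sleep(RETRY_DELAY_MS);
    ({ credentials, elapsedMs } = await timedRead(keychain, options, clock));
    if (credentials === false) return { status: 'cancelled', credentials: null };
    if (elapsedMs >= MIN_PROMPT_MS) return { status: 'ok', credentials };
    return { status: 'silent', credentials: null };
  } catch (err) {
    return { status: 'error', credentials: null, reason: String((err && err.message) || err) };
  }
}

// Constructed fake clock: time only moves when sleep() or advance() is called.
function fakeClock(start = 0) {
  let t = start;
  return {
    now: () => t,
    sleep: async (ms) => { t += ms; },
    advance: (ms) => { t += ms; },
  };
}

// Constructed fake keychain: each read "takes" the given ms on the fake clock
// (one number for every call, or one number per call) and resolves to
// `credentials`; passing an Error makes the read throw, like a lockout would.
function fakeKeychain(clock, elapsedMs, credentials) {
  const delays = [].concat(elapsedMs);
  let call = 0;
  return {
    getGenericPassword: async () => {
      const d = delays[Math.min(call, delays.length - 1)];
      call += 1;
      clock.advance(d);
      if (credentials instanceof Error) throw credentials;
      return credentials;
    },
  };
}
```

In an app the call would be `readCredentialsFresh(Keychain, 'myapp')`, and the sign-in screen would only proceed on `'ok'`; the `fakeClock`/`fakeKeychain` helpers exist so the gate can be unit-tested without a device.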

Facing the same issue. That's a really high-risk problem which should get addressed soon.

hraschan, May 02 '23 08:05

Experiencing same issue on Android!

Abhisflyingsoon, May 02 '23 08:05