Rule Definition
Building an application that uses platform capabilities correctly, and that does not fail when a capability is absent, is a mandatory step for the development team. The defining characteristic of the risks in this category of rules is that the platform (iOS, Android, Windows Phone, etc.) provides a feature or capability that is documented and well understood, and the application uses it without the checks the platform documentation requires.
Starting with Android 9 (API level 28), the system provides biometric authentication dialogs (BiometricPrompt) on behalf of your app. This gives the dialog a standardized look, feel, and placement, so users gain confidence that they are authenticating against a trusted, system-owned biometric credential checker rather than a dialog drawn by the app itself.
Remediation
Always check that the device supports biometric authentication before using the BiometricPrompt API.
On Android 9 this check is made with PackageManager.hasSystemFeature(PackageManager.FEATURE_FINGERPRINT). On Android 10 (API level 29) and later, BiometricManager.canAuthenticate() is the preferred check, because it also reports whether the user has actually enrolled a biometric; the feature flag only says that fingerprint hardware is declared. If a device doesn't support biometric authentication, fall back to verifying the user's PIN, pattern, or password using KeyguardManager.createConfirmDeviceCredentialIntent(). Because hardware presence does not guarantee enrollment, the app must also handle BiometricPrompt.BIOMETRIC_ERROR_NO_BIOMETRICS (and BIOMETRIC_ERROR_HW_NOT_PRESENT) in its AuthenticationCallback and fall back there as well, rather than leaving the user without a way to authenticate.
Violation Code Sample
public class MainActivity extends AppCompatActivity
        implements NavigationView.OnNavigationItemSelectedListener {
    ...
    @Override
    public boolean onNavigationItemSelected(MenuItem item) {
        // Handle navigation view item clicks here.
        int id = item.getItemId();
        if (id == R.id.nav_register) {
            ...
            // Violation: the prompt is created without first checking that the device
            // declares any biometric hardware, so this fails on devices without it.
            mBiometricPrompt = new BiometricPrompt.Builder(this)
                    .setDescription("Description")
                    .setTitle("Title")
                    .setSubtitle("Subtitle")
                    .setNegativeButton("Cancel", getMainExecutor(), new DialogInterface.OnClickListener() {
                        @Override
                        public void onClick(DialogInterface dialogInterface, int i) {
                            Log.i(TAG, "Cancel button clicked");
                        }
                    })
                    .build();
            // getCancellationSignal() and getAuthenticationCallback() are defined elsewhere in the activity.
            CancellationSignal cancellationSignal = getCancellationSignal();
            BiometricPrompt.AuthenticationCallback authenticationCallback = getAuthenticationCallback();
        }
        ...
    }
    ...
}
Fixed Code Sample
public class MainActivity extends AppCompatActivity
        implements NavigationView.OnNavigationItemSelectedListener {
    ...
    /**
     * Before using BiometricPrompt, check the system features to ensure that the device
     * supports fingerprint, iris, or face authentication.
     * On Android 9 (API 28) there is no FEATURE_IRIS or FEATURE_FACE constant on PackageManager
     * (they were added in API 29), so only FEATURE_FINGERPRINT can be checked here.
     * Note that this reports declared hardware only, not whether a fingerprint is enrolled.
     * @return true if the device declares fingerprint hardware
     */
    private boolean isSupportBiometricPrompt() {
        PackageManager packageManager = this.getPackageManager();
        return packageManager.hasSystemFeature(PackageManager.FEATURE_FINGERPRINT);
    }

    @Override
    public boolean onNavigationItemSelected(MenuItem item) {
        // Handle navigation view item clicks here.
        int id = item.getItemId();
        if (id == R.id.nav_register) {
            ...
            if (isSupportBiometricPrompt()) {
                // Create the biometric prompt only when the capability is present
                mBiometricPrompt = new BiometricPrompt.Builder(this)
                        .setDescription("Description")
                        .setTitle("Title")
                        .setSubtitle("Subtitle")
                        .setNegativeButton("Cancel", getMainExecutor(), new DialogInterface.OnClickListener() {
                            @Override
                            public void onClick(DialogInterface dialogInterface, int i) {
                                Log.i(TAG, "Cancel button clicked");
                            }
                        })
                        .build();
                // getCancellationSignal() and getAuthenticationCallback() are defined elsewhere in the activity.
                CancellationSignal cancellationSignal = getCancellationSignal();
                BiometricPrompt.AuthenticationCallback authenticationCallback = getAuthenticationCallback();
            }
        }
        ...
    }
    ...
}
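The following is an added, complete example written for this page (not code from the original rule or from the Android documentation) that carries the remediation above through to the end: it performs the capability check (FEATURE_FINGERPRINT on Android 9, BiometricManager.canAuthenticate() on Android 10+), actually calls authenticate(), handles the "hardware present but nothing enrolled" case in the callback, and falls back to the device PIN, pattern or password with KeyguardManager.createConfirmDeviceCredentialIntent(). The class name BiometricGateActivity, the request code, the button and title strings, and the onUserVerified()/onUserRejected() hooks are assumptions for illustration; the manifest must declare the USE_BIOMETRIC permission and minSdkVersion must be at least 28.

```java
import android.app.Activity;
import android.app.KeyguardManager;
import android.content.DialogInterface;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.hardware.biometrics.BiometricManager;
import android.hardware.biometrics.BiometricPrompt;
import android.os.Build;
import android.os.Bundle;
import android.os.CancellationSignal;
import android.util.Log;

// Assumed manifest entry: <uses-permission android:name="android.permission.USE_BIOMETRIC"/>
public class BiometricGateActivity extends Activity {
    private static final String TAG = "BiometricGate";
    private static final int REQUEST_DEVICE_CREDENTIAL = 0x42; // assumed request code

    private CancellationSignal cancellationSignal;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        if (canUseBiometricPrompt()) {
            showBiometricPrompt();
        } else {
            fallBackToDeviceCredential();
        }
    }

    // Capability check. Android 10+ can also report enrollment via BiometricManager;
    // Android 9 only exposes the fingerprint feature flag, so enrollment is learned
    // later from the AuthenticationCallback error code.
    private boolean canUseBiometricPrompt() {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
            BiometricManager bm = getSystemService(BiometricManager.class);
            return bm != null && bm.canAuthenticate() == BiometricManager.BIOMETRIC_SUCCESS;
        }
        return getPackageManager().hasSystemFeature(PackageManager.FEATURE_FINGERPRINT);
    }

    private void showBiometricPrompt() {
        cancellationSignal = new CancellationSignal();
        BiometricPrompt prompt = new BiometricPrompt.Builder(this)
                .setTitle("Unlock account")
                .setSubtitle("Biometric authentication")
                .setDescription("Confirm your identity to continue")
                .setNegativeButton("Use PIN", getMainExecutor(), new DialogInterface.OnClickListener() {
                    @Override
                    public void onClick(DialogInterface dialog, int which) {
                        fallBackToDeviceCredential();
                    }
                })
                .build();
        prompt.authenticate(cancellationSignal, getMainExecutor(), new BiometricPrompt.AuthenticationCallback() {
            @Override
            public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {
                onUserVerified();
            }

            @Override
            public void onAuthenticationError(int errorCode, CharSequence errString) {
                switch (errorCode) {
                    case BiometricPrompt.BIOMETRIC_ERROR_HW_NOT_PRESENT:
                    case BiometricPrompt.BIOMETRIC_ERROR_NO_BIOMETRICS:   // hardware present, nothing enrolled
                    case BiometricPrompt.BIOMETRIC_ERROR_HW_UNAVAILABLE:
                        fallBackToDeviceCredential();
                        break;
                    case BiometricPrompt.BIOMETRIC_ERROR_NEGATIVE_BUTTON:
                        break; // already handled by the negative button listener
                    default:
                        Log.w(TAG, "Biometric error " + errorCode + ": " + errString);
                        onUserRejected();
                }
            }

            @Override
            public void onAuthenticationFailed() {
                // A presented biometric did not match; the system prompt stays open for a retry.
                Log.i(TAG, "Biometric not recognized");
            }
        });
    }

    // Fallback to PIN/pattern/password. createConfirmDeviceCredentialIntent() returns null
    // when no lock screen credential is configured, which must be treated as a failure.
    private void fallBackToDeviceCredential() {
        KeyguardManager km = getSystemService(KeyguardManager.class);
        Intent intent = (km == null) ? null
                : km.createConfirmDeviceCredentialIntent("Unlock account", "Enter your PIN, pattern or password");
        if (intent == null) {
            onUserRejected();
            return;
        }
        startActivityForResult(intent, REQUEST_DEVICE_CREDENTIAL);
    }

    @Override
    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        if (requestCode == REQUEST_DEVICE_CREDENTIAL) {
            if (resultCode == RESULT_OK) onUserVerified(); else onUserRejected();
        }
    }

    @Override
    protected void onStop() {
        super.onStop();
        // Cancel a pending prompt when the activity leaves the foreground.
        if (cancellationSignal != null && !cancellationSignal.isCanceled()) cancellationSignal.cancel();
    }

    private void onUserVerified() { Log.i(TAG, "user verified"); /* assumed app hook */ }
    private void onUserRejected() { Log.i(TAG, "user not verified"); /* assumed app hook */ }
}
```

The error-code branch is the part the fixed sample above does not show: FEATURE_FINGERPRINT being true does not mean a fingerprint is enrolled, so the prompt can still come back with BIOMETRIC_ERROR_NO_BIOMETRICS and the app must route the user to the device credential instead of failing closed. On Android 10 the Builder also offers setDeviceCredentialAllowed(true), which lets the system prompt itself offer the PIN/pattern/password fallback; it is deprecated again in Android 11 in favour of setAllowedAuthenticators(), so the explicit KeyguardManager fallback shown here is the path that works uniformly from API 28 upward.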
Reference
https://developer.android.com/reference/android/content/pm/PackageManager.html#FEATURE_FINGERPRINT
Related Technologies
Technical Criterion
Secure Coding - Input Validation
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.