* Create rule S6293
* init rspec s6293
* improve description and add java subtask
* fixes after review

Co-authored-by: eric-therond-sonarsource <eric-therond-sonarsource@users.noreply.github.com>
Co-authored-by: eric-therond-sonarsource <eric.therond@sonarsource.com>
Android comes with Android KeyStore, a secure container for storing key materials. It's possible to define certain keys to be unlocked when users authenticate using biometric credentials. This way, even if the application process is compromised, the attacker cannot access keys, as presence of the authorized user is required.
These keys can be used to encrypt, sign or create a message authentication code (MAC) as proof that the authentication result has not been tampered with. This protection defeats the scenario where an attacker with physical access to the device hooks into the application process and calls the ``++onAuthenticationSucceeded++`` method directly: without the key unlocked by a genuine authentication, the attacker is unable to extract the sensitive data or to perform the critical operations protected by the biometric authentication.
== Ask Yourself Whether
The application contains:
* Cryptographic keys / sensitive information that need to be protected using biometric authentication.
There is a risk if you answered yes to this question.
== Recommended Secure Coding Practices
It's recommended to tie the biometric authentication to a cryptographic operation by passing a ``++CryptoObject++`` (wrapping a ``++Cipher++``, ``++Signature++`` or ``++Mac++`` backed by an Android KeyStore key that requires user authentication) to the authentication call, and to perform the sensitive operation only with the object returned in the authentication result.
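The following Java snippet is an added example and is not part of rule S6293 or of the SonarSource rspec repository. It contrasts a prompt whose success callback is trusted on its own with one whose callback can only act through a ``++CryptoObject++`` bound to a KeyStore key that needs a fresh biometric authentication per use. The key alias ``++example-biometric-key++``, the prompt strings and the ``++"secret"++`` payload are constructed for illustration; every other identifier is a real ``++androidx.biometric++`` or Android KeyStore API.

```java
// Added example: not code from rule S6293 or the rspec repository.
// KEY_ALIAS, the prompt text and the "secret" payload are constructed values.
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import androidx.biometric.BiometricManager;
import androidx.biometric.BiometricPrompt;
import androidx.core.content.ContextCompat;
import androidx.fragment.app.FragmentActivity;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class BiometricCryptoExample {
    private static final String KEY_ALIAS = "example-biometric-key"; // assumed alias

    // Generate an AES key inside Android KeyStore that the hardware only releases
    // after a strong biometric authentication, once per operation (API 30+ builder calls).
    static void generateKey() throws Exception {
        KeyGenerator generator = KeyGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        generator.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setUserAuthenticationRequired(true)
                // timeout 0 = "auth per use": each Cipher must be authorized by its own prompt
                .setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG)
                // new fingerprint/face enrollments permanently invalidate the key
                .setInvalidatedByBiometricEnrollment(true)
                .build());
        generator.generateKey();
    }

    // Prepare a Cipher on the protected key; the key material never leaves the KeyStore.
    static Cipher initEncryptCipher() throws Exception {
        KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
        keyStore.load(null);
        SecretKey key = (SecretKey) keyStore.getKey(KEY_ALIAS, null);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key);
        return cipher;
    }

    static BiometricPrompt.PromptInfo promptInfo() {
        return new BiometricPrompt.PromptInfo.Builder()
                .setTitle("Confirm it is you")          // constructed text
                .setNegativeButtonText("Cancel")         // constructed text
                .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG)
                .build();
    }

    // Noncompliant: success is only a callback. Code hooked into the process can call
    // onAuthenticationSucceeded directly and the secret is handed over anyway.
    static void authenticateWithoutCryptoObject(FragmentActivity activity) {
        BiometricPrompt prompt = new BiometricPrompt(activity,
                ContextCompat.getMainExecutor(activity),
                new BiometricPrompt.AuthenticationCallback() {
                    @Override
                    public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {
                        onSecretAvailable("secret".getBytes(StandardCharsets.UTF_8));
                    }
                });
        prompt.authenticate(promptInfo());
    }

    // Compliant: the Cipher travels with the prompt and is authorized by the KeyStore only
    // when the biometric actually succeeded. Invoking the callback by hand yields a null
    // CryptoObject or a Cipher whose key is still locked, so doFinal fails instead of leaking.
    static void authenticateWithCryptoObject(FragmentActivity activity) throws Exception {
        Cipher cipher = initEncryptCipher();
        BiometricPrompt prompt = new BiometricPrompt(activity,
                ContextCompat.getMainExecutor(activity),
                new BiometricPrompt.AuthenticationCallback() {
                    @Override
                    public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {
                        BiometricPrompt.CryptoObject crypto = result.getCryptoObject();
                        if (crypto == null || crypto.getCipher() == null) {
                            return; // not a result produced by our prompt: do nothing
                        }
                        try {
                            byte[] ciphertext = crypto.getCipher()
                                    .doFinal("secret".getBytes(StandardCharsets.UTF_8));
                            onSecretAvailable(ciphertext); // only reachable after a real unlock
                        } catch (Exception e) {
                            // KeyStore refused the operation (key not unlocked, invalidated, ...)
                        }
                    }
                });
        prompt.authenticate(promptInfo(), new BiometricPrompt.CryptoObject(cipher));
    }

    private static void onSecretAvailable(byte[] data) {
        // Application-specific continuation; placeholder for the example.
    }
}
```

With a per-use key the attacker described in the rule gains nothing from triggering the callback: the protected data is only ever produced by a ``++Cipher++`` that the KeyStore authorized for that single prompt, and the same pattern applies to a ``++Signature++`` or ``++Mac++`` wrapped in the ``++CryptoObject++``.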