Understanding Android Fingerprint API authenticate

Published 2019-07-27 07:02

Question:

I've been working with the native Android Fingerprint APIs for a couple of days and there are two things I'm confused about. The documentation has examples but doesn't explain why we need to work this way, so please, any security guru here?

I want to understand in depth the authenticate() function of the API, or to be more specific, two of the parameters it takes: CryptoObject and Handler. It works "perfectly" from my point of view when passing null to both of these parameters. So there are actually two questions: why do we need to use CryptoObject and/or Handler when calling authenticate (under what circumstances do we want to encode, and use a non-main handler)? Maybe some examples (not necessarily code, but use cases). Thanks in advance. Love this site.

Answer 1:

CryptoObject lets you sign data. The keys used to sign data are stored in secure hardware (Secure Element) on the device. Data is signed by this Secure Element. The Secure Element can only sign data when a fingerprint is recognized. Keys never leave the Secure Element. Please read this http://android-developers.blogspot.fr/2015/10/new-in-android-samples-authenticating.html

If you just want to authenticate a user, CryptoObject is unnecessary. If you want to encrypt or decrypt data with a key stored in secure storage (the Secure Element in hardware), then you can use CryptoObject. This secured key is available to encrypt or decrypt data only after an authentication.

Handler: You can optionally provide a Handler. If provided, FingerprintManager will use the Looper from this Handler for its inner MyHandler instance.

// FingerprintManager internals: choose the Looper that authentication callbacks are posted to
private void useHandler(Handler handler) {
    if (handler != null) {
        // Caller supplied a Handler: callbacks run on that Handler's thread
        mHandler = new MyHandler(handler.getLooper());
    } else if (mHandler.getLooper() != mContext.getMainLooper()) {
        // No Handler supplied: fall back to the main (UI) thread
        mHandler = new MyHandler(mContext.getMainLooper());
    }
}

Providing the Looper lets us define which thread the callbacks run on, and lets us listen for message logging on that Looper.

// Log every message dispatched on the main Looper (the authentication callbacks included)
Looper looper = Looper.getMainLooper();
looper.setMessageLogging(new Printer() {
    @Override
    public void println(String x) {
        Log.d(TAG, x);
    }
});
// 'this' is the FingerprintManager.AuthenticationCallback; callbacks are delivered via the Handler built on 'looper'
mFingerprintManager.authenticate(cryptoObject, mCancellationSignal, 0, this, new Handler(looper));

Please read this https://www.captechconsulting.com/blogs/introducing-androids-fingerprint-api
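Putting both parameters together, here is an added Java example (not code from the question, the answer, or the linked articles) that shows what the answer above describes: an AES key generated in the Android Keystore with setUserAuthenticationRequired(true), so the hardware will only perform the operation after a fingerprint is recognized, wrapped in a CryptoObject and passed to authenticate(); and a Handler built on a background HandlerThread, so the callbacks and the encryption itself run off the UI thread. The class and key alias names, the Callback interface, and the HandlerThread name are assumptions for the example. It needs android.permission.USE_FINGERPRINT, and FingerprintManager is deprecated from API 28 in favour of BiometricPrompt, which takes the same CryptoObject idea.

```java
// Added example, not from the original post. Names below (FingerprintCryptoExample,
// KEY_ALIAS, Callback, "fp-crypto") are assumptions chosen for illustration.
import android.content.Context;
import android.hardware.fingerprint.FingerprintManager;
import android.os.CancellationSignal;
import android.os.Handler;
import android.os.HandlerThread;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import android.util.Log;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public final class FingerprintCryptoExample {
    private static final String TAG = "FpCrypto";
    private static final String KEY_ALIAS = "example_fp_key";      // assumed alias
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String TRANSFORMATION = "AES/CBC/PKCS7Padding";

    private final FingerprintManager fingerprintManager;
    private final HandlerThread cryptoThread = new HandlerThread("fp-crypto");
    private CancellationSignal cancel;

    public FingerprintCryptoExample(Context context) {
        fingerprintManager = (FingerprintManager) context.getSystemService(Context.FINGERPRINT_SERVICE);
        cryptoThread.start();
    }

    /** Generates an AES key that the Keystore will only use after a fingerprint authentication. */
    public static void generateKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
                // Key material stays in hardware; with no validity window, every
                // single use must be preceded by a fresh user authentication.
                .setUserAuthenticationRequired(true)
                // API 24+: enrolling a new fingerprint permanently invalidates the key.
                .setInvalidatedByBiometricEnrollment(true)
                .build());
        kg.generateKey();
    }

    /** Returns a Cipher bound to the auth-gated key, or null if the key has been invalidated. */
    private static Cipher initCipher() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        SecretKey key = (SecretKey) ks.getKey(KEY_ALIAS, null);
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        try {
            cipher.init(Cipher.ENCRYPT_MODE, key);   // succeeds now; doFinal is gated on auth
            return cipher;
        } catch (KeyPermanentlyInvalidatedException e) {
            // The fingerprint set changed since the key was created: regenerate and re-enrol.
            Log.w(TAG, "key permanently invalidated", e);
            return null;
        }
    }

    public void encryptAfterFingerprint(final byte[] plaintext, final Callback done)
            throws GeneralSecurityException, IOException {
        Cipher cipher = initCipher();
        if (cipher == null) { done.onFailure("key invalidated"); return; }
        cancel = new CancellationSignal();
        // Callbacks, and the doFinal() inside them, run on cryptoThread rather than the UI thread.
        Handler handler = new Handler(cryptoThread.getLooper());
        fingerprintManager.authenticate(new FingerprintManager.CryptoObject(cipher), cancel, 0,
            new FingerprintManager.AuthenticationCallback() {
                @Override
                public void onAuthenticationSucceeded(FingerprintManager.AuthenticationResult result) {
                    try {
                        // Use the Cipher carried in the result: the Keystore has authorized
                        // exactly this operation. If this callback were reached by hooking,
                        // without a real fingerprint match, doFinal() fails in the hardware.
                        Cipher authorized = result.getCryptoObject().getCipher();
                        byte[] ciphertext = authorized.doFinal(plaintext);
                        done.onSuccess(authorized.getIV(), ciphertext);
                    } catch (GeneralSecurityException e) {
                        done.onFailure("keystore refused the operation: " + e);
                    }
                }
                @Override
                public void onAuthenticationError(int code, CharSequence msg) {
                    done.onFailure(msg.toString());
                }
            }, handler);
    }

    public void cancel() { if (cancel != null) cancel.cancel(); }

    public interface Callback {
        void onSuccess(byte[] iv, byte[] ciphertext);
        void onFailure(String reason);
    }
}
```

The point a practitioner should take from this is the difference between the two ways of using authenticate(): with a null CryptoObject, onAuthenticationSucceeded() is just a boolean signal that an attacker with code execution in the process (an instrumentation hook, a repackaged app) can trigger at will; with a CryptoObject, the secret is only reachable through a Cipher the hardware refuses to complete unless the fingerprint was really matched. The Handler matters because the work done inside the callback, here a Keystore round trip, should not block the main Looper, and because a Looper you own is one you can attach setMessageLogging() to, as in the answer above.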