I've been working with the Android Fingerprint native APIs for a couple of days and there are two things I'm confused about. The documentation has examples but doesn't explain why we need to work this way, so please, any security guru here?
I want to understand in depth the authenticate() function of the API, or to be more specific, two of the parameters it takes: CryptoObject and Handler. It is working "perfectly" from my point of view when passing null to both of these parameters. So there are actually two questions:
Why do we need to use CryptoObject and/or Handler when calling authenticate (under what circumstances do we want to encrypt and use a non-main handler)? Maybe some examples (not even code, just use cases). Thanks in advance. Love this site.
CryptoObject lets you sign data. The keys used to sign data are stored on secure hardware (the Secure Element) on the device. Data is signed by this Secure Element. The Secure Element can only sign data when the fingerprint is recognized. Keys never leave the Secure Element. Please read this http://android-developers.blogspot.fr/2015/10/new-in-android-samples-authenticating.html
If you just want to authenticate a user, CryptoObject is unnecessary. If you want to encrypt or decrypt data with a key stored in secure storage (the secure element in hardware) then you could use CryptoObject. This secured key is available to encrypt or decrypt data only after an authentication.

Handler

You can optionally provide a Handler. If provided, FingerprintManager will use the Looper from this Handler for its inner MyHandler instance. Providing the looper allows us to define what thread to run on and to listen for message logging.
Please read this https://www.captechconsulting.com/blogs/introducing-androids-fingerprint-api
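The following is an added example (not code from either answer or from the linked posts) of the CryptoObject flow described above: an AES key is generated in AndroidKeyStore with setUserAuthenticationRequired(true), wrapped in a Cipher and passed to authenticate(), and only the Cipher handed back in onAuthenticationSucceeded can complete the encryption. The key alias and the in-memory "persist" step are assumptions for illustration.

```java
import android.hardware.fingerprint.FingerprintManager;
import android.os.CancellationSignal;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.util.Log;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public final class FingerprintCryptoExample {
    private static final String KEY_ALIAS = "example_fp_key"; // hypothetical alias for this example
    private byte[] storedIv, storedCiphertext;               // stand-in for app-specific persistence

    // Create an AES key that the keystore refuses to use until a fingerprint has been verified.
    static void generateKey() throws Exception {
        KeyGenerator gen = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        gen.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
                .setUserAuthenticationRequired(true) // per-operation authentication, no validity window
                .build());
        gen.generateKey();
    }

    // Initialise the cipher with the protected key. init() succeeds, but doFinal() will fail until the
    // fingerprint unlocks this specific operation. init() throws KeyPermanentlyInvalidatedException
    // if fingerprints were enrolled or removed since the key was created (the key must then be recreated).
    static Cipher initEncryptCipher() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        SecretKey key = (SecretKey) ks.getKey(KEY_ALIAS, null);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7Padding");
        cipher.init(Cipher.ENCRYPT_MODE, key);
        return cipher;
    }

    void authenticateAndEncrypt(FingerprintManager fm, final byte[] secret) throws Exception {
        FingerprintManager.CryptoObject crypto = new FingerprintManager.CryptoObject(initEncryptCipher());
        // Last argument is the Handler: null means callbacks are delivered on the main thread's Looper.
        fm.authenticate(crypto, new CancellationSignal(), 0, new FingerprintManager.AuthenticationCallback() {
            @Override public void onAuthenticationSucceeded(FingerprintManager.AuthenticationResult result) {
                try {
                    // With a null CryptoObject the app only gets this callback, which it cannot verify.
                    // Here the returned Cipher has been unlocked by the hardware, so doFinal() proves it.
                    Cipher unlocked = result.getCryptoObject().getCipher();
                    storedIv = unlocked.getIV();
                    storedCiphertext = unlocked.doFinal(secret);
                } catch (Exception e) { Log.w("FingerprintCryptoExample", "encrypt failed", e); }
            }
        }, null);
    }
}
```

Decrypting later follows the same pattern with Cipher.DECRYPT_MODE and an IvParameterSpec built from the stored IV, so the data is readable only after another successful authentication.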