Rolland Liu Rolland Liu - 1 month ago 14
Android Question

Samsung Galaxy S7 Edge can't detect fingerprint catalog change when using Google Fingerprint API

I'm working on a project related to fingerprint and need to handle the fingerprint catalog change. I use secrete key which generated with setUserAuthenticationRequired(true) options to check the fingerprint change. The key should be irreversibly invalidated once a new fingerprint is enrolled or once\ no more fingerprints are enrolled, and attempts to initialize cryptographic operations using such keys will throw KeyPermanentlyInvalidatedException.

I found it works on Galaxy s7, but it doesn't work on on s7 edge. On s7 edge, the key is still validated when adding a new fingerprint.

Below is my code and it's from google FingerprintDialog sample application, did you see this issue before and have any solutions? Thanks!

/**
* Creates a symmetric key in the Android Key Store which can only be used after the user has
* authenticated with fingerprint.
*/
public void createKey() {
try {
mKeyStore.load(null);
mKeyGenerator.init(new KeyGenParameterSpec.Builder(KEY_NAME,
KeyProperties.PURPOSE_ENCRYPT |
KeyProperties.PURPOSE_DECRYPT)
.setBlockModes(KeyProperties.BLOCK_MODE_CBC)
// Require the user to authenticate with a fingerprint to authorize every use
// of the key
.setUserAuthenticationRequired(true)
.setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
.build());
mKeyGenerator.generateKey();
} catch (NoSuchAlgorithmException | InvalidAlgorithmParameterException
| CertificateException | IOException e) {
throw new RuntimeException(e);
}
}


/**
* Initialize the {@link Cipher} instance with the created key in the {@link #createKey()}
* method.
*/
private boolean initCipher() {
try {
mKeyStore.load(null);
SecretKey key = (SecretKey) mKeyStore.getKey(KEY_NAME, null);
mCipher.init(Cipher.ENCRYPT_MODE, key);
return true;
} catch (KeyPermanentlyInvalidatedException e) { //It should throw this exception when adding a new fingerprint, but on s7 edge, it doesn't throw
return false;
} catch (KeyStoreException | CertificateException | UnrecoverableKeyException | IOException
| NoSuchAlgorithmException | InvalidKeyException e) {
throw new RuntimeException("Failed to init Cipher", e);
}
}


Model number: SM-G935W8,
Android version: 6.0.1,
Kenel version: 3.18.14-8421152,
Build number: MMB29K. G935W8VLU1APG1,
Android security patch level: July 1, 2016

Answer

This issue has been fixed by Samsung's OS update: Kenel version: 3.18.14-9105000, Build number: MMB29K. G935W8VLU2APG1, Android security patch level: September 1, 2016

Comments