• After 15+ years, we've made a big change: Android Forums is now Early Bird Club. Learn more here.

How and where my device store fingerprint results and matches with my next attempt ?

gptshubham595

gptshubham595

Lurker
MAIN QUESTION IS AT BOTTOM



Where my android devices stores scanned fingerprint data and in what format and how it matches with new scanned.



I also know this: :the scan of fingertip is analysed for certain control points and generates a token which is like a password hash.



It generates hash via this:



KeyStore mKeyStore;

String KEY_NAME = UUID.randomUUID().toString();

Cipher mCipher;

mKeyStore = KeyStore.getInstance("AndroidKeyStore");

keyGenerator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");



keyGenerator.init(new

KeyGenParameterSpec.Builder(KEY_NAME,

KeyProperties.PURPOSE_ENCRYPT |

KeyProperties.PURPOSE_DECRYPT)

.setBlockModes(KeyProperties.BLOCK_MODE_CBC)

.setUserAuthenticationRequired(true)

.setEncryptionPaddings(

KeyProperties.ENCRYPTION_PADDING_PKCS7)

.build());

keyGenerator.generateKey();



mCipher = Cipher.getInstance(

KeyProperties.KEY_ALGORITHM_AES + "/"

+ KeyProperties.BLOCK_MODE_CBC + "/"

+ KeyProperties.ENCRYPTION_PADDING_PKCS7);



SecretKey key = (SecretKey) mKeyStore.getKey(KEY_NAME, null);

mCipher.init(Cipher.ENCRYPT_MODE, key);

ALSO

KeyStore ks = KeyStore.getInstance("AndroidKeyStore");

ks.load(null);

KeyStore.Entry entry = ks.getEntry(alias, null);

if (!(entry instanceof PrivateKeyEntry)) {

Log.w(TAG, "Not an instance of a PrivateKeyEntry");

return null;

}



Signature s = Signature.getInstance("SHA256withECDSA");

s.initSign(((PrivateKeyEntry) entry).getPrivateKey());

s.update(data);

byte[] signature = s.sign();

boolean valid = s.verify(signature);



I have used this [URL]https://github.com/googlesamples/android-FingerprintDialog[/URL] but this only provides matching with previously recorded data.



Is editing/extracting or using this hash and storing somewhere else and try to match the newly generated hash with this while storing that security key of android(assuming same for all), is it possible OR ANY OTHERWAY ROUND?
 
Hi, and welcome!

I've moved your development-focused question to the appropriate section to help make sure it gets seen by our more technical members.

I'm not a developer, but I have studied some of the APIs and documentation. The fingerprint data is processed, stored, and compared within a trusted execution environment. You can't access it directly, you can only ask the system "hey does fingerprint match what's already stored?".

You can read the technical details here:
Android Central actually wrote a pretty good overview here:

Hope that helps!
 
codesplice said:
Hi, and welcome!

I've moved your development-focused question to the appropriate section to help make sure it gets seen by our more technical members.

I'm not a developer, but I have studied some of the APIs and documentation. The fingerprint data is processed, stored, and compared within a trusted execution environment. You can't access it directly, you can only ask the system "hey does fingerprint match what's already stored?".

You can read the technical details here:
Android Central actually wrote a pretty good overview here:

Hope that helps!
Click to expand...

One can surely see there can be a option of loop hole where fingerprint match asks for system stored ,Is'nt it?
 
gptshubham595 said:
One can surely see there can be a option of loop hole where fingerprint match asks for system stored ,Is'nt it?
Click to expand...
I'm not quite sure what you're asking. The fingerprint data only exists within that TEE, and it can't be accessed externally - by the OS, an application, or the user. Nothing on the phone knows anything about the fingerprint data except the TEE.

When you scan a fingerprint to log in, that data goes straight to the TEE to compare against the recorded known-good values. If it matches, the TEE returns 'true'; if not, it returns 'false'. The OS/app/user doesn't know anything beyond that boolean response.
 
You must log in or register to reply here.
Back
Top Bottom