Android app protection: how to protect Android's app biometric authentication


Introduction


Vulnerabilities related to authentication and authorisation have consistently been ranked within the Open Web Application Security Project (OWASP) Mobile Top 10 risks. In this article, I will be sharing my observations on Android’s app biometric authentication.


Android’s app biometric authentication works by authenticating the user against credentials stored on the device, in the Android Keystore. The Keystore serves as a storage facility for cryptographic keys and certificates. In this case, the user can authenticate using functionalities like:


· PINs or Passwords, or


· Biometrics, such as facial features, irises, or fingerprints.


Developers can also choose between two types of key material to implement and store in Keystore using biometric authentication:


1. Symmetric keys


These work like passwords. The Android Developer Guide recommends the use of symmetric keys to secure access to databases or offline files.


2. Asymmetric keys


In this case, the app generates a key pair comprising a public key and a private key. The public key can be safely sent across the internet and stored on a remote server. The private key can later be used to sign data, such that the signature can be verified using the public key. Signed data cannot be tampered with without detection, and the signature positively identifies the original author of the data. Asymmetric keys are preferred for network logins or authenticating online transactions.
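As an added example (not code from the article), here is how both kinds of key material described above can be created in AndroidKeyStore in Kotlin so that they are bound to user authentication. The aliases, the EC curve, the AES-GCM choice and the helper names are my assumptions; the final function shows the check the remote server performs with the registered public key.

```kotlin
import android.os.Build
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import java.security.KeyFactory
import java.security.KeyPairGenerator
import java.security.KeyStore
import java.security.PrivateKey
import java.security.Signature
import java.security.spec.ECGenParameterSpec
import java.security.spec.X509EncodedKeySpec
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

// Added example, not the article's code: both kinds of key material from the text,
// generated inside AndroidKeyStore and usable only after user authentication.
object BiometricKeys {
    private const val ANDROID_KEYSTORE = "AndroidKeyStore"
    const val SYMMETRIC_ALIAS = "demo_aes_key"   // assumed alias
    const val ASYMMETRIC_ALIAS = "demo_ec_key"   // assumed alias

    private fun keyStore(): KeyStore =
        KeyStore.getInstance(ANDROID_KEYSTORE).apply { load(null) }

    // Shared authentication binding: the key cannot be used until the system has
    // authenticated the user, and enrolling a new biometric invalidates it.
    private fun KeyGenParameterSpec.Builder.requireUserAuth(): KeyGenParameterSpec.Builder = apply {
        setUserAuthenticationRequired(true)
        setInvalidatedByBiometricEnrollment(true)
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
            // API 30+: a strong (class 3) biometric is needed for every single use.
            setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG)
        }
    }

    // 1. Symmetric key (AES-256/GCM): for protecting local databases or offline files.
    fun createSymmetricKey(): SecretKey {
        val spec = KeyGenParameterSpec.Builder(
            SYMMETRIC_ALIAS,
            KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
        )
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setKeySize(256)
            .requireUserAuth()
            .build()
        return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEYSTORE)
            .apply { init(spec) }
            .generateKey()
    }

    // 2. Asymmetric key pair (EC P-256): the private key never leaves the Keystore;
    // the returned public key (DER SubjectPublicKeyInfo) is what you register with the server.
    fun createAsymmetricKeyPair(): ByteArray {
        val spec = KeyGenParameterSpec.Builder(ASYMMETRIC_ALIAS, KeyProperties.PURPOSE_SIGN)
            .setAlgorithmParameterSpec(ECGenParameterSpec("secp256r1"))
            .setDigests(KeyProperties.DIGEST_SHA256)
            .requireUserAuth()
            .build()
        return KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, ANDROID_KEYSTORE)
            .apply { initialize(spec) }
            .generateKeyPair()
            .public.encoded
    }

    // Operations to wrap in BiometricPrompt.CryptoObject. Initialising them succeeds, but
    // the Keystore only completes the operation once that prompt has authenticated the user.
    // If enrolment changed since key creation, init throws KeyPermanentlyInvalidatedException:
    // delete the alias and create a fresh key.
    fun encryptOperation(): Cipher =
        Cipher.getInstance("AES/GCM/NoPadding").apply {
            init(Cipher.ENCRYPT_MODE, keyStore().getKey(SYMMETRIC_ALIAS, null) as SecretKey)
        }

    fun signOperation(): Signature =
        Signature.getInstance("SHA256withECDSA").apply {
            initSign(keyStore().getKey(ASYMMETRIC_ALIAS, null) as PrivateKey)
        }

    // What the remote server does with the registered public key: verify a signature
    // produced by signOperation() after the user authenticated (plain JCA, no Keystore needed).
    fun verifyOnServer(publicKeyDer: ByteArray, data: ByteArray, signature: ByteArray): Boolean {
        val publicKey = KeyFactory.getInstance("EC").generatePublic(X509EncodedKeySpec(publicKeyDer))
        return Signature.getInstance("SHA256withECDSA").run {
            initVerify(publicKey)
            update(data)
            verify(signature)
        }
    }
}
```

The important property is that neither key is ever available to app code as raw bytes: the app only ever holds a Cipher or Signature handle, and the Keystore refuses to finish the operation unless the system itself has authenticated the user for it.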


Biometric Authentication


While biometric authentication offers users a convenient way to prove their identities, it also introduces an additional attack surface. The Android Developer Documentation provides an interesting overview and indicators for measuring biometric security on a mobile device.


The Android platform offers three different classes for biometric authentication:


1. BiometricManager — Used on devices running Android 10 (API 29) and above, this class queries the framework’s version of BiometricManager. On Android 9.0 (API 28) and earlier versions, it queries FingerprintManagerCompat. BiometricManager can be used to verify that biometric hardware is available on the device and has been configured by the user.


2. BiometricPrompt — Introduced in Android 9.0 (API 28), it serves as a class that manages a system-provided biometric dialog. The BiometricPrompt class is a significant improvement to FingerprintManager as it provides the user interface (UI) for biometric authentication on Android and supports more sensors than just the fingerprint sensor.


3. FingerprintManager - deprecated in Android 9.0 (API 28).


[Figure: BiometricPrompt architecture, from https://source.android.com/security/biometric]

Note: This article will focus on BiometricManager and BiometricPrompt. FingerprintManager has been deprecated and will not be covered in this article.
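To show how the two classes the article focuses on fit together, here is an added Kotlin example (not from the article or the Android documentation) using the androidx.biometric library: BiometricManager checks that strong biometric hardware is present and enrolled, then BiometricPrompt authenticates the user against a Keystore-backed AES-GCM key through a CryptoObject. It assumes the key already exists under the alias shown, created with setUserAuthenticationRequired(true); the alias, the prompt strings and the class name are my assumptions.

```kotlin
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// Added example, not the article's demo app. Assumes an AES/GCM key already exists in
// AndroidKeyStore under KEY_ALIAS, generated with setUserAuthenticationRequired(true).
class BiometricUnlock(private val activity: FragmentActivity) {

    companion object {
        private const val KEY_ALIAS = "demo_aes_key"   // assumed alias
    }

    // Step 1: BiometricManager - is class 3 (strong) biometric hardware present and enrolled?
    fun canUseBiometrics(): Boolean =
        when (BiometricManager.from(activity).canAuthenticate(BIOMETRIC_STRONG)) {
            BiometricManager.BIOMETRIC_SUCCESS -> true
            // BIOMETRIC_ERROR_NONE_ENROLLED, _NO_HARDWARE, _HW_UNAVAILABLE, ...: offer the
            // device credential or keep the feature disabled rather than skipping the check.
            else -> false
        }

    // Step 2: BiometricPrompt with a CryptoObject. The decryption key lives in AndroidKeyStore
    // and only works inside an authenticated operation, so the plaintext is tied to a real
    // authentication rather than to a boolean set in the callback.
    fun unlock(ciphertext: ByteArray, iv: ByteArray, onPlaintext: (ByteArray) -> Unit) {
        val cipher = Cipher.getInstance("AES/GCM/NoPadding").apply {
            val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
            // Throws KeyPermanentlyInvalidatedException if biometrics were re-enrolled:
            // the caller should then discard the key and re-protect the data.
            init(Cipher.DECRYPT_MODE, ks.getKey(KEY_ALIAS, null) as SecretKey,
                 GCMParameterSpec(128, iv))
        }

        val callback = object : BiometricPrompt.AuthenticationCallback() {
            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                // Use the cipher handed back by the system; without an authorised
                // CryptoObject there is nothing to decrypt with, so the field stays locked.
                val authorised = result.cryptoObject?.cipher ?: return
                // doFinal also checks the GCM tag: modified ciphertext throws AEADBadTagException.
                onPlaintext(authorised.doFinal(ciphertext))
            }

            override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
                // e.g. ERROR_LOCKOUT or ERROR_USER_CANCELED: report to the user, keep locked.
            }
        }

        val promptInfo = BiometricPrompt.PromptInfo.Builder()
            .setTitle("Unlock field")
            .setSubtitle("Confirm your identity to reveal the protected text")
            .setAllowedAuthenticators(BIOMETRIC_STRONG)
            .setNegativeButtonText("Cancel")
            .build()

        BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
            .authenticate(promptInfo, BiometricPrompt.CryptoObject(cipher))
    }
}
```

Restricting the prompt to BIOMETRIC_STRONG matters because the key is created for strong biometrics only; a weaker (class 2) sensor would authenticate the prompt but the Keystore would still refuse the operation. Decrypting with the cipher from the result, rather than flipping a flag when onAuthenticationSucceeded fires, is what makes the unlock depend on the authentication itself.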


An example of a biometric authentication bypass


Research conducted by F-Secure Labs revealed that 70% of the sampled mobile applications on the Google Play store that have implemented biometric authentication can be easily bypassed. Additionally, 50% of these applications store sensitive data, which can be retrieved by attackers without valid biometric credentials. To demonstrate the potential impact of insecure biometric authentication, I have written a demo app that locks/unlocks an EditText field using one’s biometric credentials.

