<html devsite>
<head>
<title>Biometrics</title>
<meta name="project_path" value="/_project.yaml" />
<meta name="book_path" value="/_book.yaml" />
</head>
<body>
<!--
Copyright 2018 The Android Open Source Project
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<p>
Android 9 and higher includes a <a
href="https://developer.android.com/reference/android/hardware/biometrics/BiometricPrompt"
class="external">BiometricPrompt API</a> that app developers can use to
integrate biometric authentication into their applications in a device- and
modality-agnostic fashion. Only strong biometrics can integrate with
<code>BiometricPrompt</code>. For more details, see <a
href="/security/biometric/measure#strong-weak-unlocks">Measuring Biometric
Unlock Security</a>.
</p>
<h2 id="source">Source</h2>
<p>
Android 9 only includes fingerprint integration for <a
href="https://android.googlesource.com/platform/frameworks/base/+/master/core/java/android/hardware/biometrics"
class="external">BiometricPrompt</a>. However, integrated support for other
biometric modalities is forthcoming.
</p>
<p>
In Android 9 and higher, the <a
href="https://developer.android.com/reference/android/hardware/fingerprint/FingerprintManager"
class="external">FingerprintManager</a> API is deprecated. If your bundled and
system apps use this API, update them to use <code>BiometricPrompt</code>
instead.
</p>
<h2 id="implementation">Implementation</h2>
<p>
To ensure that users and developers have a seamless biometric experience,
integrate your biometric stack with <code>BiometricPrompt</code>. Devices that
enable the <code>BiometricPrompt</code> API for any modality, including face,
fingerprint, and iris, must adhere to these <a
href="/security/biometric/measure#strong-weak-unlocks">strength
requirements</a>. If they do not meet the strength requirements, then they
cannot implement this API.
</p>
<p>
To integrate your biometric stack with <code>BiometricPrompt</code>:
</p>
<ol>
<li>Add an instance of your <code><var>Biometric</var>Manager</code> class in <code><a
href="https://android.googlesource.com/platform/frameworks/base/+/master/core/java/android/hardware/biometrics/BiometricPrompt.java"
class="external">/frameworks/base/core/java/android/hardware/biometrics/BiometricPrompt.java</a></code>.</li>
<li>Make sure your instance hooks the <code><a
href="https://android.googlesource.com/platform/frameworks/base/+/master/core/java/android/hardware/biometrics/BiometricPrompt.java#467"
class="external">authenticate()</a></code>
method that <code>BiometricPrompt</code> exposes.</li>
<li>Update the framework to honor
<a href="https://developer.android.com/reference/android/app/admin/DevicePolicyManager#KEYGUARD_DISABLE_FACE"
class="external"><code>KEYGUARD_DISABLE_*</code></a> flags for the added
biometrics.</li>
</ol>
<figure>
<img src="/security/images/biometricprompt-architecture.png"
alt="BiometricPrompt architecture">
<figcaption>
<strong>Figure 1</strong>. <code>BiometricPrompt</code>
architecture.</figcaption>
</figure>
<h2 id="hal-implementation">HAL implementation guidelines</h2>
<p>
Follow these biometric HAL guidelines to ensure that biometric data is
<strong>not leaked</strong> and is <strong>removed</strong> when a user
is removed from a device:
</p>
<ol>
<li>Make sure raw biometric data or derivatives (such as templates) are never
accessible from outside the sensor driver or secure isolated environment
(such as the TEE or Secure Element).</li>
<li>If the hardware supports it, limit hardware access to the secure isolated
environment and protect it with an SELinux policy. Make the communication
channel (such as SPI or I2C) accessible only to the secure isolated
environment with an explicit SELinux policy on all device files.</li>
<li>To prevent accidental data breaches and provide immunity to attacks, fingerprint
acquisition, enrollment, and recognition must occur inside the secure
isolated environment.</li>
<li>Store only the encrypted form of biometric data or derivatives on the file
system, even if the file system itself is encrypted.</li>
<li>To protect against replay attacks, sign biometric templates with a private,
device-specific key. For Advanced Encryption Standard (AES), at a minimum
sign a template with the absolute file-system path, group, and biometric ID
such that template files are inoperable on another device or for anyone other
than the user that enrolled them on the same device. For example, prevent
copying biometric data from a different user on the same device or from
another device.</li>
<li>Use the file system path provided by the
<code>set_active_group()</code> function or provide another way to erase all
user template data when the user is removed. It is strongly recommended that
biometric template files be stored as encrypted in the path provided. If this
is infeasible due to the storage requirements of the secure isolated
environment, add hooks to ensure removal of the data when the user is removed
or the device is wiped.</li>
</ol>
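<p>
The template binding described in guideline 5, sketched as an added example that
is not AOSP or vendor HAL code: the tag covers the absolute path, group, and
biometric ID together with the encrypted template, so a copied file fails
verification under another user, ID, or device. HMAC-SHA256 from the Python
standard library stands in for the signing primitive, and the function names,
keys, paths, and IDs are constructed for illustration.
</p>

```python
import hashlib
import hmac
import struct
from typing import Optional

TAG_LEN = 32  # size of an HMAC-SHA256 tag


def _context(path: str, group_id: int, biometric_id: int) -> bytes:
    # Length-prefix the path so the field boundaries are unambiguous.
    p = path.encode("utf-8")
    return struct.pack(">I", len(p)) + p + struct.pack(">II", group_id, biometric_id)


def seal_template(key: bytes, path: str, group_id: int, biometric_id: int,
                  ciphertext: bytes) -> bytes:
    """Append a tag covering the storage context and the encrypted template."""
    msg = _context(path, group_id, biometric_id) + ciphertext
    return ciphertext + hmac.new(key, msg, hashlib.sha256).digest()


def open_template(key: bytes, path: str, group_id: int, biometric_id: int,
                  blob: bytes) -> Optional[bytes]:
    """Return the encrypted template only if the tag verifies for this context."""
    if len(blob) < TAG_LEN:
        return None
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    msg = _context(path, group_id, biometric_id) + body
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return body if hmac.compare_digest(tag, expected) else None


def demo() -> dict:
    # Constructed sample values; a real key never leaves the secure environment.
    key_a = hashlib.sha256(b"constructed key for device A").digest()
    key_b = hashlib.sha256(b"constructed key for device B").digest()
    path10 = "/constructed/user10/templates/3.bin"
    path11 = "/constructed/user11/templates/3.bin"
    blob = seal_template(key_a, path10, 10, 3, b"constructed-ciphertext")
    flipped = bytes([blob[0] ^ 1]) + blob[1:]
    return {
        "same_context": open_template(key_a, path10, 10, 3, blob) is not None,
        "other_device": open_template(key_b, path10, 10, 3, blob) is not None,
        "other_user": open_template(key_a, path11, 11, 3, blob) is not None,
        "other_id": open_template(key_a, path10, 10, 4, blob) is not None,
        "tampered": open_template(key_a, path10, 10, 3, flipped) is not None,
    }


if __name__ == "__main__":
    print(demo())
```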
<h2 id="customization">Customization</h2>
<p>
If your device supports multiple biometrics, you can specify a default. However,
you must allow users to change their preferred biometric in Settings.
</p>
<h2 id="validation">Validation</h2>
<p>
Android 9 updated the <code>FingerprintManager</code> CTS verifier tests to
test <code>BiometricPrompt</code> via <code><a
href="https://android.googlesource.com/platform/cts/+/master/apps/CtsVerifier/src/com/android/cts/verifier/security/BiometricPromptBoundKeysTest.java">BiometricPromptBoundKeysTest</a></code>.
For other biometrics, there are no formal CTS or CTS verifier tests yet.</p>
</body>
</html>