| <html devsite> |
| <head> |
| <title>Biometrics</title> |
| <meta name="project_path" value="/_project.yaml" /> |
| <meta name="book_path" value="/_book.yaml" /> |
| </head> |
| <body> |
| <!-- |
| Copyright 2018 The Android Open Source Project |
| |
| Licensed under the Apache License, Version 2.0 (the "License"); |
| you may not use this file except in compliance with the License. |
| You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| --> |
| <p> |
| Android 9 and higher includes a <a |
| href="https://developer.android.com/reference/android/hardware/biometrics/BiometricPrompt" |
| class="external">BiometricPrompt API</a> that app developers can use to |
| integrate biometric authentication into their applications in a device- and |
| modality-agnostic fashion. Only strong biometrics can integrate with |
| <code>BiometricPrompt</code>. For more details, see <a |
| href="/security/biometric/measure#strong-weak-unlocks">Measuring Biometric |
| Unlock Security</a>. |
| </p> |
| |
| <h2 id="source">Source</h2> |
| <p> |
| Android 9 only includes fingerprint integration for <a |
| href="https://android.googlesource.com/platform/frameworks/base/+/master/core/java/android/hardware/biometrics" |
| class="external">BiometricPrompt</a>. However, integrated support for other |
| biometric modalities is forthcoming. |
| </p> |
| <p> |
| In Android 9 and higher, the <a |
| href="https://developer.android.com/reference/android/hardware/fingerprint/FingerprintManager" |
| class="external">FingerprintManager</a> API is deprecated. If your bundled and |
| system apps use this API, update them to use <code>BiometricPrompt</code> |
| instead. |
| </p> |
| |
| <h2 id="implementation">Implementation</h2> |
| <p> |
| To ensure that users and developers have a seamless biometric experience, |
| integrate your biometric stack with <code>BiometricPrompt</code>. Devices that |
| enable the <code>BiometricPrompt</code> API for any modality, including face, |
| fingerprint, and iris, must adhere to these <a |
| href="/security/biometric/measure#strong-weak-unlocks">strength |
| requirements</a>. If they do not meet the strength requirements, then they |
| cannot implement this API. |
| </p> |
| <p> |
| To integrate your biometric stack with <code>BiometricPrompt</code>: |
| </p> |
| <ol> |
| <li>Add an instance of your <code><var>Biometric</var>Manager</code> class in <code><a |
| href="https://android.googlesource.com/platform/frameworks/base/+/master/core/java/android/hardware/biometrics/BiometricPrompt.java" |
| class="external">/frameworks/base/core/java/android/hardware/biometrics/BiometricPrompt.java</a></code></li> |
| <li>Make sure your instance hooks the <code><a |
| href="https://android.googlesource.com/platform/frameworks/base/+/master/core/java/android/hardware/biometrics/BiometricPrompt.java#467" |
| class="external">authenticate()</a></code> |
| method that <code>BiometricPrompt</code> exposes.</li> |
| <li>Update the framework to honor |
| <a href="https://developer.android.com/reference/android/app/admin/DevicePolicyManager#KEYGUARD_DISABLE_FACE" |
| class="external"><code>KEYGUARD_DISABLE_*</code></a> flags for the added |
| biometrics.</li> |
| </ol> |
| <figure> |
| <img src="/security/images/biometricprompt-architecture.png" |
| alt="BiometricPrompt architecture"> |
| <figcaption> |
| <strong>Figure 1</strong>. <code>BiometricPrompt</code> |
| architecture.</figcaption> |
| </figure> |
| |
| <h2 id="hal-implementation">HAL implementation guidelines</h2> |
| <p> |
| Follow these biometric HAL guidelines to ensure that biometric data is |
| <strong>not leaked</strong> and is <strong>removed</strong> when a user |
| is removed from a device: |
| </p> |
| <ol> |
| <li>Make sure raw biometric data or derivatives (such as templates) are never |
| accessible from outside the sensor driver or secure isolated environment |
| (such as the TEE or Secure Element).</li> |
| <li>If the hardware supports it, limit hardware access to the secure isolated |
| environment and protect it with an SELinux policy. Make the communication |
| channel (such as SPI or I2C) accessible only to the secure isolated |
| environment with an explicit SELinux policy on all device files.</li> |
| <li>To prevent accidental data breaches and provide immunity to attacks, fingerprint |
| acquisition, enrollment, and recognition must occur inside the secure |
| isolated environment.</li> |
| <li>Store only the encrypted form of biometric data or derivatives on the file |
| system, even if the file system itself is encrypted.</li> |
| <li>To protect against replay attacks, sign biometric templates with a private, |
| device-specific key. For Advanced Encryption Standard (AES), at a minimum |
| sign a template with the absolute file-system path, group, and biometric ID |
| such that template files are inoperable on another device or for anyone other |
| than the user that enrolled them on the same device. For example, prevent |
| copying biometric data from a different user on the same device or from |
| another device.</li> |
| <li>Use the file system path provided by the |
| <code>set_active_group()</code> function or provide another way to erase all |
| user template data when the user is removed. It is strongly recommended that |
| biometric template files be stored as encrypted in the path provided. If this |
| is infeasible due to the storage requirements of the secure isolated |
| environment, add hooks to ensure removal of the data when the user is removed |
| or the device is wiped.</li> |
| </ol> |
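<p>
The template binding from guideline 5, as an added example that is not AOSP or
vendor HAL code. It uses HMAC-SHA256 from the Python standard library as a
stand-in for the signing primitive of the secure isolated environment, and the
function names, key, paths, group, and ID values are all hypothetical,
constructed samples.
</p>

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # size of an HMAC-SHA256 tag in bytes


def _context(path: str, group_id: int, biometric_id: int) -> bytes:
    """Encode path, group and biometric ID unambiguously (length-prefixed path)."""
    raw_path = path.encode("utf-8")
    return (struct.pack("!I", len(raw_path)) + raw_path
            + struct.pack("!II", group_id, biometric_id))


def _tag(key: bytes, ctx: bytes, body: bytes) -> bytes:
    return hmac.new(key, ctx + body, hashlib.sha256).digest()


def seal_template(key, encrypted_template, path, group_id, biometric_id):
    """Append a tag covering the template and where/for whom it was enrolled."""
    ctx = _context(path, group_id, biometric_id)
    return encrypted_template + _tag(key, ctx, encrypted_template)


def open_template(key, blob, path, group_id, biometric_id):
    """Return the encrypted template only if key, path, group and ID all match."""
    if TAG_LEN > len(blob):
        raise ValueError("blob too short to carry a tag")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = _tag(key, _context(path, group_id, biometric_id), body)
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("template is not bound to this device, user or path")
    return body


def is_usable(key, blob, path, group_id, biometric_id) -> bool:
    try:
        open_template(key, blob, path, group_id, biometric_id)
        return True
    except ValueError:
        return False


# Constructed sample values; a real key never leaves the secure environment.
DEVICE_KEY = b"\x01" * 32
OTHER_DEVICE_KEY = b"\x02" * 32
PATH_USER0 = "/data/example/0/biometric/template_7"
PATH_USER10 = "/data/example/10/biometric/template_7"
SEALED = seal_template(DEVICE_KEY, b"constructed-ciphertext", PATH_USER0, 0, 7)
```

<p>
A template file copied to another user's directory or to another device fails
the check because the path, group, or key that went into the tag no longer
matches.
</p>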
| |
| <h2 id="customization">Customization</h2> |
| <p> |
| If your device supports multiple biometrics, you can specify a default. However, |
| you must allow users to change their preferred biometric in Settings. |
| </p> |
| |
| <h2 id="validation">Validation</h2> |
| <p> |
| Android 9 updated the <code>FingerprintManager</code> CTS verifier tests to |
| test <code>BiometricPrompt</code> via <code><a |
| href="https://android.googlesource.com/platform/cts/+/master/apps/CtsVerifier/src/com/android/cts/verifier/security/BiometricPromptBoundKeysTest.java">BiometricPromptBoundKeysTest</a></code>. |
| For other biometrics, there are no formal CTS or CTS verifier tests yet.</p> |
| </body> |
| </html> |
| |