We have an app that asks the user to enter a PinCode every time before authenticating. Now we want to integrate the authentication process with the Google Fingerprint API. We have looked at the documentation, but in all these implementations we have one trouble: we want to authenticate the user if the fingerprint returns success, but authentication on our system has to go only with the PinCode.

So, where can I save the user's PinCode securely, so that if the fingerprint returns success I can read the PinCode, decrypt it and send it to the server?

Take into account that Shared Preferences is not secure enough.

AEMLoviji
  • Save correct PIN in sharedPreferences. If Finger Print is correct, get that one? – Flummox - don't be evil SE Oct 28 '16 at 08:09
  • @Flummox, thank you but it is not secure to save data on SharedPreferences – AEMLoviji Oct 28 '16 at 08:11
  • Keeping Pincode in Shared preference is not a good idea as 1. Shared preferences can be hacked anytime. 2. Shared preferences can be cleared any time. – Shuddh Oct 28 '16 at 08:13
  • Better: when you authenticate using fingerprint, send the fingerprint data to the server, get that pincode and use it. You will have to update your system for that. – Shuddh Oct 28 '16 at 08:15
  • Nothing on a device is really secure when one has root access. Can you provide a link that shows sharedPreferences can be hacked anytime? (did not know that) – Flummox - don't be evil SE Oct 28 '16 at 08:15
  • Shared preferences are stored as XML files on Android devices, and once you have root access you can get that XML file. – Shuddh Oct 28 '16 at 08:16
  • @Flummox http://stackoverflow.com/questions/9244318/android-sharedpreference-security – Shuddh Oct 28 '16 at 08:20
  • @Shuddh , it sounds good but what do you mean send fingerprint data to server? What type of data does it contain? – AEMLoviji Oct 28 '16 at 08:20
  • I have not worked on fingerprint much. But pretty sure it will return some data. – Shuddh Oct 28 '16 at 08:24
  • see this class FingerprintManager.CryptoObject – Shuddh Oct 28 '16 at 08:24
  • @Flummox, I agree with you using Shared Preferences for this purpose. I do not see any problem if the authorization process has been correctly done. So I am going to use Shared Preferences. Additionally I can encrypt my PinCode and save it on Shared Preferences – AEMLoviji Oct 28 '16 at 10:23
  • @AEMLoviji just to know, is the pincode which you are using just related to the app and not related to any sensitive data? – Shuddh Oct 28 '16 at 13:20
  • @Shuddh, actually I use this PinCode as a part of the key that decrypts some user data on Backend. It means without PinCode the server side key will not be enough for the decrypting process – AEMLoviji Oct 28 '16 at 13:28

1 Answer

Shared Preferences is an option for this. But please read up on Shared Preferences Security if you do go for this.

As noted by user Shuddh, there are a number of ways to gain access to the Shared Preferences. I think it is a good plan to encrypt it.

Community
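
One way to follow the answer's suggestion to encrypt the PIN, combined with the `FingerprintManager.CryptoObject` class mentioned in the comments. This is an added example, not code from the question or the answer; the class name `PinVault`, the key alias and the preference key names are assumptions. The AES key lives in the Android Keystore and can only be used after a fingerprint match, so the XML file in Shared Preferences holds ciphertext only.

```java
import android.content.SharedPreferences;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.util.Base64;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Added example (hypothetical class): PIN encrypted under a fingerprint-gated Keystore key. */
public final class PinVault {
    private static final String KEY_ALIAS = "pin_key"; // assumed alias
    /** Create a non-exportable AES key that is usable only after a fingerprint match. */
    public static void createKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setUserAuthenticationRequired(true) // each use must be authorised by the sensor
                .build());
        kg.generateKey();
    }
    /** Cipher to wrap in FingerprintManager.CryptoObject; pass iv == null when storing the PIN. */
    public static Cipher cipherFor(byte[] iv) throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        SecretKey key = (SecretKey) ks.getKey(KEY_ALIAS, null);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        if (iv == null) c.init(Cipher.ENCRYPT_MODE, key); // Keystore generates the IV
        else c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        return c;
    }

    /** Call in onAuthenticationSucceeded with result.getCryptoObject().getCipher() (enrolment). */
    public static void storePin(Cipher authed, String pin, SharedPreferences prefs) throws Exception {
        byte[] ct = authed.doFinal(pin.getBytes(StandardCharsets.UTF_8));
        prefs.edit().putString("pin_ct", Base64.encodeToString(ct, Base64.NO_WRAP))
                .putString("pin_iv", Base64.encodeToString(authed.getIV(), Base64.NO_WRAP)).apply();
    }

    /** Call in onAuthenticationSucceeded at login; the cipher came from cipherFor(storedIv). */
    public static String loadPin(Cipher authed, SharedPreferences prefs) throws Exception {
        byte[] ct = Base64.decode(prefs.getString("pin_ct", ""), Base64.NO_WRAP);
        return new String(authed.doFinal(ct), StandardCharsets.UTF_8);
    }
}
```

Enrolling a new fingerprint invalidates the key, so `cipherFor` then throws `KeyPermanentlyInvalidatedException` and the user has to type the PIN again to re-enrol.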