8

I implemented the new biometric lib using setDeviceCredentialAllowed(true) as shown in the official documentation.

In this lib there is an activity being used, "DeviceCredentialHandlerActivity". This activity has exported=true in the manifest; why is this/is this really needed? As many should know, exporting activities should be avoided if possible for security reasons. I have overridden the property with:

    <activity android:name="androidx.biometric.DeviceCredentialHandlerActivity"
        android:exported="false"
        tools:replace="android:exported">
    </activity>

and authentication with fingerprint/password is still working on Android 29 AND below.

David

1 Answer

1

The commit message for this change:

Export biometric DeviceCredentialHandlerActivity

Ensures that DeviceCredentialHandlerActivity is exported so that other activities can launch it through BiometricPrompt without having to explicitly add it to the corresponding app's manifest.

Community
Tyborg
    Thanks for that, but I'm still not sure in what specific case this would be needed, do you understand it? – David Apr 07 '20 at 01:33
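Whether a `tools:replace` override like the one in the question actually took effect can be checked against the merged manifest the build produces. The script below is an added example, not code from the question, the answer or the AndroidX project; the sample manifest, the `com.example.app` names and the allow-list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"
# Providers are left out: their default export rule differs by API level.
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver")

# Constructed sample of a merged manifest (not taken from a real build).
SAMPLE_MERGED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application>
    <activity android:name="com.example.app.MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name="androidx.biometric.DeviceCredentialHandlerActivity"
        android:exported="true"/>
    <activity android:name="com.example.app.SettingsActivity"/>
  </application>
</manifest>
""".strip()


def is_exported(component):
    """An explicit android:exported wins; without it the legacy default
    applies: exported only when an intent-filter is declared."""
    value = component.get(A + "exported")
    if value is not None:
        return value.strip().lower() == "true"
    return component.find("intent-filter") is not None


def exported_components(manifest_xml):
    """Return (tag, name, permission) for every exported component."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return []
    return [(c.tag, c.get(A + "name"), c.get(A + "permission"))
            for c in app if c.tag in COMPONENT_TAGS and is_exported(c)]


def unexpected_exports(manifest_xml, allowed_names):
    """Exported components whose name is not on the reviewed allow-list."""
    return [c for c in exported_components(manifest_xml)
            if c[1] not in allowed_names]


if __name__ == "__main__":
    for tag, name, perm in unexpected_exports(
            SAMPLE_MERGED_MANIFEST, {"com.example.app.MainActivity"}):
        print(f"exported {tag}: {name} (permission={perm})")
```

Run as a build check, a non-empty result from `unexpected_exports` means a dependency has contributed an exported component that nobody reviewed.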