getGenericPassword does not require authentication if the phone's Keychain was recently unlocked from another biometric authentication event #593
Comments
|
Facing the same issue. Thats a really high risk problem which should get addressed soon. |
|
Experiencing same issue on Android! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The opening screen of my application tries the following immediately upon launch or forgrounding
const result = await Keychain.getGenericPassword({
service: 'myapp',
authenticationPrompt: {
title: 'Biometric Sign In',
subtitle: 'Confirm biometrics to continue.',
},
});
This works perfectly in almost all cases, however, if my app is in the foreground when the user unlocks their phone, it appears that the biometric success is persisted for a few moments, and thus they are not prompted again for their biometrics to unlock the Keychain.
Wrapping the Keychain statement in a timeout that forces the app to wait 1 second before trying to get the item from storage as below does fix this issue, however, I don't believe this should be necessary.
setTimeout(async () => {
const result = await Keychain.getGenericPassword({
service: 'molo',
authenticationPrompt: {
title: 'Biometric Sign In',
subtitle: 'Confirm biometrics to continue.',
},
});
},1000}
This appears to be a fairly large security flaw, especially and I was wondering if anyone else had experienced it, or had any ideas as to why this is happening in the first place.
The text was updated successfully, but these errors were encountered: