Android Marshmallow has introduced a newly integrated API to better support user authentication and user verification. We can now use the new
Fingerprint API for devices with a fingerprint scanner in order to authenticate the user. We can also set a specific time for user lock screen verification to be considered valid in the app login. In this chapter, we will try and go over these additions and explain how to use them:
Android Marshmallow now allows us, the developers, to authenticate users with their fingerprint scans when using such authentication scanners on supported devices.
Fingerprint API was added to Android Marshmallow via a whole new package:
The package contains four classes:
Each class has a specific role in our fingerprint authentication process.
The preceding four classes of the
android.hardware.fingerprint package can be explained in the following manner:
FingerprintManager: Manage access to fingerprint hardware
FingerprintManager.AuthenticationCallback: Callback used in the
FingerprintManager.AuthenticationResult: Result container for
Cryptoobject to use with
Say, we want to authenticate users via their fingerprints. A device with a fingerprint sensor must be in use; otherwise, we can’t use this API. We need to get an instance of
FingerprintManager, and then we call the
authenticate() method. We must implement a specific user interface for the fingerprint authentication flow, and the standard Android fingerprint icon (
c_fp_40px.png) is included in the source. We need to add the appropriate permission to our app’s manifest:
<uses-permission android:name="android.permission.USE_FINGERPRINT" />
Right now, we don’t have a device with a fingerprint sensor, so we will need to test our code from an emulator. (Nexus 5X and Nexus 6P are still with limited supply)
Android SDK Tools Revision 24.3 (at least) must be installed. Now, we navigate to Settings | Security | Fingerprint and add one fingerprint.
adbcommand, tricking the sensor into capturing a mock fingerprint:
adb -e emu finger touch <finger_id>
The resultant screen should look like the following screenshot:
finger_id =1for a single finger. The same command also emulates fingerprint touch events on the lock screen or in our app.
Now, we can launch our application and see that we can use the fingerprint as our authentication method when the user purchases an item.
Ever got the itch when you wanted to use an app after device unlock only to find that you need to log in again or enter the app password again? Well, now we can query the device and check whether it was unlocked recently and how recent was it. This will give our users a chance to avoid all the fuss that comes with using our app. Note that this must be used in conjunction with a public or secret key implementation for user authentication. If you want to read more about the Android Keystore System, head to https://developer.android.com/training/articles/keystore.html.
KeyguardManager and check whether our lock screen is secured via the
isKeyguardSecure() method. Once we know that it’s secured, we can try and use the feature; otherwise, it’d imply that the user didn’t set a secure lock screen and this feature is a no-op.
We generate a symmetric key with
KeyGenerator in Android KeyStore, which can only be used after the user has authenticated with device credentials within the last x seconds. Setting this value (x) is done via the
setUserAuthenticationValidityDurationSeconds() method, when we set up
Try and display the reauthentication dialog as less as possible. When using a cryptographic object, you should try and verify its expiry, and only if it passes, use
createConfirmDeviceCredentialIntent() to reauthenticate the user.
Android Marshmallow also added a new flag to the manifest. This flag indicates whether the application is using a
cleartext network traffic such as HTTP. The flag is
android:usesCleartextTraffic, and the default value is
true. Setting this to
false means that some system API components—such as HTTP and FTP stacks,
MediaPlayer—will refuse to issue HTTP traffic and will only allow HTTPS. It would be a good practice to build a third-party library that honor this setting as well. Why is this good? Well,
cleartext traffic lacks confidentiality, authenticity, and protections against tampering, and data can be tempered without it being detected. This is a major risk for applications, and we can now use it to try and enforce a stronger and more secure data transport to/from our applications.
We need to remember that this flag is honored on the basis of the best effort, and it’s not possible to prevent all
cleartext traffic from Android applications given that they have permissions to use the
Socket API, for instance, where the
Socket API cannot determine
cleartext usage. We can check out this flag by reading it from either
WebView does not honor this flag, which means that it will load HTTP even if the flag is
During app development, we can use
StrictMode and identify any
cleartext traffic from our app using
The downside of
usesCleartextTraffic is that it causes app crashes or process termination when it’s not using SSL (short for Secure Socket Layer). This is great in theory but not in production, where your SSL certificate, for some reason, has issues and you reroute the traffic to HTTP. So, pay extra attention to where HTTPS is used in your app and where it’s okay to use HTTP.
Luckily, we have
StrictMode, which now has a way to warn you if your application executes any unencrypted network operations via a
detectCleartextNetwork() method on
StrictMode.VmPolicy.Builder. In our sample project, we have a
ClearTextNetworkUsageActivity activity; when running the
TestStrictHttp productFlavor variant, you will see this in
Android Marshmallow gave us a new API to authenticate users with the
Fingerprint API. We can use the sensor, authenticate the user even within our application, and save it for later use if we want to save the need for user login using the Credentials’ Grace Period capabilities Android Marshmallow introduced.
We also covered a way to make our application more secure using HTTPS only, and the
StrictMode policy, enforced with the help of the
usesCleartextTraffic flag, which allows us to make sure that all the nodes we connect to the outer world and examine the need for are a secure connection or not.
I would like to thank you for reading.
I would like to thank the Android team. This product has changed my life.
The Android ecosystem has great developers contributing by publishing libraries, writing blog posts and answering support questions; I’m proud to be part of it.
Looking forward for future editions.
As we all know, the current COVID-19 situation has brought the entire world to a…
Hackers target web and app frameworks to try and exploit inbuilt weaknesses. Over the years,…