Categories: AndroidDevelopers

Complete Guide to Authentication in Android 6 Marshmallow

Android Marshmallow has introduced a newly integrated API to better support user authentication and user verification. We can now use the new Fingerprint API for devices with a fingerprint scanner in order to authenticate the user. We can also set a specific time for user lock screen verification to be considered valid in the app login. In this chapter, we will try and go over these additions and explain how to use them:

  • The Fingerprint authentication API
  • Credentials’ Grace Period
  • Cleartext network traffic

The Fingerprint authentication API

Android Marshmallow now allows us, the developers, to authenticate users with their fingerprint scans when using such authentication scanners on supported devices.

The Fingerprint API was added to Android Marshmallow via a whole new package:


The package contains four classes:

  • FingerprintManager
  • FingerprintManager.AuthenticationCallback
  • FingerprintManager.AuthenticationResult
  • FingerprintManager.CryptoObject

Each class has a specific role in our fingerprint authentication process.

How do we use fingerprint authentication?

The preceding four classes of the android.hardware.fingerprint package can be explained in the following manner:

  • FingerprintManager: Manage access to fingerprint hardware
  • FingerprintManager.AuthenticationCallback: Callback used in the auth process
  • FingerprintManager.AuthenticationResult: Result container for auth process
  • FingerprintManager.CryptoObject: SpecificCrypto object to use with FingerprintManager

Say, we want to authenticate users via their fingerprints. A device with a fingerprint sensor must be in use; otherwise, we can’t use this API. We need to get an instance of FingerprintManager, and then we call the authenticate() method. We must implement a specific user interface for the fingerprint authentication flow, and the standard Android fingerprint icon (c_fp_40px.png) is included in the source. We need to add the appropriate permission to our app’s manifest:

<uses-permission android:name="android.permission.USE_FINGERPRINT" />

Right now, we don’t have a device with a fingerprint sensor, so we will need to test our code from an emulator. (Nexus 5X and Nexus 6P are still with limited supply)

Setting up for testing

Android SDK Tools Revision 24.3 (at least) must be installed. Now, we navigate to Settings | Security | Fingerprint and add one fingerprint.

Follow the instructions manually; we are asked to select the PIN and leading us to find the following screenshot:

Finally, we must use a special adb command, tricking the sensor into capturing a mock fingerprint:
adb -e emu finger touch <finger_id>

The resultant screen should look like the following screenshot:

We used finger_id =1 for a single finger. The same command also emulates fingerprint touch events on the lock screen or in our app.

If you need help to set up an emulator, read:

Now, we can launch our application and see that we can use the fingerprint as our authentication method when the user purchases an item.

Credentials’ Grace Period

Ever got the itch when you wanted to use an app after device unlock only to find that you need to log in again or enter the app password again? Well, now we can query the device and check whether it was unlocked recently and how recent was it. This will give our users a chance to avoid all the fuss that comes with using our app. Note that this must be used in conjunction with a public or secret key implementation for user authentication. If you want to read more about the Android Keystore System, head to

We use KeyguardManager and check whether our lock screen is secured via the isKeyguardSecure() method. Once we know that it’s secured, we can try and use the feature; otherwise, it’d imply that the user didn’t set a secure lock screen and this feature is a no-op.

We generate a symmetric key with KeyGenerator in Android KeyStore, which can only be used after the user has authenticated with device credentials within the last x seconds. Setting this value (x) is done via the setUserAuthenticationValidityDurationSeconds() method, when we set up KeyGenerator or KeyPairGenerator.

You can check out the sample code for more information. The activity is called CredGraceActivity.


Try and display the reauthentication dialog as less as possible. When using a cryptographic object, you should try and verify its expiry, and only if it passes, use createConfirmDeviceCredentialIntent() to reauthenticate the user.

Cleartext network traffic

Android Marshmallow also added a new flag to the manifest. This flag indicates whether the application is using a cleartext network traffic such as HTTP. The flag is android:usesCleartextTraffic, and the default value is true. Setting this to false means that some system API components—such as HTTP and FTP stacks, DownloadManager and MediaPlayer—will refuse to issue HTTP traffic and will only allow HTTPS. It would be a good practice to build a third-party library that honor this setting as well. Why is this good? Well, cleartext traffic lacks confidentiality, authenticity, and protections against tampering, and data can be tempered without it being detected. This is a major risk for applications, and we can now use it to try and enforce a stronger and more secure data transport to/from our applications.

We need to remember that this flag is honored on the basis of the best effort, and it’s not possible to prevent all cleartext traffic from Android applications given that they have permissions to use the Socket API, for instance, where the Socket API cannot determine cleartext usage. We can check out this flag by reading it from either ApplicationInfo.flags or NetworkSecurityPolicy.isCleartextTrafficPermitted().


WebView does not honor this flag, which means that it will load HTTP even if the flag is false.

So, what do we do with the cleartext network traffic flag?

During app development, we can use StrictMode and identify any cleartext traffic from our app using StrictMode.VmPolicy.Builder.detectCleartextNetwork().

The downside of usesCleartextTraffic is that it causes app crashes or process termination when it’s not using SSL (short for Secure Socket Layer). This is great in theory but not in production, where your SSL certificate, for some reason, has issues and you reroute the traffic to HTTP. So, pay extra attention to where HTTPS is used in your app and where it’s okay to use HTTP.

Luckily, we have StrictMode, which now has a way to warn you if your application executes any unencrypted network operations via a detectCleartextNetwork() method on StrictMode.VmPolicy.Builder. In our sample project, we have a ClearTextNetworkUsageActivity activity; when running the TestStrictHttp productFlavor variant, you will see this in LogCat.

Wrapping up

Android Marshmallow gave us a new API to authenticate users with the Fingerprint API. We can use the sensor, authenticate the user even within our application, and save it for later use if we want to save the need for user login using the Credentials’ Grace Period capabilities Android Marshmallow introduced.

We also covered a way to make our application more secure using HTTPS only, and the StrictMode policy, enforced with the help of the usesCleartextTraffic flag, which allows us to make sure that all the nodes we connect to the outer world and examine the need for are a secure connection or not.

I would like to thank you for reading.

I would like to thank the Android team. This product has changed my life.

The Android ecosystem has great developers contributing by publishing libraries, writing blog posts and answering support questions; I’m proud to be part of it.

Looking forward for future editions.

Deven Rathore

Deven is an Entrepreneur, and Full-stack developer, Constantly learning and experiencing new things. He currently runs and

Published by
Deven Rathore
Tags: android

Recent Posts

6 Tips for Designing Your Unique Blog

If done correctly, a blog can be hugely successful; it can create a large following,…

2 weeks ago

How to Record and Transcribe a Google Hangouts Meet Video

As we all know, the current COVID-19 situation has brought the entire world to a…

2 weeks ago

5 Signs You Need To Hire A Website Designer

As the digital face of your business, how your website is perceived to the outside…

3 weeks ago

21 Chrome Extensions for Web Development

Since its introduction in 2008, Google Chrome has become the most used and the most…

3 weeks ago

15 cool React Admin Templates

As a react developer, building your Admin Template from scratch can be quite stressful and…

4 weeks ago

Web and App Frameworks Most Susceptible to Hacking

Hackers target web and app frameworks to try and exploit inbuilt weaknesses. Over the years,…

1 month ago