Titanium JIRA Archive
Titanium SDK/CLI (TIMOB)

[TIMOB-24218] Android: Expose Keychain access in Ti.TouchID (Parity with iOS)

GitHub Issue: n/a
Type: New Feature
Priority: Critical
Status: Closed
Resolution: Fixed
Resolution Date: 2017-08-09T22:19:41.000+0000
Affected Version/s: n/a
Fix Version/s: Release 6.2.0
Components: Android
Labels: android, keychain-access
Reporter: Nikita Radaev
Assignee: Gary Mathews
Created: 2016-12-13T19:27:07.000+0000
Updated: 2017-08-29T23:14:20.000+0000

Description

Now that iOS keychain functionality has been sorted out in TIMOB-20547, we would like someone to look into exposing the Android Keychain functionality discussed in [https://developer.android.com/reference/android/security/KeyChain.html]. Currently, I believe the Android TouchID module can only check for a correct/incorrect fingerprint. We would like to actually save a key/value pair and hopefully get some additional security features that native code provides.

Comments

  1. Nikita Radaev 2016-12-13

    Some more info about Android keystore here: https://developer.android.com/training/articles/keystore.html
  2. Ajith Rohini 2016-12-19

    [~nradaev] I had a chat with our R&D and as per them, it took us a bit of time to address the iOS ticket and this one might take longer. Currently this is scheduled for Q1/Q2 2017. We apologize for the delay on this. But if you think it's critical, please let Saleem know.
  3. Gary Mathews 2017-06-26

    master: https://github.com/appcelerator-modules/ti.touchid/pull/32
  4. Hans Knöchel 2017-06-27

    The CR-review is nearly finished, Gary provided a release to test already, thanks [~gmathews]! https://github.com/appcelerator-modules/ti.touchid/releases/tag/android-2.2.0
  5. Nikita Radaev 2017-06-29

    Great! Are there any docs available? The attached example shows only the very basic case. As far as I know, the Android keystore works slightly differently than the iOS one. I would like to do some testing on our end as well.
  6. Nikita Radaev 2017-07-12

    Hi guys, after a quick test I have a few questions:
    - Is there support for fingerprint authentication?
    - Will there be constraints available like accessControlMode and accessibilityMode for the iOS TouchID module?

    One of our use cases is being able to put a value in the keystore with constraints and then retrieve it using fingerprint. I don't believe Android & iOS TouchID modules will have parity without these two features.
  7. Gary Mathews 2017-07-12

    [~nradaev]
    - Yes, [here's an example](https://github.com/appcelerator-modules/ti.touchid/blob/master/android/example/app.js) for fingerprint authentication
    - Nope, those are iOS specific properties

    Thanks for the use case, I'll implement the ability to do that on Android.
  8. Nikita Radaev 2017-07-13

    Hi Gary, Thank you for a quick reply. I will do some additional testing regarding fingerprint authentication.

    Speaking of constraints, I understand that accessControlMode and accessibilityMode are iOS specific constants and the Android keystore is not as granular. However, the use case I was describing above (ability to retrieve a keystore value with a fingerprint) also requires that a passcode is set up on the device at the moment of writing/reading of keychain items, ideally controlled by some sort of optional value.

    Basically, we will have some values that have lower security priority and a couple with a high security priority. For lower security items we just need the basic read/write/remove functionality that is currently covered. For higher security items we would like to force the user to have some sort of additional device protection set up. I believe this is possible to achieve using spec.setUserAuthenticationRequired(true). It would also be nice if this constraint could include patterns and pins. As far as I understand it's also possible to set a timeout period for how long "authentication" lasts since the user inserted his pass/pin/pattern. It would be great if you could expose that value as well, as other use cases may arise in the future.

    So basically we are hoping you could emulate accessibilityMode: ACCESSIBLE_WHEN_PASSCODE_SET. Please let me know your thoughts on this matter, Nikita.
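The constraint requested in the comment above, written against the Android Keystore API as an added example (not code from the ti.touchid module or from this thread); the class name `AuthBoundKey` and its method names are hypothetical. It refuses to create the key when no secure lock screen is set and limits key use to a window after the last device unlock.

```java
import android.app.KeyguardManager;
import android.content.Context;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.security.keystore.UserNotAuthenticatedException;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

// Hypothetical helper, for illustration only.
public final class AuthBoundKey {
    private static final String PROVIDER = "AndroidKeyStore";
    private static final String TRANSFORMATION = "AES/CBC/PKCS7Padding";

    // Creates an AES key that is usable only if the user authenticated
    // (PIN, pattern, password or fingerprint) within the last validitySeconds.
    public static SecretKey create(Context ctx, String alias, int validitySeconds)
            throws GeneralSecurityException {
        KeyguardManager km = (KeyguardManager) ctx.getSystemService(Context.KEYGUARD_SERVICE);
        if (km == null || !km.isDeviceSecure()) {
            // High-priority items are not stored on a device without a lock screen.
            throw new IllegalStateException("device has no secure lock screen");
        }
        KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(alias,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
                .setUserAuthenticationRequired(true)
                // API 23 call; deprecated from API 30 in favour of setUserAuthenticationParameters.
                .setUserAuthenticationValidityDurationSeconds(validitySeconds)
                .build();
        KeyGenerator generator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, PROVIDER);
        generator.init(spec);
        return generator.generateKey();
    }

    // Returns an initialised Cipher, or null when the user must re-authenticate first.
    public static Cipher encryptCipher(String alias) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(PROVIDER);
        ks.load(null);
        SecretKey key = (SecretKey) ks.getKey(alias, null);
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        try {
            cipher.init(Cipher.ENCRYPT_MODE, key);
            return cipher;
        } catch (UserNotAuthenticatedException e) {
            return null; // authentication window has expired
        }
    }
}
```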
  9. Gary Mathews 2017-07-18

    [~nradaev] I have updated the 2.2.0 pre-release: https://github.com/appcelerator-modules/ti.touchid/releases/tag/android-2.2.0
       // Keychain item configured with fingerprint access control
       var TouchID = require('ti.touchid'),
           keychainItem = TouchID.createKeychainItem({
               identifier: 'test_key',
               //cipher: 'AES/CBC/PKCS7Padding',
               accessControlMode: TouchID.ACCESS_CONTROL_TOUCH_ID_ANY
           }),
           win = Ti.UI.createWindow({backgroundColor: 'white', layout: 'vertical'}),
           queue = [], // fingerprint prompt windows waiting to be closed
           callback = function(e) {
               // Close the oldest fingerprint prompt, then show the event result
               if (queue.length) {
                   queue.shift().close();
               }
               alert(JSON.stringify(e, null, 2));
           };
       
       keychainItem.addEventListener('save', callback);
       keychainItem.addEventListener('read', callback);
       
       button('SAVE', function() {
           showFingerprint();
           keychainItem.save('test');
       });
       button('READ', function() {
           showFingerprint();
           keychainItem.read();
       });
       
       win.open();
       
       // Show a fingerprint icon while the keychain operation waits for the user
       function showFingerprint() {
           if (keychainItem.accessControlMode !== TouchID.ACCESS_CONTROL_TOUCH_ID_ANY) return;
           var win = Ti.UI.createWindow({backgroundColor: 'white'}),
               img = Ti.UI.createImageView({image: 'http://bit.ly/2ur2X4u', width: 64, height: 64});
           queue.push(win);
           win.add(img);
           win.open();
       }
       // Add a full-width button to the main window
       function button(title, click) {
           var btn = Ti.UI.createButton({title: title, width: Ti.UI.FILL});
           btn.addEventListener('click', click);
           win.add(btn);
       }
       
  10. Nikita Radaev 2017-07-24

    Hi Gary, Thanks for coming back to us on this issue. Unfortunately, application build process fails with supplied module. Is there a more stable version I can use? N.
  11. Gary Mathews 2017-07-25

    [~nradaev] Updated the pre-release, it should work now.
  12. Nikita Radaev 2017-07-25

    Thank you Gary! It seems to work correctly. I still have a couple of things I want to discuss with you about this ticket. I propose we take it up via email in order to avoid clutter here. Could you please contact me at nikita.radaev@meridiancu.ca?
  13. Lokesh Choudhary 2017-08-09

    Verified the implementation. Key/value can be saved in the keychain & be retrieved using the fingerprint.

    Studio Ver: 4.9.1.201707200100
    SDK Ver: 6.1.2.GA
    OS Ver: 10.12.3
    Xcode Ver: Xcode 8.3.3
    Appc NPM: 4.2.9
    Appc CLI: 6.2.3
    Ti CLI Ver: 5.0.14
    Alloy Ver: 1.9.13
    Node Ver: 6.10.1
    Java Ver: 1.8.0_101
    Devices: ⇨ google Pixel --- Android 7.1.1
    Touchid module : 2.2.0
  14. Lokesh Choudhary 2017-08-19

    Verified the fix in 6.2.0.v20170818105443. For master the touchid module will have to be recompiled to work with 7.0.0. Leaving this in resolved state as of now.
  15. Ewan Harris 2017-08-25

    PRs to land changes into SDK
    master: https://github.com/appcelerator/titanium_mobile/pull/9359
    6_2_X: https://github.com/appcelerator/titanium_mobile/pull/9360
  16. Lokesh Choudhary 2017-08-29

    Verified the fix with SDK 6.2.0.v20170829152447 & 7.0.0.v20170829152646. For 7.0.0.v20170829152646 the touchID module is not selectable in the tiapp.xml and needs to be recompiled to work with it. Closing.

    Studio Ver: 4.9.1.201707200100
    OS Ver: 10.12.3
    Xcode Ver: Xcode 8.3.3
    Appc NPM: 4.2.9
    Appc CLI: 6.2.3
    Ti CLI Ver: 5.0.14
    Alloy Ver: 1.9.13
    Node Ver: 6.10.1
    Java Ver: 1.8.0_101
    Devices: ⇨ google Nexus 5 --- Android 6.0.1 ⇨ google Pixel --- Android 7.1.1
