Looking for new flutter package and exposing the SDK cryptographic/access primitive to Dart for secure usage

[VenkataMannem]

Is there an existing issue for this?

• I have searched the existing issues
• I have read the guide to filing a bug

Use case

Hi Flutter Community / @stuartmorgan,

We are looking for new flutter package that can match with the below requirement which is provided by Alaeddine Mesbahi who is from Ostorlab Team helping us to fix the Vulnerabilities in our application.

Issue:
#128722

Dev Recommendation:
Strong
As a Mobile Application developer, I am agreeing to the below use case that is very important for the mobile application to implement Biometric Authentication.

Use case:

Both the Biometric API on Android (BiometricPrompt.CryptoObject)[1] and iOS (kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly)[2] exposes APIs to secure data relying on cryptographic primitives that are either generated or unlocked using the Biometric authentication.

local_auth does not expose those. The fact that these APIs are part of the native SDK should naturally be reflected in its Flutter counterpart.

local_auth without it is insecure for use and Biometric authentication with it is always bypassable [3]. The risks addressed with Biometric Authentication are not mitigated as nothing links them to the Biometric data of the user.

[1] https://developer.android.com/reference/android/hardware/biometrics/BiometricPrompt.CryptoObject
[2] https://developer.apple.com/documentation/localauthentication/accessing_keychain_items_with_face_id_or_touch_id
[3] https://book.hacktricks.xyz/mobile-pentesting/android-app-pentesting/bypass-biometric-authentication-android

Proposal

To Summarize, Due to most of the application are using Biometric login implementation into the seem less login. I hope the Flutter team would reconsider adding these to the package and exposing the SDK cryptographic/access primitive to Dart for secure usage.

[darshankawar]

Thanks for the report @VenkataMannem
Can you take a look at this package and see if it helps in addressing your use case ?

[stuartmorgan-g]

This request doesn't actually describe a use case, it describes a proposed solution (exposing primitives) without explaining what exactly it's a solution to.

What, concretely, do you want to be able to do?

[3asm]

The package https://pub.dev/packages/biometric_storage does support the functionalities described by @VenkataMannem and properly uses the native API crypto primitives.

[f-person]

What, concretely, do you want to be able to do?

One of the primary use cases is using biometric authentication to store/retrieve encrypted data. Probably, some keys to then decrypt the whole app database. While using local_auth to prevent access to an application is a valid use case, I believe many apps would still benefit from the ability to use biometrics to safely store data (mostly encryption keys), too.

The biometric_storage package does exactly that and goes a little beyond biometric auth.

I'm not sure whether adding such capabilities to local_auth would make sense, but it would be nice to have the official package cover this use case, too. :)

[stuartmorgan-g]

One of the primary use cases is using biometric authentication to store/retrieve encrypted data.

That is a use case that a plugin could be built for, but I don't know if it's the use case the original reporter had in mind. Without additional information from the reporter of the issue, this will be closed since it's not actionable as filed.

The biometric_storage package does exactly that and goes a little beyond biometric auth.

I'm not sure whether adding such capabilities to local_auth would make sense, but it would be nice to have the official package cover this use case, too. :)

If you have a specific feature request about secure storage, please file a new issue for discussion.

[github-actions]

Without additional information, we are unfortunately not sure how to resolve this issue. We are therefore reluctantly going to close this bug for now.
If you find this problem please file a new issue with the same description, what happens, logs and the output of 'flutter doctor -v'. All system setups can be slightly different so it's always better to open new issues and reference the related ones.
Thanks for your contribution.

[github-actions]

This thread has been automatically locked since there has not been any recent activity after it was closed. If you are still experiencing a similar issue, please open a new bug, including the output of flutter doctor -v and a minimal reproduction of the issue.