Full Question : What happens to the encrypted app-specific data when the (one) enrolled fingerprint is deleted from the device and the associated app-specific cryptographic key stored in the TEE gets permanently invalidated?
I am not an Android developer, so I do not have much coding knowledge. I was going through how Android cryptography works, especially the local authentication mechanism, and have understood it this way:
In short, following the information from the OWASP Mobile Security Testing Guide:
- An app can use the user's fingerprint to unlock itself (after a set period of inactivity).
- This authentication mechanism should be supported by cryptography to prove itself strong/secure.
- We need to create a crypto key with the property setUserAuthenticationRequired(true) set, so that it can be used only after fingerprint or device PIN verification.
- This key could be used to sign/encrypt-decrypt the app-specific data, thereby making the whole process implement a cryptographic primitive.
The trouble in my head is with the following from Android documentation:
This only occurs for keys which are authorized to be used only if the user has been authenticated. Such keys are permanently and irreversibly invalidated once the secure lock screen is disabled (i.e., reconfigured to None, Swipe or other mode which does not authenticate the user) or when the secure lock screen is forcibly reset (e.g., by Device Admin). Additionally, keys configured to require user authentication to take place for every of the keys, are also permanently invalidated once a new fingerprint is enrolled or once no more fingerprints are enrolled.
The question is: if my device has a fingerprint enrolled and my app has set up fingerprint authentication, a key would then be created and used to perform the crypto operations (say encrypt-decrypt). This encrypted data would then be stored in the app's local storage. In a case wherein the user deletes his fingerprint from the device, as per the Android documentation, the key would get invalidated. In such a case, how would my app's encrypted data get decrypted for further usage? Because you need the same key to decrypt the data, which is now irreversibly invalidated.
I am aware of the fallback mechanism, wherein if the fingerprint is not found, Android falls back to the PIN or pattern device authentication. But this would again not create a new key, would it? Or provide access to the same old key used by fingerprint auth (as it is invalidated)?
So, what happens to the app's data? Does it get deleted? Does the user have to start afresh, setting up the account and preferences?
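The key setup described in the question's bullet list, and the invalidation case it asks about, look like this in Android Keystore code. This is an added example written for this page, not code from the question, from OWASP or from Android itself; the key alias `app_data_key`, the class name and a minSdk of 24 (for `setInvalidatedByBiometricEnrollment`) are assumptions. It shows where the invalidation surfaces to the app: `Cipher.init` throws `KeyPermanentlyInvalidatedException` for a key whose authentication binding no longer holds.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public final class AuthBoundKeyExample {
    // Assumed alias for this example; any app-chosen alias works.
    private static final String KEY_ALIAS = "app_data_key";
    private static final String ANDROID_KEYSTORE = "AndroidKeyStore";

    /** Generates an AES-GCM key in the Keystore that is usable only after user authentication. */
    static SecretKey generateAuthBoundKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEYSTORE);
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            // Every use of the key must be preceded by user authentication.
            .setUserAuthenticationRequired(true)
            // API 24+. true (the default) ties the key to the current fingerprint set:
            // enrolling a new fingerprint or removing the last one invalidates it.
            .setInvalidatedByBiometricEnrollment(true)
            .build());
        return kg.generateKey();
    }

    /** Loads the existing key from the Keystore, or returns null if none exists. */
    static SecretKey loadKey() throws Exception {
        KeyStore ks = KeyStore.getInstance(ANDROID_KEYSTORE);
        ks.load(null);
        return (SecretKey) ks.getKey(KEY_ALIAS, null);
    }

    /**
     * Prepares a decryption Cipher for previously stored ciphertext (iv was saved next to it).
     * Returns null when the key has been permanently invalidated, which is the situation the
     * question describes: the stored ciphertext can no longer be decrypted with this key.
     */
    static Cipher initDecryptCipher(byte[] iv) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        try {
            cipher.init(Cipher.DECRYPT_MODE, loadKey(), new GCMParameterSpec(128, iv));
            return cipher;
        } catch (KeyPermanentlyInvalidatedException e) {
            // Fingerprint enrollment changed or the secure lock screen was removed.
            // Delete the dead entry so the app can generate a fresh key and re-provision its data.
            KeyStore ks = KeyStore.getInstance(ANDROID_KEYSTORE);
            ks.load(null);
            ks.deleteEntry(KEY_ALIAS);
            return null;
        }
    }
}
```

With a per-use authentication key like this one, the app passes the initialized `Cipher` to `BiometricPrompt` inside a `CryptoObject`; `doFinal` only succeeds once the prompt has authenticated that object. The `catch` branch is the point where the app has to decide what to do about data that was encrypted solely under the invalidated key.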