/secure_biometric_storage

Flutter plugin to securely store data behind biometric authentication (ie. fingerprint)

Primary LanguageKotlinOtherNOASSERTION

secure_biometric_storage

pub package

Fork of biometric_storage with focus on security

Encrypted file store, optionally secured by a biometric lock for Android and iOS.

Meant as a way to store small data in a hardware encrypted fashion. E.g. to store passwords, secret keys, etc. but not massive amounts of data.

Uses similar encryption mechanism as in flutter_secure_storage

  • Android: Uses androidx with KeyStore.
  • iOS: LocalAuthentication with KeyChain.

Security Enhancements:

  • On both Android and iOS keys are invalidated if new fingerprint/face are added.
  • Auth-per-use keys are used for storages secured by a biometric lock.
  • BIOMETRIC_STRONG used on Android.

An auth-per-use key requires the user to present a biometric credential each time your app needs to access data that's guarded by that key. Auth-per-use keys can be useful for high-value transactions, such as making a large payment or updating a person's health records.

Getting Started

Android

  • Requirements:
    • Android: API Level >= 23

    • MainActivity must extend FlutterFragmentActivity

    • Theme for the main activity must use Theme.AppCompat theme. (Otherwise there will be crashes on Android < 29) For example:

      AndroidManifest.xml:

      <activity
      android:name=".MainActivity"
      android:launchMode="singleTop"
      android:theme="@style/LaunchTheme"

      xml/styles.xml:

          <style name="LaunchTheme" parent="Theme.AppCompat.NoActionBar">
          <!-- Show a splash screen on the activity. Automatically removed when
               Flutter draws its first frame -->
          <item name="android:windowBackground">@drawable/launch_background</item>
      
          <item name="android:windowNoTitle">true</item>
          <item name="android:windowActionBar">false</item>
          <item name="android:windowFullscreen">true</item>
          <item name="android:windowContentOverlay">@null</item>
      </style>

iOS

https://developer.apple.com/documentation/localauthentication/logging_a_user_into_your_app_with_face_id_or_touch_id

  • include the NSFaceIDUsageDescription key in your app’s Info.plist file
  • Requires at least iOS 9

Resources