npm - @capgo/capacitor-native-biometric - Versions diffs - 5.0.0 → 5.1.0 - Mend

@capgo/capacitor-native-biometric 5.0.0 → 5.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (60) hide show

package/LICENSE CHANGED Viewed

@@ -1,6 +1,6 @@
 MIT License
-Copyright (c) Ariel Hernandez Musa.
+Copyright (c) Martin Donadieu.
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
@@ -18,4 +18,4 @@ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+SOFTWARE.

package/{readme.md → README.md} RENAMED Viewed

@@ -2,16 +2,16 @@
 Use biometrics confirm device owner presence or authenticate users. A couple of methods are provided to handle user credentials. These are securely stored using Keychain (iOS) and Keystore (Android).
-## Installation (Only supports Capacitor 3 and 4)
+## Installation (Only supports Capacitor 5)
-- `npm i capacitor-native-biometric`
+- `npm i @capgo/capacitor-native-biometric`
 ## Usage
 ```ts
-import { NativeBiometric } from "capacitor-native-biometric";
+import { NativeBiometric, BiometryType } from "@capgo/capacitor-native-biometric";
-async performBiometricVerificatin(){
+async performBiometricVerification(){
   const result = await NativeBiometric.isAvailable();
   if(!result.isAvailable) return;
@@ -46,6 +46,27 @@ NativeBiometric.deleteCredentials({
   server: "www.example.com",
 }).then();
 ```
+### Biometric Auth Errors
+This is a plugin specific list of error codes that can be thrown on verifyIdentity failure, or set as a part of isAvailable. It consolidates Android and iOS specific Authentication Error codes into one combined error list.
+| Code | Description                 | Platform                     |
+| ---- | --------------------------- | ---------------------------- |
+| 0    | Unknown Error               | Android, iOS                 |
+| 1    | Biometrics Unavailable      | Android, iOS                 |
+| 2    | User Lockout                | Android, iOS                 |
+| 3    | Biometrics Not Enrolled     | Android, iOS                 |
+| 4    | User Temporary Lockout      | Android (Lockout for 30sec)  |
+| 10   | Authentication Failed       | Android, iOS                 |
+| 11   | App Cancel                  | iOS                          |
+| 12   | Invalid Context             | iOS                          |
+| 13   | Not Interactive             | iOS                          |
+| 14   | Passcode Not Set            | Android, iOS                 |
+| 15   | System Cancel               | Android, iOS                 |
+| 16   | User Cancel                 | Android, iOS                 |
+| 17   | User Fallback               | Android, iOS                 |
 <docgen-index>
 * [`isAvailable(...)`](#isavailable)
@@ -64,7 +85,7 @@ NativeBiometric.deleteCredentials({
 ### isAvailable(...)
 ```typescript
-isAvailable(options?: IsAvailableOptions) => any
+isAvailable(options?: IsAvailableOptions | undefined) => any
 ```
 Checks if biometric authentication hardware is available.
@@ -83,7 +104,7 @@ Checks if biometric authentication hardware is available.
 ### verifyIdentity(...)
 ```typescript
-verifyIdentity(options?: BiometricOptions) => any
+verifyIdentity(options?: BiometricOptions | undefined) => any
 ```
 Prompts the user to authenticate with biometrics.
@@ -177,15 +198,16 @@ Deletes the stored credentials for a given server.
 #### BiometricOptions
-| Prop                     | Type                 | Description                                                                                                           | Default        |
-| ------------------------ | -------------------- | --------------------------------------------------------------------------------------------------------------------- | -------------- |
-| **`reason`**             | <code>string</code>  |                                                                                                                       |                |
-| **`title`**              | <code>string</code>  |                                                                                                                       |                |
-| **`subtitle`**           | <code>string</code>  |                                                                                                                       |                |
-| **`description`**        | <code>string</code>  |                                                                                                                       |                |
-| **`negativeButtonText`** | <code>string</code>  |                                                                                                                       |                |
-| **`useFallback`**        | <code>boolean</code> |                                                                                                                       |                |
-| **`maxAttempts`**        | <code>number</code>  | Only for Android. Set a maximum number of attempts for biometric authentication. The maximum allowed by android is 5. | <code>1</code> |
+| Prop                     | Type                 | Description                                                                                                                                                | Default        |
+| ------------------------ | -------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- |
+| **`reason`**             | <code>string</code>  |                                                                                                                                                            |                |
+| **`title`**              | <code>string</code>  |                                                                                                                                                            |                |
+| **`subtitle`**           | <code>string</code>  |                                                                                                                                                            |                |
+| **`description`**        | <code>string</code>  |                                                                                                                                                            |                |
+| **`negativeButtonText`** | <code>string</code>  |                                                                                                                                                            |                |
+| **`useFallback`**        | <code>boolean</code> | Specifies if should fallback to passcode authentication if biometric authentication fails.                                                                 |                |
+| **`fallbackTitle`**      | <code>string</code>  | Only for iOS. Set the text for the fallback button in the authentication dialog. If this property is not specified, the default text is set by the system. |                |
+| **`maxAttempts`**        | <code>number</code>  | Only for Android. Set a maximum number of attempts for biometric authentication. The maximum allowed by android is 5.                                      | <code>1</code> |
 #### GetCredentialOptions
@@ -224,15 +246,15 @@ Deletes the stored credentials for a given server.
 #### BiometryType
-| Members                   |
-| ------------------------- |
-| **`NONE`**                |
-| **`TOUCH_ID`**            |
-| **`FACE_ID`**             |
-| **`FINGERPRINT`**         |
-| **`FACE_AUTHENTICATION`** |
-| **`IRIS_AUTHENTICATION`** |
-| **`MULTIPLE`**            |
+| Members                   | Value          |
+| ------------------------- | -------------- |
+| **`NONE`**                | <code>0</code> |
+| **`TOUCH_ID`**            | <code>1</code> |
+| **`FACE_ID`**             | <code>2</code> |
+| **`FINGERPRINT`**         | <code>3</code> |
+| **`FACE_AUTHENTICATION`** | <code>4</code> |
+| **`IRIS_AUTHENTICATION`** | <code>5</code> |
+| **`MULTIPLE`**            | <code>6</code> |
 </docgen-api>
 ## Face ID (iOS)
@@ -278,6 +300,11 @@ public class MainActivity extends BridgeActivity {
 [Jonthia](https://github.com/jonthia)
 [One Click Web Studio](https://github.com/oneclickwebstudio)
+[Brian Weasner](https://github.com/brian-weasner)
+[Mohamed Diarra](https://github.com/mohdiarra)
+### Want to Contribute?
+Learn about contributing [HERE](./CONTRIBUTING.md)
 ## Notes

package/android/gradlew CHANGED Viewed

@@ -85,9 +85,6 @@ done
 APP_BASE_NAME=${0##*/}
 APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit
-# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
-DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum
@@ -133,10 +130,13 @@ location of your Java installation."
     fi
 else
     JAVACMD=java
-    which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
+    if ! command -v java >/dev/null 2>&1
+    then
+        die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
 Please set the JAVA_HOME variable in your environment to match the
 location of your Java installation."
+    fi
 fi
 # Increase the maximum file descriptors if we can.
@@ -197,6 +197,10 @@ if "$cygwin" || "$msys" ; then
     done
 fi
+# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
+DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
 # Collect all arguments for the java command;
 #   * $DEFAULT_JVM_OPTS, $JAVA_OPTS, and $GRADLE_OPTS can contain fragments of
 #     shell script including quotes and variable substitutions, so put them in

package/android/src/main/java/ee/forgr/biometric/AuthActivity.java CHANGED Viewed

@@ -9,10 +9,11 @@ import android.view.View;
 import androidx.annotation.NonNull;
 import androidx.appcompat.app.AppCompatActivity;
 import androidx.appcompat.widget.Toolbar;
+import androidx.biometric.BiometricConstants;
 import androidx.biometric.BiometricPrompt;
-import ee.forgr.biometric.capacitornativebiometric.R;
 import com.google.android.material.floatingactionbutton.FloatingActionButton;
 import com.google.android.material.snackbar.Snackbar;
+import ee.forgr.biometric.capacitornativebiometric.R;
 import java.util.concurrent.Executor;
 public class AuthActivity extends AppCompatActivity {
@@ -40,29 +41,31 @@ public class AuthActivity extends AppCompatActivity {
         };
     }
-    BiometricPrompt.PromptInfo.Builder builder =
-      new BiometricPrompt.PromptInfo.Builder()
-        .setTitle(
-          getIntent().hasExtra("title")
-            ? getIntent().getStringExtra("title")
-            : "Authenticate"
-        )
-        .setSubtitle(
-          getIntent().hasExtra("subtitle")
-            ? getIntent().getStringExtra("subtitle")
-            : null
-        )
-        .setDescription(
-          getIntent().hasExtra("description")
-            ? getIntent().getStringExtra("description")
-            : null
-        );
+    BiometricPrompt.PromptInfo.Builder builder = new BiometricPrompt.PromptInfo.Builder()
+      .setTitle(
+        getIntent().hasExtra("title")
+          ? getIntent().getStringExtra("title")
+          : "Authenticate"
+      )
+      .setSubtitle(
+        getIntent().hasExtra("subtitle")
+          ? getIntent().getStringExtra("subtitle")
+          : null
+      )
+      .setDescription(
+        getIntent().hasExtra("description")
+          ? getIntent().getStringExtra("description")
+          : null
+      );
     boolean useFallback = getIntent().getBooleanExtra("useFallback", false);
     if (useFallback) {
+      // TODO: Deprecated function, probably want to migrate to `setAllowedAuthenticators`
       builder.setDeviceCredentialAllowed(true);
     } else {
+      // Note that this option is incompatible with device credential authentication and must NOT be set if the latter is enabled via `setAllowedAuthenticators` or `setDeviceCredentialAllowed`.
+      // @see https://developer.android.com/reference/androidx/biometric/BiometricPrompt.PromptInfo.Builder#setNegativeButtonText(java.lang.CharSequence)
       builder.setNegativeButtonText(
         getIntent().hasExtra("negativeButtonText")
           ? getIntent().getStringExtra("negativeButtonText")
@@ -82,8 +85,10 @@ public class AuthActivity extends AppCompatActivity {
           @NonNull CharSequence errString
         ) {
           super.onAuthenticationError(errorCode, errString);
-          finishActivity(errString.toString(), errorCode);
+          int pluginErrorCode = AuthActivity.convertToPluginErrorCode(
+            errorCode
+          );
+          finishActivity("error", pluginErrorCode, errString.toString());
         }
         @Override
@@ -91,14 +96,18 @@ public class AuthActivity extends AppCompatActivity {
           @NonNull BiometricPrompt.AuthenticationResult result
         ) {
           super.onAuthenticationSucceeded(result);
-          finishActivity("success", 0);
+          finishActivity("success");
         }
         @Override
         public void onAuthenticationFailed() {
           super.onAuthenticationFailed();
           counter++;
-          if (counter == maxAttempts) finishActivity("failed");
+          if (counter == maxAttempts) finishActivity(
+            "failed",
+            10,
+            "Authentication failed."
+          );
         }
       }
     );
@@ -107,23 +116,52 @@ public class AuthActivity extends AppCompatActivity {
   }
   void finishActivity(String result) {
-    Intent intent = new Intent();
-    intent.putExtra("result", "failed");
-    intent.putExtra("errorDetails", "Authentication failed.");
-    setResult(RESULT_OK, intent);
-    finish();
+    finishActivity(result, null, null);
   }
-  void finishActivity(String result, int errorCode) {
+  void finishActivity(String result, Integer errorCode, String errorDetails) {
     Intent intent = new Intent();
-    if (errorCode != 0) {
-      intent.putExtra("result", "error");
-      intent.putExtra("errorDetails", result);
+    intent.putExtra("result", result);
+    if (errorCode != null) {
       intent.putExtra("errorCode", String.valueOf(errorCode));
-    } else {
-      intent.putExtra("result", result);
+    }
+    if (errorDetails != null) {
+      intent.putExtra("errorDetails", errorDetails);
     }
     setResult(RESULT_OK, intent);
     finish();
   }
+  /**
+   * Convert Auth Error Codes to plugin expected Biometric Auth Errors (in README.md)
+   * This way both iOS and Android return the same error codes for the same authentication failure reasons.
+   * !!IMPORTANT!!: Whenever this is modified, check if similar function in iOS Plugin.swift needs to be modified as well
+   * @see https://developer.android.com/reference/androidx/biometric/BiometricPrompt#constants
+   * @return BiometricAuthError
+   */
+  public static int convertToPluginErrorCode(int errorCode) {
+    switch (errorCode) {
+      case BiometricConstants.ERROR_HW_UNAVAILABLE:
+      case BiometricConstants.ERROR_HW_NOT_PRESENT:
+        return 1;
+      case BiometricConstants.ERROR_LOCKOUT_PERMANENT:
+        return 2;
+      case BiometricConstants.ERROR_NO_BIOMETRICS:
+        return 3;
+      case BiometricConstants.ERROR_LOCKOUT:
+        return 4;
+      // Authentication Failure (10) Handled by `onAuthenticationFailed`.
+      // App Cancel (11), Invalid Context (12), and Not Interactive (13) are not valid error codes for Android.
+      case BiometricConstants.ERROR_NO_DEVICE_CREDENTIAL:
+        return 14;
+      case BiometricConstants.ERROR_TIMEOUT:
+      case BiometricConstants.ERROR_CANCELED:
+        return 15;
+      case BiometricConstants.ERROR_USER_CANCELED:
+      case BiometricConstants.ERROR_NEGATIVE_BUTTON:
+        return 16;
+      default:
+        return 0;
+    }
+  }
 }

package/android/src/main/java/ee/forgr/biometric/NativeBiometric.java CHANGED Viewed

@@ -1,5 +1,6 @@
 package ee.forgr.biometric;
+import android.annotation.SuppressLint;
 import android.app.Activity;
 import android.app.KeyguardManager;
 import android.content.Context;
@@ -10,8 +11,10 @@ import android.os.Build;
 import android.security.KeyPairGeneratorSpec;
 import android.security.keystore.KeyGenParameterSpec;
 import android.security.keystore.KeyProperties;
+import android.security.keystore.StrongBoxUnavailableException;
 import android.util.Base64;
 import androidx.activity.result.ActivityResult;
+import androidx.biometric.BiometricConstants;
 import androidx.biometric.BiometricManager;
 import com.getcapacitor.JSObject;
 import com.getcapacitor.Plugin;
@@ -46,7 +49,6 @@ import javax.crypto.spec.SecretKeySpec;
 @CapacitorPlugin(name = "NativeBiometric")
 public class NativeBiometric extends Plugin {
-  private BiometricManager biometricManager;
   //protected final static int AUTH_CODE = 0102;
   private static final int NONE = 0;
@@ -111,17 +113,33 @@ public class NativeBiometric extends Plugin {
   public void isAvailable(PluginCall call) {
     JSObject ret = new JSObject();
-    biometricManager = BiometricManager.from(getContext());
+    boolean useFallback = Boolean.TRUE.equals(
+      call.getBoolean("useFallback", false)
+    );
+    BiometricManager biometricManager = BiometricManager.from(getContext());
     int canAuthenticateResult = biometricManager.canAuthenticate();
+    // Using deviceHasCredentials instead of canAuthenticate(DEVICE_CREDENTIAL)
+    // > "Developers that wish to check for the presence of a PIN, pattern, or password on these versions should instead use isDeviceSecure."
+    // @see https://developer.android.com/reference/androidx/biometric/BiometricManager#canAuthenticate(int)
+    boolean fallbackAvailable = useFallback && this.deviceHasCredentials();
+    if (useFallback && !fallbackAvailable) {
+      canAuthenticateResult = BiometricConstants.ERROR_NO_DEVICE_CREDENTIAL;
+    }
+    boolean isAvailable =
+      (
+        canAuthenticateResult == BiometricManager.BIOMETRIC_SUCCESS ||
+        fallbackAvailable
+      );
+    ret.put("isAvailable", isAvailable);
-    switch (canAuthenticateResult) {
-      case BiometricManager.BIOMETRIC_SUCCESS:
-        ret.put("isAvailable", true);
-        break;
-      default:
-        ret.put("isAvailable", false);
-        ret.put("errorCode", canAuthenticateResult);
-        break;
+    if (!isAvailable) {
+      // BiometricManager Error Constants use the same values as BiometricPrompt's Constants. So we can reuse our
+      int pluginErrorCode = AuthActivity.convertToPluginErrorCode(
+        canAuthenticateResult
+      );
+      ret.put("errorCode", pluginErrorCode);
     }
     ret.put("biometryType", getAvailableFeature());
@@ -134,32 +152,30 @@ public class NativeBiometric extends Plugin {
     intent.putExtra("title", call.getString("title", "Authenticate"));
-    if (call.hasOption("subtitle")) intent.putExtra(
-      "subtitle",
-      call.getString("subtitle")
-    );
-    if (call.hasOption("description")) intent.putExtra(
-      "description",
-      call.getString("description")
-    );
+    if (call.hasOption("subtitle")) {
+      intent.putExtra("subtitle", call.getString("subtitle"));
+    }
-    if (call.hasOption("negativeButtonText")) intent.putExtra(
-      "negativeButtonText",
-      call.getString("negativeButtonText")
-    );
+    if (call.hasOption("description")) {
+      intent.putExtra("description", call.getString("description"));
+    }
-    if (call.hasOption("maxAttempts")) intent.putExtra(
-      "maxAttempts",
-      call.getInt("maxAttempts")
-    );
+    if (call.hasOption("negativeButtonText")) {
+      intent.putExtra(
+        "negativeButtonText",
+        call.getString("negativeButtonText")
+      );
+    }
-    boolean useFallback = call.getBoolean("useFallback", false);
+    if (call.hasOption("maxAttempts")) {
+      intent.putExtra("maxAttempts", call.getInt("maxAttempts"));
+    }
-    if (useFallback && Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
-      KeyguardManager keyguardManager = (KeyguardManager) getActivity()
-        .getSystemService(Context.KEYGUARD_SERVICE);
-      useFallback = keyguardManager.isDeviceSecure();
+    boolean useFallback = Boolean.TRUE.equals(
+      call.getBoolean("useFallback", false)
+    );
+    if (useFallback) {
+      useFallback = this.deviceHasCredentials();
     }
     intent.putExtra("useFallback", useFallback);
@@ -181,14 +197,17 @@ public class NativeBiometric extends Plugin {
             Context.MODE_PRIVATE
           )
           .edit();
-        editor.putString("username", encryptString(username, KEY_ALIAS));
-        editor.putString("password", encryptString(password, KEY_ALIAS));
+        editor.putString(
+          KEY_ALIAS + "-username",
+          encryptString(username, KEY_ALIAS)
+        );
+        editor.putString(
+          KEY_ALIAS + "-password",
+          encryptString(password, KEY_ALIAS)
+        );
         editor.apply();
         call.resolve();
-      } catch (GeneralSecurityException e) {
-        call.reject("Failed to save credentials", e);
-        e.printStackTrace();
-      } catch (IOException e) {
+      } catch (GeneralSecurityException | IOException e) {
         call.reject("Failed to save credentials", e);
         e.printStackTrace();
       }
@@ -206,8 +225,14 @@ public class NativeBiometric extends Plugin {
         NATIVE_BIOMETRIC_SHARED_PREFERENCES,
         Context.MODE_PRIVATE
       );
-    String username = sharedPreferences.getString("username", null);
-    String password = sharedPreferences.getString("password", null);
+    String username = sharedPreferences.getString(
+      KEY_ALIAS + "-username",
+      null
+    );
+    String password = sharedPreferences.getString(
+      KEY_ALIAS + "-password",
+      null
+    );
     if (KEY_ALIAS != null) {
       if (username != null && password != null) {
         try {
@@ -215,10 +240,10 @@ public class NativeBiometric extends Plugin {
           jsObject.put("username", decryptString(username, KEY_ALIAS));
           jsObject.put("password", decryptString(password, KEY_ALIAS));
           call.resolve(jsObject);
-        } catch (GeneralSecurityException e) {
-          call.reject("Failed to get credentials", e);
-        } catch (IOException e) {
-          call.reject("Failed to get credentials", e);
+        } catch (GeneralSecurityException | IOException e) {
+          // Can get here if not authenticated.
+          String errorMessage = "Failed to get credentials";
+          call.reject(errorMessage);
         }
       } else {
         call.reject("No credentials found");
@@ -232,22 +257,21 @@ public class NativeBiometric extends Plugin {
   private void verifyResult(PluginCall call, ActivityResult result) {
     if (result.getResultCode() == Activity.RESULT_OK) {
       Intent data = result.getData();
-      if (data.hasExtra("result")) {
+      if (data != null && data.hasExtra("result")) {
         switch (data.getStringExtra("result")) {
           case "success":
             call.resolve();
             break;
           case "failed":
+          case "error":
             call.reject(
               data.getStringExtra("errorDetails"),
               data.getStringExtra("errorCode")
             );
             break;
           default:
-            call.reject(
-              "Verification error: " + data.getStringExtra("result"),
-              data.getStringExtra("errorCode")
-            );
+            // Should not get to here unless AuthActivity starts returning different Activity Results.
+            call.reject("Something went wrong.");
             break;
         }
       }
@@ -272,13 +296,12 @@ public class NativeBiometric extends Plugin {
         editor.clear();
         editor.apply();
         call.resolve();
-      } catch (KeyStoreException e) {
-        call.reject("Failed to delete", e);
-      } catch (CertificateException e) {
-        call.reject("Failed to delete", e);
-      } catch (NoSuchAlgorithmException e) {
-        call.reject("Failed to delete", e);
-      } catch (IOException e) {
+      } catch (
+        KeyStoreException
+        | CertificateException
+        | NoSuchAlgorithmException
+        | IOException e
+      ) {
         call.reject("Failed to delete", e);
       }
     } else {
@@ -324,23 +347,39 @@ public class NativeBiometric extends Plugin {
     return new String(decryptedData, "UTF-8");
   }
+  @SuppressLint("NewAPI") // API level is already checked
   private Key generateKey(String KEY_ALIAS)
     throws GeneralSecurityException, IOException {
+    Key key;
+    try {
+      key = generateKey(KEY_ALIAS, true);
+    } catch (StrongBoxUnavailableException e) {
+      key = generateKey(KEY_ALIAS, false);
+    }
+    return key;
+  }
+  private Key generateKey(String KEY_ALIAS, boolean isStrongBoxBacked)
+    throws GeneralSecurityException, IOException, StrongBoxUnavailableException {
     if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
       KeyGenerator generator = KeyGenerator.getInstance(
         KeyProperties.KEY_ALGORITHM_AES,
         ANDROID_KEY_STORE
       );
-      generator.init(
-        new KeyGenParameterSpec.Builder(
-          KEY_ALIAS,
-          KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT
-        )
-          .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
-          .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
-          .setRandomizedEncryptionRequired(false)
-          .build()
-      );
+      KeyGenParameterSpec.Builder paramBuilder = new KeyGenParameterSpec.Builder(
+        KEY_ALIAS,
+        KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT
+      )
+        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
+        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
+        .setRandomizedEncryptionRequired(false);
+      if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
+        paramBuilder.setUnlockedDeviceRequired(true);
+        paramBuilder.setIsStrongBoxBacked(isStrongBoxBacked);
+      }
+      generator.init(paramBuilder.build());
       return generator.generateKey();
     } else {
       return getAESKey(KEY_ALIAS);
@@ -349,8 +388,8 @@ public class NativeBiometric extends Plugin {
   private Key getKey(String KEY_ALIAS)
     throws GeneralSecurityException, IOException {
-    KeyStore.SecretKeyEntry secretKeyEntry =
-      (KeyStore.SecretKeyEntry) getKeyStore().getEntry(KEY_ALIAS, null);
+    KeyStore.SecretKeyEntry secretKeyEntry = (KeyStore.SecretKeyEntry) getKeyStore()
+      .getEntry(KEY_ALIAS, null);
     if (secretKeyEntry != null) {
       return secretKeyEntry.getSecretKey();
     }
@@ -359,13 +398,11 @@ public class NativeBiometric extends Plugin {
   private KeyStore getKeyStore()
     throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException {
-    if (keyStore != null) {
-      return keyStore;
-    } else {
+    if (keyStore == null) {
       keyStore = KeyStore.getInstance(ANDROID_KEY_STORE);
       keyStore.load(null);
-      return keyStore;
     }
+    return keyStore;
   }
   private Key getAESKey(String KEY_ALIAS)
@@ -392,8 +429,8 @@ public class NativeBiometric extends Plugin {
   private KeyStore.PrivateKeyEntry getPrivateKeyEntry(String KEY_ALIAS)
     throws NoSuchProviderException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, CertificateException, KeyStoreException, IOException, UnrecoverableEntryException {
-    KeyStore.PrivateKeyEntry privateKeyEntry =
-      (KeyStore.PrivateKeyEntry) getKeyStore().getEntry(KEY_ALIAS, null);
+    KeyStore.PrivateKeyEntry privateKeyEntry = (KeyStore.PrivateKeyEntry) getKeyStore()
+      .getEntry(KEY_ALIAS, null);
     if (privateKeyEntry == null) {
       KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(
@@ -454,4 +491,11 @@ public class NativeBiometric extends Plugin {
     }
     return bytes;
   }
+  private boolean deviceHasCredentials() {
+    KeyguardManager keyguardManager = (KeyguardManager) getActivity()
+      .getSystemService(Context.KEYGUARD_SERVICE);
+    // Can only use fallback if the device has a pin/pattern/password lockscreen.
+    return keyguardManager.isDeviceSecure();
+  }
 }