Salesforce SDK security bug related to biometric

[malaynagarro]

We are facing one issue with the salesforce connected android application

steps are as followed

1:- Launch the application.
2: - Login into the application.
3: - Application ask for set passcode and finger print.
4: - Kill the application and relaunch the application.
5: - Skip the finger print authentication and move the application in background.
6: - Trying launching the application by clicking on the app icon.
7: - App doesn't ask for finger print scan and get into to dashboard screen of the application.
Expected behavior: -after point 6 it should ask for the finger print scan and then navigate user to the dashboard

override fun onCreate(savedInstanceState: Bundle?) {
        window.requestFeature(Window.FEATURE_ACTION_BAR)
        supportActionBar?.hide()
        super.onCreate(savedInstanceState)
        findViewById<Toolbar>(R.id.toolbar)?.run {
            setNavigationIcon(R.drawable.ic_login_back)
            setNavigationOnClickListener {
                backToLauncher()
            }
        }

        webView = findViewById(R.id.sf__oauth_webview)
//      textZoom should be set to 100 to prevent font scale as per system font
        webView.settings.textZoom = 100
        webView.setBackgroundColor(Color.parseColor("#FF025289"))
        webView.setLayerType(WebView.LAYER_TYPE_SOFTWARE, null)
        viewNoInternet = findViewById(R.id.vwNoInternet)
        viewNoInternet.findViewById<Button>(R.id.btnCancel).setOnClickListener {
            backToLauncher()
        }
        updateNoInternetVisibility()
    }

  override fun onResume() {
        super.onResume()
        window.run {
            val isLight = resources.getBoolean(R.bool.isLightMode)
            val barColor =
                ContextCompat.getColor(context, R.color.surface_color)
            WindowInsetsControllerCompat(this, decorView).run {
                isAppearanceLightStatusBars = isLight
                isAppearanceLightNavigationBars = isLight
            }
            statusBarColor = barColor
            navigationBarColor = barColor
        }
    }

Seems like a salesforce SDK security bug looking for the urgent help

the application is working as expected if we try the same pattern of authentication as stated above after 15 min

[brandonpage]

@malaynagarro What version of SDK are you using? I am unable to reproduce this on the latest so I would urge you to upgrade.

[depushpendra]

@brandonpage We are using Salesforce SDK version 11.0.1. I am able to replicate this issue. can we have a quick connect so that we can help you in reproduce this issue?

[malaynagarro]

Hi @brandonpage ,

As suggested, we have upgraded to the latest Salesforce SDK version. However, the issue still persists. Even when we have not respond to the biometric prompt and move the app to the background, the Connected App seems to bypass the biometric check and directly takes us into the application. The expected behavior is that the app should prompt for biometric authentication again before allowing access the whole app.

Could you please suggest the appropriate changes or recommended implementation for the onResume() method to ensure that authentication is enforced consistently when the app is resumed?
override fun onResume() { super.onResume() }

Expecting a early response from you as we are facing a security issue. Thank you in advance

[malaynagarro]

hey @brandonpage

any update on the above query

[malaynagarro]

hey @brandonpage @cromwellryan @mars @wmathurin

I’m writing on the biometric authentication issue we’re encountering with the Salesforce Connected Android application, as previously discussed. We’ve already upgraded to the latest Salesforce SDK as suggested, but the issue still persists.
any updates from your side?

[brandonpage]

@depushpendra @malaynagarro Apologies for the delay and lack of communication, the team has been very busy lately.

This bug went unnoticed because it only affects React Native apps, despite all of the related code being in the native layer. I have fixed the issue with this PR. The fix will be included in Mobile SDK 13.1, which will be out within the next couple weeks. If this somehow does not fix the issue in your app or there are other complications feel free to reopen this issue.