What I'm trying to achieve is a confirmation of transaction (not payment) with a fingerprint sensor. Pretty much like Google does in its Play store:
- Chose a product, click pay
- Approve your choice with a fingerprint scan
What I feel is that Google uses this only on the client side, without any confirmation on the backend that fingerprint was really asked by the app.
In my case, it's required to provide a proof to the backend that the fingerprint was really asked. To do so I:
- Gen key pair
- Enroll a public key to the backend
- Write a private key to the secure key storage and bind it to the fingerprint
so that next time I need a transaction approval I:
- Ask a user to provide a fingerprint, receive a private key
- Sign the transaction with the private key
- Validate tx with the public key on the backend
But here comes two ideas why it may be not secure:
- The client (android/ios) application can be altered to JMP around fingerprint call and don't bind a key to the fingerprint at all.
- Fingerprint & key storage can be emulated e.g. in Android VD
In both cases, the backend will have no idea the fingerprint call was walked around as it's just validating the data by signature.
I'm by no means a mobile platform (security) expert and I'm trying to figure out whether those attacks are really valid/likely to occur and is it somehow possible to protect against them?