I would like to verify whether the authentication result (fingerprint match success or failure) genuinely comes from the security zone and the underlying fingerprint daemon when it is passed back to the user domain. From the document below, I think an auth token is used in the flow; however, I cannot find the implementation. Could anyone point me to any info?
I am looking at the document here: https://source.android.com/security/authentication
It describes the auth flow, divided into 4 steps. AuthToken is mentioned in the flow:
If authentication in the TEE is successful, Fingerprint in the TEE sends an AuthToken (signed with the AuthToken HMAC key) to its counterpart in the Android OS.

The daemon receives a signed AuthToken and passes it to the keystore service through an extension to the keystore service's Binder interface. (Step 3)

service passes the AuthTokens to Keymaster and verifies them using the key shared with the Gatekeeper and supported biometric TEE component. Keymaster trusts the timestamp in the token as the last authentication time and bases a key release decision (to allow an app to use the key) on the timestamp (Step
As Step 4 green portion highlights, AuthToken should be verified in key store.
But when I look into the Android sources, I find that the AuthToken is added to keystore in AuthenticationClient.onAuthenticated, but no further verification is explicitly executed.
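An added example (my own illustrative code, not from the AOSP sources or the linked document) of the check the quoted Step 4 describes: the TEE side signs the token fields with the shared HMAC key, and the verifying side checks the tag before trusting any field, then uses the timestamp for the freshness decision. Only a holder of the shared key can produce a tag that passes, which is what makes the result attributable to the TEE rather than to the user-space daemon. The field layout is modelled on Android's hw_auth_token_t and is an assumption here; the key, the authenticator type value and the timestamps are constructed for the example.

```python
import hashlib
import hmac
import struct

# Illustrative layout modelled on hw_auth_token_t (an assumption, not the
# page's code): version, challenge, user_id, authenticator_id,
# authenticator_type, timestamp, all big-endian, then a 32-byte HMAC-SHA256 tag.
HEADER_FMT = ">BQQQIQ"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 37 bytes
TAG_LEN = 32
TOKEN_VERSION = 0
AUTH_TYPE_FINGERPRINT = 2  # constructed value for this example


def sign_auth_token(key, challenge, user_id, authenticator_id,
                    authenticator_type, timestamp_ms):
    """TEE side: pack the fields and append an HMAC over them with the shared key."""
    header = struct.pack(HEADER_FMT, TOKEN_VERSION, challenge, user_id,
                         authenticator_id, authenticator_type, timestamp_ms)
    tag = hmac.new(key, header, hashlib.sha256).digest()
    return header + tag


def verify_auth_token(key, token, expected_challenge, now_ms, max_age_ms):
    """Verifier side (Keymaster in the document): returns (ok, reason).

    The tag is checked first, so no field is trusted before the token is known
    to come from a holder of the shared key. Only then is the timestamp used
    as the last-authentication time for the key release decision.
    """
    if len(token) != HEADER_LEN + TAG_LEN:
        return False, "bad length"
    header, tag = token[:HEADER_LEN], token[HEADER_LEN:]
    expected = hmac.new(key, header, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return False, "bad hmac"
    version, challenge, _user_id, _auth_id, auth_type, ts = struct.unpack(HEADER_FMT, header)
    if version != TOKEN_VERSION:
        return False, "unsupported version"
    if challenge != expected_challenge:
        return False, "challenge mismatch"
    if auth_type != AUTH_TYPE_FINGERPRINT:
        return False, "unexpected authenticator type"
    if ts > now_ms:
        return False, "timestamp in the future"
    if now_ms - ts > max_age_ms:
        return False, "stale"
    return True, "ok"


if __name__ == "__main__":
    shared_key = b"\x11" * 32  # constructed; in practice provisioned inside the TEE
    token = sign_auth_token(shared_key, 1234, 7, 99, AUTH_TYPE_FINGERPRINT, 1_000_000)
    print(verify_auth_token(shared_key, token, 1234, 1_000_500, 30_000))
    # A token forged by anyone without the shared key fails the tag check.
    forged = sign_auth_token(b"\x22" * 32, 1234, 7, 99, AUTH_TYPE_FINGERPRINT, 1_000_000)
    print(verify_auth_token(shared_key, forged, 1234, 1_000_500, 30_000))
    # Changing the timestamp after signing also fails the tag check.
    tampered = bytearray(token)
    tampered[HEADER_LEN - 1] ^= 1  # last byte of the timestamp field
    print(verify_auth_token(shared_key, bytes(tampered), 1234, 1_000_500, 30_000))
```

The two failure cases in the demo are the ones worth looking for in the real sources: a token produced without the shared key, and a token whose timestamp was altered after signing. Both should be rejected before the timestamp is used, and the key release decision should never be made on an unverified token.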