react-native-biometrics
React Native biometric functionality for signing and encryption
React Native Biometrics is a simple bridge to native iOS and Android keystore management. It allows you to create public/private key pairs that are stored in native keystores and protected by biometric authentication. Those keys can then be retrieved later, after proper authentication, and used to create a cryptographic signature.
$ npm install react-native-biometrics --save
$ react-native link react-native-biometrics
In Xcode: Libraries ➜ Add Files to [your project's name]
Go to node_modules ➜ react-native-biometrics and add ReactNativeBiometrics.xcodeproj
Add libReactNativeBiometrics.a to your project's Build Phases ➜ Link Binary With Libraries
In android/app/src/main/java/[...]/MainApplication.java:
- Add import com.rnbiometrics.ReactNativeBiometricsPackage; to the imports at the top of the file
- Add new ReactNativeBiometricsPackage() to the list returned by the getPackages() method
In android/settings.gradle:
    include ':react-native-biometrics'
    project(':react-native-biometrics').projectDir = new File(rootProject.projectDir, '../node_modules/react-native-biometrics/android')
In android/app/build.gradle:
    compile project(':react-native-biometrics')
This package requires an iOS target SDK version of iOS 10 or higher.
Ensure that you have the NSFaceIDUsageDescription entry set in your React Native iOS project, or Face ID will not work properly. This description will be presented to the user the first time a biometrics action is taken, and the user will be asked if they want to allow the app to use Face ID. If the user declines the usage of Face ID for the app, the isSensorAvailable function will return null until the Face ID permission is specifically allowed for the app by the user.
This package requires a compiled SDK version of 23 (Android 6.0 Marshmallow) or higher
This package is designed to make server authentication using biometrics easier. Here is an image from https://android-developers.googleblog.com/2015/10/new-in-android-samples-authenticating.html illustrating the basic use case:
When a user enrolls in biometrics, a key pair is generated. The private key is stored securely on the device and the public key is sent to a server for registration. When the user wishes to authenticate, the user is prompted for biometrics, which unlocks the securely stored private key. Then a cryptographic signature is generated and sent to the server for verification. The server then verifies the signature. If the verification was successful, the server returns an appropriate response and authorizes the user.
A constant for the touch id sensor type, evaluates to 'TouchID'
Example
import Biometrics from 'react-native-biometrics'
if (biometryType === Biometrics.TouchID) {
  // do something fingerprint specific
}
A constant for the face id sensor type, evaluates to 'FaceID'
Example
import Biometrics from 'react-native-biometrics'
if (biometryType === Biometrics.FaceID) {
  // do something face id specific
}
Detects what type of biometric sensor is available. Returns a Promise that resolves to a string representing the sensor type (TouchID, FaceID, null)
Example
import Biometrics from 'react-native-biometrics'
Biometrics.isSensorAvailable()
  .then((biometryType) => {
    if (biometryType === Biometrics.TouchID) {
      console.log('TouchID is supported')
    } else if (biometryType === Biometrics.FaceID) {
      console.log('FaceID is supported')
    } else {
      console.log('Biometrics not supported')
    }
  })
Prompts the user for their fingerprint or face id, then generates a public/private RSA 2048 key pair that will be stored in the device keystore. Returns a Promise that resolves to a base64 encoded string representing the public key.
Arguments
promptMessage - optional string that will be displayed in the fingerprint or face id prompt. If no prompt message is provided, no prompt will be displayed.
Example
import Biometrics from 'react-native-biometrics'
Biometrics.createKeys('Confirm fingerprint')
  .then((publicKey) => {
    console.log(publicKey)
    sendPublicKeyToServer(publicKey)
  })
Deletes the generated keys from the device keystore. Returns a Promise that resolves to true or false indicating if the deletion was successful
Example
import Biometrics from 'react-native-biometrics'
Biometrics.deleteKeys()
  .then((success) => {
    if (success) {
      console.log('Successful deletion')
    } else {
      console.log('Unsuccessful deletion')
    }
  })
Prompts the user for their fingerprint or face id in order to retrieve the private key from the keystore, then uses the private key to generate an RSA PKCS#1 v1.5 SHA-256 signature. Returns a Promise that resolves to a base64 encoded string representing the signature.
NOTE: No biometric prompt is displayed in iOS simulators when attempting to retrieve keys for signature generation; it only occurs on actual devices.
Arguments
promptMessage - string that will be displayed in the fingerprint or face id prompt
payload - string of data to be signed by the RSA signature
Example
import Biometrics from 'react-native-biometrics'
let epochTimeSeconds = Math.round((new Date()).getTime() / 1000).toString()
let payload = epochTimeSeconds + 'some message'
Biometrics.createSignature('Sign in', payload)
  .then((signature) => {
    console.log(signature)
    verifySignatureWithServer(signature, payload)
  })
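The server half of the enrollment and authentication flow described above, as an added Node.js example that is not part of the package or its README: it verifies a createSignature result against the public key registered from createKeys and rejects payloads whose leading timestamp is stale. Assumptions: the base64 public key decodes to a DER SubjectPublicKeyInfo structure, the signature covers the UTF-8 bytes of the payload, the freshness window is 60 seconds, and the names verifySignedPayload, loadPublicKey and demoDevice are hypothetical.

```javascript
// Added example (not from the package): server-side verification of a signed payload.
const crypto = require('crypto')

const MAX_AGE_SECONDS = 60 // assumed freshness window, tune to your clock skew

// Assumption: the registered key is base64 of a DER SubjectPublicKeyInfo structure.
function loadPublicKey(publicKeyB64) {
  return crypto.createPublicKey({
    key: Buffer.from(publicKeyB64, 'base64'),
    format: 'der',
    type: 'spki'
  })
}

// Payload layout follows the page's example: 10-digit epoch seconds, then the message.
// Returns { ok, reason } so the caller can log why a login attempt was refused.
function verifySignedPayload(publicKeyB64, payload, signatureB64, nowSeconds) {
  const match = /^(\d{10})/.exec(payload)
  if (!match) return { ok: false, reason: 'malformed payload' }
  const age = nowSeconds - Number(match[1])
  if (age < -MAX_AGE_SECONDS || age > MAX_AGE_SECONDS) {
    return { ok: false, reason: 'stale timestamp' }
  }
  let valid = false
  try {
    // With an RSA key, 'RSA-SHA256' verifies PKCS#1 v1.5 padding by default.
    valid = crypto.verify(
      'RSA-SHA256',
      Buffer.from(payload, 'utf8'),
      loadPublicKey(publicKeyB64),
      Buffer.from(signatureB64, 'base64')
    )
  } catch (err) {
    return { ok: false, reason: 'bad key or signature encoding' }
  }
  return valid ? { ok: true, reason: 'verified' } : { ok: false, reason: 'bad signature' }
}

// Constructed stand-in for the device: a throwaway RSA 2048 key pair made in Node.
function demoDevice() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 })
  return {
    publicKeyB64: publicKey.export({ format: 'der', type: 'spki' }).toString('base64'),
    sign: (payload) =>
      crypto.sign('RSA-SHA256', Buffer.from(payload, 'utf8'), privateKey).toString('base64')
  }
}
```

A timestamp window only narrows the replay opportunity; a server that also remembers accepted payloads, or signs over a value it issued itself, closes it within the window.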
Prompts the user for their fingerprint or face id. Returns a Promise that resolves if the user provides a valid fingerprint or face id, otherwise the promise rejects.
NOTE: This only validates a user's biometrics. This should not be used to log a user in or authenticate with a server, instead use createSignature. It should only be used to gate certain user actions within an app.
Arguments
promptMessage - string that will be displayed in the fingerprint or face id prompt
Example
import Biometrics from 'react-native-biometrics'
Biometrics.simplePrompt('Confirm fingerprint')
  .then(() => {
    console.log('successful fingerprint provided')
  })
  .catch(() => {
    console.log('fingerprint failed or prompt was cancelled')
  })
FAQs
The npm package react-native-biometrics receives a total of 51,329 weekly downloads. As such, react-native-biometrics popularity was classified as popular.
We found that react-native-biometrics demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 4 open source maintainers collaborating on the project.