Feature Request: biometric prompt to open Magisk app

[thx1200]

Request: provide an option to extend the biometric prompt to opening the Magisk app itself. This is to add a small extra layer of protection when an unlocked phone is handed to somebody else.

[osm0sis]

Yep, SuperSU used to have this, and I continue to miss it. 👍

[Displax]

Old @topjohnwu opinion
#533 (comment)

@THEb0nny you should protect your whole device with a strong lock screen password, have your data encrypted, and disable USB debugging. There is very little an app can do to protect itself since it is an application after all, it does not have the power to enforce any sense of security once your device is unlocked (implies data encryption decrypted) and exposed to others.

All "applock" stuffs are actually false security (although it is possible to block naive attackers e.g. your average Joe friend or your kid). I would consider adding this feature to Magisk Manager but not on my priority.

[osm0sis]

I mean that quote doesn't totally make sense in this context. A launcher "protecting" apps with a biometric prompt is easily circumventable by launching the app directly from Android Settings > Apps, yes, but a sensitive app itself keeping itself protected by a biometric prompt is obviously an improvement over one which does not, and is not easily circumventable, why else would Magisk use biometrics for granting root to apps?

[Displax]

I mean that quote doesn't totally make sense in this context. A launcher "protecting" apps with a biometric prompt is easily circumventable by launching the app directly from Android Settings > App, yes, but an app itself keeping itself protected by a biometric prompt is obviously an improvement over one which does not, and is not easily circumventable, why else would Magisk use biometrics for granting root to apps?

Completely agree

[thx1200]

Agree and disagree. App level locking can add layer of security, but yes it is not to be relied on solely, even when it's an included system component like in OxygenOS. It does have its place, particularly if the settings / launcher / install intents are protected as part of it. It's definitely not a hacker proof method, but it doesn't need to be if you also have device-level security enabled. It is mostly useful as a barrier to casual user who might be borrowing your phone.

But all that is outside the scope of this request. The root manager app itself is a special case and is a critical system-level component that should allow a required authentication prompt, similar to how you have to do when you enter the security settings in Android even if your screen/device is already unlocked.

[vvb2060]

When you grant root access to the file manager, all defenses are lost.

[XspeedPL]

When you grant root access to the file manager, all defenses are lost.

Then use biometric auth for all root requests. With that also asking for biometric when opening Magisk starts making sense.

[lbdroid]

Not necessarily just biometric, but whatever kind of security is enabled on the device. Any time that device security is enabled, Magisk should have security request defaulted to ON, this way clearing the application data won't provide a means of bypassing the request.

Note that Android security itself is protected in this manner. If you have lockscreen security enabled, then in order to alter lockscreen security settings, you need to authenticate.

@vvb2060 : Who would be stupid enough to provide permanent root access to a file manager?

[HuskyDG]

It's useful when we want to prevent other apps from surreptitiously getting root access, not users

[ziqixiao52]

Yes,I think it is nessary to add it.

[freebrowser1]

Magisk now does have a biometric authentication, but it would be useful when using a root shell (e.g. using sudo bash in Termux) would prompt for a password, just like in any Linux system.

[SX-9]

Magisk now does have a biometric authentication, but it would be useful when using a root shell (e.g. using sudo bash in Termux) would prompt for a password, just like in any Linux system.

i have enabled it but it will be nice if it does this for every request