[expo-local-authentication] Add method to know enrolled security level of device

[mickamy]

Why

Some apps wants to know local authentication security level on a device.

Providing this information may be helpful for those

• who wants to advise a device owner to use more secure authentication
• who wants to check if any local authentication is been set (who does not care if it is biometric auth or whatever)

How

API design

I basically followed to @LinusU's API proposal at #7032 (comment).
getEnrolledLevelAsync returns enum representing security level NONE, SECRET and BIOMETRIC, which seems very reasonsable.
Big up to @LinusU 🎉

iOS

I used LAPolicyDeviceOwnerAuthentication to know if any authentication is available. And LAPolicyDeviceOwnerAuthenticationWithBiometrics for biometrics.

Android

for SDK_VERSION >= M

• To detect if device has an enrolled authentication, I used KeyguardDeviceManager#isDeviceSecure(), which is the very method recommended in BiometricPrompt documentation.
• To detect if device has an enrolled biometric authentication, I used BiometricManager#canAuthenticate(). It is same on prior to M.

for SDK_VERSION < M

Sadly, KeyguardDeviceManager#isDeviceSecure() is not supported on devices prior to Android M. The most similar API I found was isKeyguardSecure(), but it counts in SIM lock state, which is not very ideal. Because SIM lock is not where BiometricPrompt authentication falls back to.

Newer version (>= 1.1.0-alpha01) of androidx.biometric library has an introduced BiometricManager#canAuthenticate(int), which may be an option, but it is not a stable release version yet.

[update: 21/02/02]
Stable version of androidx.biometric v1.1.0 came out, but calling BiometricManager#canAuthenticate with BiometricManager.Authenticators.DEVICE_CREDENTIAL alone is not supported prior to API 30.
So we still need to use KeyguardManager#isKeyguardSecure() on devices prior to M.

Test Plan

I though I could use app/sandbox for testing, but I could not make it run. So I tested it on my own bare app and applied patch to it. Here is some screenshots of the result.

	No authentication	Passcode/PIN/Pattern or other non biometrics	TouchID/FaceID or other biometrics
iOS
Android

Here is the code I used on testing

import {
  Text,
  AppState,
  View,
  StyleSheet,
  Modal,
  TouchableHighlight,
  Button,
  Platform,
} from 'react-native';
import Constants from 'expo-constants';
import * as LocalAuthentication from 'expo-local-authentication';

const styles = StyleSheet.create({
  container: {
    alignContent: 'center',
    flex: 1,
    justifyContent: 'center',
    padding: 8,
    paddingTop: Constants.statusBarHeight,
  },
  innerContainer: {
    alignItems: 'center',
    flex: 1,
    justifyContent: 'center',
    marginTop: '30%',
  },
  modal: {
    alignItems: 'center',
    flex: 1,
    justifyContent: 'center',
    marginTop: '90%',
  },
  text: {
    alignSelf: 'center',
    fontSize: 22,
    paddingTop: 20,
  },
});

export default class LocalAuthTest extends React.Component {
  state = {
    appState: null,
    authenticated: false,
    enrolledLevel: null,
    failedCount: 0,
    modalVisible: false,
  };

  componentDidMount() {
    AppState.addEventListener('change', this.handleAppStateChange);
    this.checkDeviceSecurity();
  }

  componentWillUnmount() {
    AppState.removeEventListener('change', this.handleAppStateChange);
  }

  handleAppStateChange = nextAppState => {
    if (
      this.state.appState &&
      this.state.appState.match(/inactive|background/) &&
      nextAppState === 'active'
    ) {
      this.checkDeviceSecurity();
    }
    this.setState({appState: nextAppState});
  };

  async checkDeviceSecurity() {
    const level = await LocalAuthentication.getEnrolledLevelAsync();
    switch (level) {
      case 0:
        this.setState({enrolledLevel: 'SecurityLevel.NONE'});
        break;
      case 1:
        this.setState({enrolledLevel: 'SecurityLevel.SECRET'});
        break;
      case 2:
        this.setState({enrolledLevel: 'SecurityLevel.BIOMETRIC'});
        break;
    }
  }

  clearState = () => {
    this.setState({authenticated: false, failedCount: 0});
  };

  scanFingerPrint = async () => {
    try {
      const results = await LocalAuthentication.authenticateAsync();
      if (results.success) {
        this.setState({
          authenticated: true,
          failedCount: 0,
        });
      } else {
        this.setState(prev => {
          return {
            failedCount: prev.failedCount + 1,
          };
        });
      }
    } catch (e) {
      console.log(e);

      if (Platform.OS === 'android') {
        await LocalAuthentication.cancelAuthenticate().catch(e => console.log(e));
      }
    }
  };

  render() {
    return (
      <View style={[styles.container, {backgroundColor: 'white'}]}>
        {this.state.enrolledLevel && <Text style={styles.text}>{this.state.enrolledLevel}</Text>}
        <Button
          title={
            this.state.authenticated
              ? 'Reset and begin Authentication again'
              : 'Begin Authentication'
          }
          onPress={() => {
            this.clearState();
            this.scanFingerPrint();
          }}
        />

        {this.state.authenticated && <Text style={styles.text}>Authentication Successful! 🎉</Text>}
      </View>
    );
  }
}

[mickamy]

Stable version of androidx.biometric is out today (version 1.1.0), so it might be a first option.
https://developer.android.com/jetpack/androidx/releases/biometric

It deprecates some methods used in expo-local-authentication though. (e.g. BiometricManager#canAuthenticate() and BiometricPrompt.PromptInfo.Builder#setDeviceCredentialAllowed(boolean)

I can update and replace some deprecated function usage if that's OK to members of expo :)

[lukmccall]

That would be nice ;)
What do you think? cc @byCedric

[mickamy]

@lukmccall @byCedric
Updated androidx.biometric library at 37ad0c9...67ba846

At first, I thought I could call BiometricManager#canAuthenticate(int) with BiometricManager.Authenticators#DEVICE_CREDENTIAL alone.
But it turned out that DEVICE_CREDENTIAL alone was not supported prior to API 30.
So we need to use KeyguardManager#isKeyguardSecure() still.

Note that not all combinations of authenticator types are supported prior to Android 11 (API 30). Specifically, DEVICE_CREDENTIAL alone is unsupported prior to API 30

https://developer.android.com/reference/androidx/biometric/BiometricManager#canAuthenticate(int)

---

btw I can split PR into API addition and library update, if you want to :)

[lukmccall]

It isn't a big PR so you don't have to split it ;)

[lukmccall]

That is awesome 🚀🚀🚀
Thanks for your contribution 🥇

[mickamy]

@lukmccall @byCedric
Is there anything I can do to get this to be merged?

[lukmccall]

One more thing and it'll good to go 😉

Could you update the documentation page?

[lukmccall]

Ohh I almost forgot about the changelog 😅
Please, add an changelog entry too -> https://github.com/expo/expo/blob/master/packages/expo-local-authentication/CHANGELOG.md

[mickamy]

Thanks @lukmccall !
Done it at 46b4287