Unlocking vault by fingerprint crashes Cryptomator app immediately

Problem: Unlocking my cloud vaults (didn’t test any local vault, now that I think of it) by fingerprint crashes the app immediately, same after reinstall, cleaning cache etc.
Password unlock does work.
Working on Samsung Galaxy S7
I sent the log file to support by email, via the Cryptomator app

Hey and welcome to the Cryptomator Community :slightly_smiling_face:,

Thanks for the log file. The interesting part is:

D	20210217041707.180	PrepareUnlockUseCase	finished 2de16f33
D	20210217041712.110	BiometricAuthentication	Authentication finished successfully
E	20210217041712.117	CrashLogging	java.lang.RuntimeException: java.lang.reflect.InvocationTargetException
	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:1374)
Caused by: java.lang.reflect.InvocationTargetException
	at java.lang.reflect.Method.invoke(Native Method)
	at com.android.internal.os.Zygote$MethodAndArgsCaller.run(Zygote.java:327)
	... 1 more
Caused by: javax.crypto.IllegalBlockSizeException
	at android.security.keystore.AndroidKeyStoreCipherSpiBase.engineDoFinal(AndroidKeyStoreCipherSpiBase.java:519)
	at javax.crypto.Cipher.doFinal(Cipher.java:1736)
	at org.cryptomator.util.crypto.BiometricAuthCryptor.decrypt(BiometricAuthCryptor.java:49)
	at org.cryptomator.presentation.util.BiometricAuthentication$startListening$1.onAuthenticationSucceeded(BiometricAuthentication.kt:78)
	at androidx.biometric.FingerprintHelperFragment$1$3.run(FingerprintHelperFragment.java:198)
	at android.os.Handler.handleCallback(Handler.java:789)
	at android.os.Handler.dispatchMessage(Handler.java:98)
	at android.os.Looper.loop(Looper.java:164)
	at android.app.ActivityThread.main(ActivityThread.java:6944)
	... 3 more
Caused by: android.security.KeyStoreException: Key user not authenticated
	at android.security.KeyStore.getKeyStoreException(KeyStore.java:1137)
	at android.security.keystore.KeyStoreCryptoOperationChunkedStreamer.update(KeyStoreCryptoOperationChunkedStreamer.java:132)
	at android.security.keystore.KeyStoreCryptoOperationChunkedStreamer.doFinal(KeyStoreCryptoOperationChunkedStreamer.java:217)
	at android.security.keystore.AndroidKeyStoreCipherSpiBase.engineDoFinal(AndroidKeyStoreCipherSpiBase.java:506)
	... 11 more

The log file looks super weird. First it says biometric auth was successful, then we got a KeyStoreException with the message Key user not authenticated wrapped in an IllegalBlockSizeException.

Did you add/change the fingerprints in your phone after setting up the biometric auth in Cryptomator? Normally Android is designed to throw a KeyPermanentlyInvalidatedException, but I searched around and found some interesting reports: Google search. One good starting point is this. Maybe on your device we run into the following bug in Android: https://issuetracker.google.com/issues/65578763. As Google marked it as won’t fix, we’ll see what we can do, but first the following question would be interesting: Did you add/change the fingerprints in your phone after setting up the biometric auth in Cryptomator?

Ah, and maybe some more background information: Throwing the KeyPermanentlyInvalidatedException is a security feature of the OS, because someone with access to your phone could have added their finger to the OS and would then have access to e.g. your Cryptomator vault as well. That is the reason why Android then invalidates all keys, which in the case of Cryptomator means that you have to set up all vaults again for unlocking using biometric authentication, but this ensures that no one can gain access to your vault.


Thanks for your review!
To my knowledge I haven’t changed biometrics after installing the Cryptomator app. I think I remember this first happened before doing a clean install of the OS after an OS update.
Is there a way we can isolate the problem?
First thing I may try is

  1. Deleting the app
  2. Deleting the fingerprints
  3. Reinstall app
  4. Configure fingerprint
  5. Enable fingerprint-unlock.

Yes, normally it is enough to delete the app, which also deletes all key material, but as we noticed, your system currently acts a bit weird, so it wouldn’t hurt to also delete the fingerprints. I’m curious to see what the results of your test will be.

Using the latest preview of Android (12 / code name S) I was able to reproduce your error: KeyStoreException wrapped in an IllegalBlockSizeException :flushed:

Even when I deleted all our key material from the keystore I get the same error :thinking:. The same problem is shown when using the BiometricAuthentication sample app of Google. The app just catches this exception and logs an error MainActivity.kt#L220.

com.example.android.fingerprintdialog D/MainActivity: Authentication was successful
com.example.android.fingerprintdialog W/System.err: javax.crypto.IllegalBlockSizeException
com.example.android.fingerprintdialog W/System.err:     at android.security.keystore.AndroidKeyStoreCipherSpiBase.engineDoFinal(AndroidKeyStoreCipherSpiBase.java:519)
com.example.android.fingerprintdialog W/System.err:     at javax.crypto.Cipher.doFinal(Cipher.java:2055)
com.example.android.fingerprintdialog W/System.err:     at com.example.android.biometricauth.MainActivity.tryEncrypt(MainActivity.kt:216)
com.example.android.fingerprintdialog W/System.err:     at com.example.android.biometricauth.MainActivity.onPurchased(MainActivity.kt:192)
com.example.android.fingerprintdialog W/System.err:     at com.example.android.biometricauth.MainActivity$createBiometricPrompt$callback$1.onAuthenticationSucceeded(MainActivity.kt:302)
com.example.android.fingerprintdialog W/System.err:     at androidx.biometric.BiometricFragment$2$2.run(BiometricFragment.java:138)
com.example.android.fingerprintdialog W/System.err:     at android.os.Handler.handleCallback(Handler.java:938)
com.example.android.fingerprintdialog W/System.err:     at android.os.Handler.dispatchMessage(Handler.java:99)
com.example.android.fingerprintdialog W/System.err:     at android.os.Looper.loopOnce(Looper.java:201)
com.example.android.fingerprintdialog W/System.err:     at android.os.Looper.loop(Looper.java:288)
com.example.android.fingerprintdialog W/System.err:     at android.app.ActivityThread.main(ActivityThread.java:7729)
com.example.android.fingerprintdialog W/System.err:     at java.lang.reflect.Method.invoke(Native Method)
com.example.android.fingerprintdialog W/System.err:     at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:548)
com.example.android.fingerprintdialog W/System.err:     at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:974)
com.example.android.fingerprintdialog W/System.err: Caused by: android.security.KeyStoreException: Key user not authenticated

With my preview you could argue that this is the first version of Android 12, but together with your stack trace and Google knowing about such an issue, this is really very concerning!!!


Thank you for your reply! Those sound like interesting results. Yesterday I

  1. deleted the bio-auth from Cryptomator,
  2. deleted Cryptomator
  3. deleted Android fingerprints
  4. reinstalled Cryptomator
  5. added the vaults
  6. added fingerprints to Android
  7. activated bio-auth in Cryptomator

Now bio-auth works again, it unlocks the vault without error

I’m curious whether this error starts to come up again after a while, but for now it works, should I send my log.zip again?
I’ll keep my fingerprints the same, and try to notice when it’s broken again.

I’m glad it’s working for you again and thanks for sharing.

No thanks but if it shows up again it would be great to get a log file.

Thanks for looking into this, curious to know if we accidentally found some underlying problem here. Later today I may try to add a fingerprint in Android to see if that breaks it again. With or without deactivating fingerprint unlock in Cryptomator. I’ll post it here.


On my emulator, the only thing which helped was removing the need for user authentication to access the key material. If I set the flag in BiometricAuthCryptor.java#L25 to false, which leads to a key builder with setUserAuthenticationRequired(false), this works as expected, but it weakens the security of the key material stored in the keystore, which will not make it into our app. With this flag enabled, the app can only access the key material if the user has previously authenticated against the operating system.

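The two failure paths discussed in this thread, as an added example that is not Cryptomator’s code and not from the posts above: a user-auth-bound AES key in the Android keystore (the setUserAuthenticationRequired(true) setting the reply above refuses to weaken), the documented KeyPermanentlyInvalidatedException raised at Cipher.init() after a fingerprint is added, and the undocumented case from the stack traces, where init() succeeds, the prompt reports success, and doFinal() then throws IllegalBlockSizeException wrapping the keystore’s "Key user not authenticated". The key alias, the Result callback interface, and the decision to treat that second case like an invalidated key (delete the key and ask the user to re-enrol instead of crashing) are assumptions made for this example; the class-name check is used because android.security.KeyStoreException is not public API on the Android releases in the traces.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import androidx.biometric.BiometricPrompt;
import androidx.core.content.ContextCompat;
import androidx.fragment.app.FragmentActivity;

import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

/** Added example, not Cryptomator code: a user-auth-bound keystore key and both failure paths. */
public final class BiometricKeyExample {
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String ALIAS = "example-vault-key";      // assumed alias for this example
    private static final String TRANSFORM = "AES/CBC/PKCS7Padding";

    /** Run once when the user enables biometric unlock. */
    static void generateKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
        kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
                .setUserAuthenticationRequired(true)        // keystore refuses the op without a fresh auth
                .setInvalidatedByBiometricEnrollment(true)  // a newly enrolled fingerprint kills the key
                .build());
        kg.generateKey();
    }

    /** Wipes the key so the next unlock attempt falls back to password and re-enrolment. */
    static void deleteKey() throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        ks.deleteEntry(ALIAS);
    }

    /** Path 1: the documented invalidation surfaces here, before any prompt is shown. */
    static Cipher initDecryptCipher(byte[] iv) throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        SecretKey key = (SecretKey) ks.getKey(ALIAS, null);
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        try {
            cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        } catch (KeyPermanentlyInvalidatedException e) {
            deleteKey();   // enrolment changed: discard the key, caller asks the user to re-enrol
            throw e;
        }
        return cipher;
    }

    /** Assumed callback interface for this example. */
    interface Result {
        void unlocked(byte[] plaintext);
        void needsReenrollment();
    }

    /** Path 2: init() succeeded, auth "succeeded", and doFinal() still fails as in the thread's traces. */
    static void unlock(FragmentActivity activity, byte[] iv, byte[] ciphertext, Result result) throws Exception {
        Cipher cipher = initDecryptCipher(iv);
        BiometricPrompt.PromptInfo info = new BiometricPrompt.PromptInfo.Builder()
                .setTitle("Unlock vault")
                .setNegativeButtonText("Use password")
                .build();
        BiometricPrompt prompt = new BiometricPrompt(activity, ContextCompat.getMainExecutor(activity),
                new BiometricPrompt.AuthenticationCallback() {
                    @Override
                    public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult r) {
                        try {
                            // The CryptoObject's cipher is the one bound to this authentication.
                            result.unlocked(r.getCryptoObject().getCipher().doFinal(ciphertext));
                        } catch (IllegalBlockSizeException e) {
                            // Keystore's "Key user not authenticated" arrives wrapped in this exception.
                            // Assumption: treat it like an invalidated key rather than letting the app crash.
                            Throwable cause = e.getCause();
                            if (cause != null
                                    && "android.security.KeyStoreException".equals(cause.getClass().getName())) {
                                try { deleteKey(); } catch (Exception ignored) { }
                                result.needsReenrollment();
                            } else {
                                throw new IllegalStateException(e);   // genuine ciphertext/padding problem
                            }
                        } catch (Exception e) {
                            throw new IllegalStateException(e);
                        }
                    }
                });
        prompt.authenticate(info, new BiometricPrompt.CryptoObject(cipher));
    }
}
```

The point of keeping setUserAuthenticationRequired(true) is that the keystore, not the app, enforces the authentication: without it a copy of the app's process memory or a rooted device could use the key freely. The cost is that the app has to handle both exceptions, and with the Android bug referenced above the second one can appear even when the user's fingerprints have not changed.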
  1. I added an extra fingerprint to Android, without disabling bio-auth in Cryptomator.
     Instant crash after using fingerprint to unlock a vault again. Same after disabling/enabling bio-auth in the app.
  2. The same happens when I first disable bio-auth in Cryptomator, and re-enable it after adding the fingerprint.

After reinstalling the app, adding the vaults, enabling bio-auth, they unlock properly again.

I sent the log file from after crashing to support by email, via the Cryptomator app, with the link to this topic in its description

Thanks for further testing and the log. Indeed, it looks quite similar:

Caused by: javax.crypto.IllegalBlockSizeException
	at android.security.keystore.AndroidKeyStoreCipherSpiBase.engineDoFinal(AndroidKeyStoreCipherSpiBase.java:519)
	at javax.crypto.Cipher.doFinal(Cipher.java:1736)
	at org.cryptomator.util.crypto.BiometricAuthCryptor.decrypt(BiometricAuthCryptor.java:55)
	at org.cryptomator.presentation.util.BiometricAuthentication$startListening$1.onAuthenticationSucceeded(BiometricAuthentication.kt:79)
	at androidx.biometric.BiometricFragment$9.run(BiometricFragment.java:907)
	at android.os.Handler.handleCallback(Handler.java:789)
	at android.os.Handler.dispatchMessage(Handler.java:98)
	at android.os.Looper.loop(Looper.java:164)
	at android.app.ActivityThread.main(ActivityThread.java:6944)
	... 3 more
Caused by: android.security.KeyStoreException: Key user not authenticated
	at android.security.KeyStore.getKeyStoreException(KeyStore.java:1137)
	at android.security.keystore.KeyStoreCryptoOperationChunkedStreamer.update(KeyStoreCryptoOperationChunkedStreamer.java:132)
	at android.security.keystore.KeyStoreCryptoOperationChunkedStreamer.doFinal(KeyStoreCryptoOperationChunkedStreamer.java:217)
	at android.security.keystore.AndroidKeyStoreCipherSpiBase.engineDoFinal(AndroidKeyStoreCipherSpiBase.java:506)
	... 11 more

Will create a hint for this in docs.cryptomator.org/. We could actually work around this by tracking the number of fingerprints currently enabled in the system; when that changed and this exception is thrown, behave as when a KeyPermanentlyInvalidatedException is thrown. But this would need to use reflection (no public API, and reflection is ugly), and if someone added and then deleted one, this wouldn’t be tracked as a change. So in my opinion there is nothing we can do except document your workaround.

But thanks again for your log; I stumbled there upon a minor hiccup which is solved in https://github.com/cryptomator/android/issues/275
