Biometric local authentication such as fingerprint recognition can be used to protect sensitive data or actions within an application. However, if the authentication result is not tied to a KeyStore-backed key, the check is only a decision made in application code: the success callback can be invoked directly, or the result flag patched, by a privileged malicious application, or by an attacker with physical access using an application hooking tool such as Frida.

Generate a secure key in the Android KeyStore with `setUserAuthenticationRequired(true)`, so that the KeyStore will only perform operations with that key after the user has authenticated. Pass a `Cipher` (or `Signature`/`Mac`) initialised with the key to the biometric prompt as a `CryptoObject`, and ensure that the `onAuthenticationSucceeded` callback uses the `CryptoObject` returned in the result in a way that is required for the sensitive parts of the application to function, such as decrypting sensitive data or credentials. Because the KeyStore refuses the operation without a successful authentication, the check can no longer be skipped by hooking the callback.

In the following (bad) case, no CryptoObject is required for the biometric prompt to grant access, so it can be bypassed.

In the following (good) case, a secret key is generated in the Android KeyStore. The application requires this secret key for access, using it to decrypt data.
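As an added example (not the page's own bad and good snippets), the following Java class puts the bypassable pattern next to the KeyStore-bound one, using `androidx.biometric`. The alias `vault_key`, the `revealSecret` UI sink and the caller that stores the GCM IV alongside the ciphertext are assumptions made for this illustration.

```java
// Added example, not the original page's code. Assumes androidx.biometric,
// a FragmentActivity host, and that the caller persists the GCM IV next to
// the ciphertext. ALIAS and revealSecret() are placeholders.
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import androidx.annotation.NonNull;
import androidx.biometric.BiometricManager;
import androidx.biometric.BiometricPrompt;
import androidx.core.content.ContextCompat;
import androidx.fragment.app.FragmentActivity;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public final class BiometricGate {
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String ALIAS = "vault_key";          // assumed alias
    private static final String TRANSFORM = "AES/GCM/NoPadding";

    private final FragmentActivity activity;

    public BiometricGate(FragmentActivity activity) { this.activity = activity; }

    private BiometricPrompt.PromptInfo promptInfo() {
        return new BiometricPrompt.PromptInfo.Builder()
                .setTitle("Unlock vault")
                .setNegativeButtonText("Cancel")
                // Class 3 only: weaker biometrics cannot authorise a keystore key.
                .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG)
                .build();
    }

    // BAD: success is just a branch in app code. Calling onAuthenticationSucceeded
    // from Frida (or patching the branch) reveals the secret without a biometric.
    public void unlockBad(byte[] storedSecret) {
        new BiometricPrompt(activity, ContextCompat.getMainExecutor(activity),
                new BiometricPrompt.AuthenticationCallback() {
                    @Override
                    public void onAuthenticationSucceeded(
                            @NonNull BiometricPrompt.AuthenticationResult result) {
                        revealSecret(storedSecret);   // no key is involved
                    }
                }).authenticate(promptInfo());         // no CryptoObject
    }

    // GOOD, step 1: generate the key once (e.g. at enrolment). Every operation
    // with it must be authorised by a biometric inside the same prompt.
    public static void generateKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
        kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setUserAuthenticationRequired(true)        // the essential line
                .setInvalidatedByBiometricEnrollment(true)  // new fingerprint => key dies
                .build());
        kg.generateKey();
    }

    // GOOD, step 2: the secret only exists as ciphertext; the prompt releases the
    // cipher, and the KeyStore refuses doFinal() unless the biometric really happened.
    public void unlockGood(byte[] iv, byte[] ciphertext) throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        SecretKey key = (SecretKey) ks.getKey(ALIAS, null);
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        try {
            cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        } catch (KeyPermanentlyInvalidatedException e) {
            // Enrolment changed: the data is unrecoverable with this key. Force
            // re-enrolment instead of silently falling back to a weaker check.
            ks.deleteEntry(ALIAS);
            throw e;
        }
        new BiometricPrompt(activity, ContextCompat.getMainExecutor(activity),
                new BiometricPrompt.AuthenticationCallback() {
                    @Override
                    public void onAuthenticationSucceeded(
                            @NonNull BiometricPrompt.AuthenticationResult result) {
                        BiometricPrompt.CryptoObject crypto = result.getCryptoObject();
                        if (crypto == null || crypto.getCipher() == null) return;
                        try {
                            revealSecret(crypto.getCipher().doFinal(ciphertext));
                        } catch (Exception e) {
                            // A hooked callback lands here: without the auth token the
                            // KeyStore rejects the operation, so nothing is revealed.
                        }
                    }
                }).authenticate(promptInfo(), new BiometricPrompt.CryptoObject(cipher));
    }

    private void revealSecret(byte[] plaintext) {
        // Placeholder sink: hand the plaintext to the UI or use the credential.
    }
}
```

Two caveats when adapting this. With per-use authentication (no validity duration set), `cipher.init` succeeds before the prompt and only `doFinal` is gated; if you instead call `setUserAuthenticationParameters` with a timeout, `init` itself throws `UserNotAuthenticatedException` until the user has authenticated, so the prompt must be shown first. And the protection is only as strong as the data binding: if the plaintext secret is also cached anywhere the app can read without the key, the KeyStore round trip adds nothing.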

  • OWASP Mobile Application Security: Android Local Authentication
  • OWASP Mobile Application Security: Testing Biometric Authentication
  • WithSecure: How Secure is your Android Keystore Authentication?
  • Android Developers: Biometric Authentication