Skip to content

Improve authentication callback for Wallet #40188

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
simoarpe opened this issue Aug 1, 2024 · 2 comments · Fixed by brave/brave-core#25104
Closed

Improve authentication callback for Wallet #40188

simoarpe opened this issue Aug 1, 2024 · 2 comments · Fixed by brave/brave-core#25104
Assignees
@simoarpe
Labels
feature/web3/wallet Integrating Ethereum+ wallet support OS/Android Fixes related to Android browser functionality priority/P2 A bad problem. We might uplift this to the next planned release. QA Pass - Android ARM QA/Yes release-notes/include security
Milestone
1.71.x - Release

Comments

@simoarpe
Copy link

simoarpe commented Aug 1, 2024
edited
Loading

Description

During onboarding process for Brave Wallet the authentication callback does not use its result for a cryptographic operation and this may lead a privileged malicious application to bypass it.

More info: https://github.com/brave/brave-core/security/code-scanning/161
Related to https://github.com/brave/brave-core/pull/24943/files

Update

Fingeprint authentication algorithm went through security review:
@simoarpe simoarpe added priority/P3 The next thing for us to work on. It'll ride the trains. feature/web3/wallet Integrating Ethereum+ wallet support OS/Android Fixes related to Android browser functionality labels Aug 1, 2024
@simoarpe simoarpe self-assigned this Aug 1, 2024
@simoarpe simoarpe mentioned this issue Aug 1, 2024
Merged
24 tasks
@diracdeltas
Copy link
Member

please tag @kdenhartog and @stoletheminerals for security review

@stoletheminerals stoletheminerals added priority/P2 A bad problem. We might uplift this to the next planned release. and removed priority/P3 The next thing for us to work on. It'll ride the trains. labels Aug 8, 2024
@simoarpe simoarpe mentioned this issue Aug 13, 2024
Merged
24 tasks
@brave-builds brave-builds added this to the 1.71.x - Nightly milestone Aug 16, 2024
@srirambv
Copy link
Contributor

srirambv commented Oct 1, 2024

Verification passed on Google Pixel 8 with Android 14 running 1.71.97 x64 Beta build

  • Verified steps from brave/brave-core#25104
  • Verified biometric unlock for Wallet works as expected
  • Verified able to unlock through biometric unlock when wallet is locked manually and unlock via double tap on wallet WebUI
  • Verified able to unlock wallet when Brave is removed from memory and relaunched

@hffvld hffvld mentioned this issue Oct 17, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@simoarpe simoarpe

Labels
feature/web3/wallet Integrating Ethereum+ wallet support OS/Android Fixes related to Android browser functionality priority/P2 A bad problem. We might uplift this to the next planned release. QA Pass - Android ARM QA/Yes release-notes/include security
Projects
None yet
Milestone
1.71.x - Release
Development

Successfully merging a pull request may close this issue.

(Wallet) Improve biometric authentication using cipher brave/brave-core
5 participants
@diracdeltas @simoarpe @stoletheminerals @srirambv @brave-builds