The application uses an insecure implementation of biometric authentication. The application uses the BIOMETRIC_WEAK authentication parameter to authenticate the user, which is designed for non-crypto-based authentication. This may not be sufficient for applications which require a higher level of security control.

Android provides a library called Biometric, which offers a compatible version of the BiometricPrompt and BiometricManager APIs. Two authentication methods are available in the BiometricPrompt class. One of them expects CryptoObject, which adds an extra layer of security for biometric authentication. The setAllowedAuthenticators method specifies the types of authenticators which should be called by BiometricPrompt to authenticate the user. The available authenticator types for biometrics are as follows:

Authenticators.BIOMETRIC_WEAK - for authentication not based on cryptography;
Authenticators.BIOMETRIC_STRONG - for authentication based on cryptographic methods.

Java : Insecure direct object references

DerScanner Severity Score

Do you want to fix Java : Insecure direct object references in your application?

See also