Android 6.0 and later support fingerprint unlock, but a fingerprint is inherently less secure than a password, so Android added the StrongAuth mechanism: in certain situations (for example after the phone restarts) the user must first unlock with the password before fingerprint unlock can be used again.
StrongAuth definitions
Lock-screen credential security involves two important classes, LockPatternUtils and LockSettingsService; the StrongAuth constants and interfaces are defined in these two classes. In addition, a dedicated class, LockSettingsStrongAuth.java, handles the core events.
LockPatternUtils.java defines a static inner class, StrongAuthTracker, which holds several very important constants:
```java
/**
 * Strong authentication is not required.
 */
public static final int STRONG_AUTH_NOT_REQUIRED = 0x0;

/**
 * Strong authentication is required because the user has not authenticated since boot.
 */
public static final int STRONG_AUTH_REQUIRED_AFTER_BOOT = 0x1;

/**
 * Strong authentication is required because a device admin has requested it.
 */
public static final int STRONG_AUTH_REQUIRED_AFTER_DPM_LOCK_NOW = 0x2;

/**
 * Some authentication is required because the user has temporarily disabled trust.
 */
public static final int SOME_AUTH_REQUIRED_AFTER_USER_REQUEST = 0x4;

/**
 * Strong authentication is required because the user has been locked out after too many
 * attempts.
 */
public static final int STRONG_AUTH_REQUIRED_AFTER_LOCKOUT = 0x8;

/**
 * Strong auth flags that do not prevent fingerprint from being accepted as auth.
 *
 * If any other flags are set, fingerprint is disabled.
 */
private static final int ALLOWING_FINGERPRINT = STRONG_AUTH_NOT_REQUIRED
        | SOME_AUTH_REQUIRED_AFTER_USER_REQUEST;
```
From the definitions of these constants it is easy to see that fingerprint unlock cannot be used in the following situations:
- after a system reboot: STRONG_AUTH_REQUIRED_AFTER_BOOT
- after a device admin lock: STRONG_AUTH_REQUIRED_AFTER_DPM_LOCK_NOW
- after too many failed attempts: STRONG_AUTH_REQUIRED_AFTER_LOCKOUT
In every other case fingerprint unlock is allowed.
We can also see that these constants are hexadecimal int bit flags that are combined with ALLOWING_FINGERPRINT using bitwise operations to decide whether fingerprint unlock is currently permitted, as StrongAuthTracker's public interface shows:
```java
/**
 * @return true if unlocking with fingerprint alone is allowed for {@param userId} by the
 * current strong authentication requirements.
 */
public boolean isFingerprintAllowedForUser(int userId) {
    return (getStrongAuthForUser(userId) & ~ALLOWING_FINGERPRINT) == 0;
}
```
The lock screen (Keyguard) extends this class and adds its own helpers to decide whether the system currently allows fingerprint unlock:
```java
public class StrongAuthTracker extends LockPatternUtils.StrongAuthTracker {
    public StrongAuthTracker(Context context) {
        super(context);
    }

    public boolean isUnlockingWithFingerprintAllowed() {
        int userId = getCurrentUser();
        return isFingerprintAllowedForUser(userId);
    }

    public boolean hasUserAuthenticatedSinceBoot() {
        int userId = getCurrentUser();
        return (getStrongAuthForUser(userId)
                & STRONG_AUTH_REQUIRED_AFTER_BOOT) == 0;
    }

    @Override
    public void onStrongAuthRequiredChanged(int userId) {
        notifyStrongAuthStateChanged(userId);
    }
}
```
How StrongAuth works
As mentioned above, LockSettingsStrongAuth.java holds the core handling logic. After boot, system_server starts and LockSettingsService instantiates a LockSettingsStrongAuth object; its constructor sets the corresponding flags from the system's configured default value:
```java
public LockSettingsStrongAuth(Context context) {
    mDefaultStrongAuthFlags = StrongAuthTracker.getDefaultFlags(context);
}

// StrongAuthTracker
public static @StrongAuthFlags int getDefaultFlags(Context context) {
    boolean strongAuthRequired = context.getResources().getBoolean(
            com.android.internal.R.bool.config_strongAuthRequiredOnBoot);
    return strongAuthRequired ? STRONG_AUTH_REQUIRED_AFTER_BOOT : STRONG_AUTH_NOT_REQUIRED;
}
```
Once initialisation is complete, the lock screen also connects to LockSettingsService: it extends the static class StrongAuthTracker and queries it to find out whether fingerprint unlock is currently allowed.
After the user successfully unlocks with the password, LockSettingsStrongAuth's reportUnlock method is called, which resets the flags:
```java
public void reportUnlock(int userId) {
    requireStrongAuth(STRONG_AUTH_NOT_REQUIRED, userId);
}
```
最后來到這個函數(shù)
```java
private void handleRequireStrongAuthOneUser(int strongAuthReason, int userId) {
    int oldValue = mStrongAuthForUser.get(userId, mDefaultStrongAuthFlags);
    int newValue = strongAuthReason == STRONG_AUTH_NOT_REQUIRED
            ? STRONG_AUTH_NOT_REQUIRED
            : (oldValue | strongAuthReason);
    if (oldValue != newValue) {
        mStrongAuthForUser.put(userId, newValue);
        notifyStrongAuthTrackers(newValue, userId);
    }
}
```
Whenever the new value differs from the old one, notifyStrongAuthTrackers notifies every class that extends the static class StrongAuthTracker:
```java
/**
 * Called when the strong authentication requirements for {@param userId} changed.
 */
public void onStrongAuthRequiredChanged(int userId) {
}
```
The other cases work the same way: they all end up calling handleRequireStrongAuthOneUser to change the current flags.
What changed in 8.0
Three situations in which fingerprint unlock is unavailable were described above, but the system has one more: the StrongAuth timeout, when the password has not been used for a long time. This feature is implemented inside the lock screen's KeyguardUpdateMonitor and is not directly reflected in LockSettingsService; the default period is three days:
```java
public boolean isUnlockingWithFingerprintAllowed() {
    return mStrongAuthTracker.isUnlockingWithFingerprintAllowed()
            && !hasFingerprintUnlockTimedOut(sCurrentUser);
}

/**
 * Default and maximum timeout in milliseconds after which unlocking with weak auth times out,
 * i.e. the user has to use a strong authentication method like password, PIN or pattern.
 *
 * @hide
 */
public static final long DEFAULT_STRONG_AUTH_TIMEOUT_MS = 72 * 60 * 60 * 1000; // 72h
```
In 8.0 this code moved into StrongAuthTracker, for security and encapsulation reasons. The code is not reproduced here; readers who are interested can look at the 8.0 source.
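The flag merging in handleRequireStrongAuthOneUser, the reset in reportUnlock, the ALLOWING_FINGERPRINT mask check and the 72h timeout can be put together into one small simulation. The following is an added example, not AOSP code: the class StrongAuthModel, its lastStrongAuthMs map and the method names reportStrongUnlock and isFingerprintAllowed are assumptions made for this demonstration, and the timeout is checked against an explicit nowMs argument rather than the Keyguard's scheduled callback.

```java
import java.util.HashMap;
import java.util.Map;
public class StrongAuthModel {
    static final int STRONG_AUTH_NOT_REQUIRED = 0x0;
    static final int STRONG_AUTH_REQUIRED_AFTER_BOOT = 0x1;
    static final int SOME_AUTH_REQUIRED_AFTER_USER_REQUEST = 0x4;
    static final int STRONG_AUTH_REQUIRED_AFTER_LOCKOUT = 0x8;
    static final int ALLOWING_FINGERPRINT = STRONG_AUTH_NOT_REQUIRED | SOME_AUTH_REQUIRED_AFTER_USER_REQUEST;
    static final long DEFAULT_STRONG_AUTH_TIMEOUT_MS = 72L * 60 * 60 * 1000; // 72h
    private final Map<Integer, Integer> flagsForUser = new HashMap<>();  // plays the role of mStrongAuthForUser
    private final Map<Integer, Long> lastStrongAuthMs = new HashMap<>(); // hypothetical: time of last password unlock
    private final int defaultFlags;
    StrongAuthModel(boolean strongAuthRequiredOnBoot) {
        // mirrors getDefaultFlags(): config_strongAuthRequiredOnBoot picks the boot-time state
        defaultFlags = strongAuthRequiredOnBoot ? STRONG_AUTH_REQUIRED_AFTER_BOOT : STRONG_AUTH_NOT_REQUIRED;
    }
    // mirrors handleRequireStrongAuthOneUser(): NOT_REQUIRED clears everything, any other reason is ORed in
    void requireStrongAuth(int reason, int userId) {
        int oldValue = flagsForUser.getOrDefault(userId, defaultFlags);
        int newValue = reason == STRONG_AUTH_NOT_REQUIRED ? STRONG_AUTH_NOT_REQUIRED : (oldValue | reason);
        if (oldValue != newValue) flagsForUser.put(userId, newValue);
    }
    // mirrors reportUnlock(): a successful password/PIN/pattern unlock resets the flags and the timeout clock
    void reportStrongUnlock(int userId, long nowMs) {
        requireStrongAuth(STRONG_AUTH_NOT_REQUIRED, userId);
        lastStrongAuthMs.put(userId, nowMs);
    }
    // mirrors isFingerprintAllowedForUser() combined with the KeyguardUpdateMonitor timeout check
    boolean isFingerprintAllowed(int userId, long nowMs) {
        int flags = flagsForUser.getOrDefault(userId, defaultFlags);
        boolean flagsAllow = (flags & ~ALLOWING_FINGERPRINT) == 0; // any bit outside the mask blocks fingerprint
        Long last = lastStrongAuthMs.get(userId);
        boolean timedOut = last != null && nowMs - last >= DEFAULT_STRONG_AUTH_TIMEOUT_MS;
        return flagsAllow && !timedOut;
    }
    public static void main(String[] args) {
        StrongAuthModel m = new StrongAuthModel(true);
        long t = 0;
        System.out.println("after boot:            " + m.isFingerprintAllowed(0, t));
        m.reportStrongUnlock(0, t);
        System.out.println("after password unlock: " + m.isFingerprintAllowed(0, t));
        m.requireStrongAuth(SOME_AUTH_REQUIRED_AFTER_USER_REQUEST, 0); // user disabled trust: not in the blocking set
        System.out.println("after user request:    " + m.isFingerprintAllowed(0, t));
        m.requireStrongAuth(STRONG_AUTH_REQUIRED_AFTER_LOCKOUT, 0);    // too many failed attempts
        System.out.println("after lockout:         " + m.isFingerprintAllowed(0, t));
        m.reportStrongUnlock(0, t);
        System.out.println("72h after last unlock: " + m.isFingerprintAllowed(0, t + DEFAULT_STRONG_AUTH_TIMEOUT_MS));
    }
}
```

Running main walks through the boot, password-unlock, user-request, lockout and timeout states in turn, so the output shows which transitions clear the flags and which merely add bits to them.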