Biometric Transaction Protection in Mobile Crypto Wallet

TRUETECH is engaged in the development, support and maintenance of iOS, Android, PWA mobile applications. We have extensive experience and expertise in publishing mobile applications in popular markets like Google Play, App Store, Amazon, AppGallery and others.
Development and support of all types of mobile applications:
Information and entertainment mobile applications
News apps, games, reference guides, online catalogs, weather apps, fitness and health apps, travel apps, educational apps, social networks and messengers, quizzes, blogs and podcasts, forums, aggregators
E-commerce mobile applications
Online stores, B2B apps, marketplaces, online exchanges, cashback services, exchanges, dropshipping platforms, loyalty programs, food and goods delivery, payment systems.
Business process management mobile applications
CRM systems, ERP systems, project management, sales team tools, financial management, production management, logistics and delivery management, HR management, data monitoring systems
Electronic services mobile applications
Classified ads platforms, online schools, online cinemas, electronic service platforms, cashback platforms, video hosting, thematic portals, online booking and scheduling platforms, online trading platforms

These are just some of the types of mobile applications we work with, and each of them may have its own specific features and functionality, tailored to the specific needs and goals of the client.


Biometric Transaction Protection in Mobile Crypto Wallet

Biometric transaction confirmation is not just "add Face ID before sending." A wrong implementation gives false security: the app asks for Face ID, but after a rejection the transaction can still be confirmed another way, or biometry is checked only locally, with no cryptographic binding to the key.

Two Approaches — Fundamentally Different

Approach 1: Biometry as a UI gate. Show LAContext/BiometricPrompt and, on success, unlock the "Confirm" button. The private key sits in the Keychain without biometric protection. Weakness: bypass via hooking (Frida, Objection) by patching the evaluatePolicy method to return true. Unacceptable in a production wallet.

Approach 2: Biometry bound to the key. The private key (or the key that encrypts it) is stored in the Keychain/KeyStore with SecAccessControl.biometryCurrentSet (iOS) or setUserAuthenticationRequired(true) (Android). The cryptographic operation is impossible without successful biometry, and this is guaranteed by the OS, not by the app. Frida is helpless: the key is physically inaccessible without biometry at the SE/TEE level.

Use only the second approach for a wallet.

iOS: Cryptographically Bound Biometry

import Security

// Key usable only while a passcode is set, on this device only, and only after the
// currently enrolled biometrics succeed: re-enrolling a face or finger invalidates it.
let accessControl = SecAccessControlCreateWithFlags(
    nil,
    kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
    [.privateKeyUsage, .biometryCurrentSet],
    nil
)!
// Pass this as kSecAttrAccessControl in kSecPrivateKeyAttrs when generating the key
// with SecKeyCreateRandomKey; .privateKeyUsage is what the Secure Enclave requires.

Any attempt to use this key without biometry fails with errSecUserCanceled or errSecAuthFailed; the app cannot bypass this programmatically. For a custom prompt, pass an LAContext explicitly:

import LocalAuthentication
import Security

// A fresh context per transaction, so an earlier Face ID result is never reused.
let context = LAContext()
context.localizedReason = "Confirm transaction for \(amount) ETH"
context.localizedCancelTitle = "Cancel"

let query: [String: Any] = [
    kSecClass as String: kSecClassKey,
    kSecAttrApplicationLabel as String: "wallet-key",
    kSecUseAuthenticationContext as String: context,
    kSecReturnRef as String: true
]
// SecItemCopyMatching with this query returns the SecKey reference without prompting;
// the biometric prompt appears when the key is used (e.g. SecKeyCreateSignature).

The localizedReason text should contain the transaction details, recipient address and amount: the user must see exactly what they are confirming.

Android: BiometricPrompt with CryptoObject

import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricPrompt
import javax.crypto.Cipher
import javax.crypto.spec.GCMParameterSpec

// secretKey lives in AndroidKeyStore with setUserAuthenticationRequired(true):
// init() succeeds, but doFinal() only works after the prompt has unlocked the key.
val cipher = Cipher.getInstance("AES/GCM/NoPadding").apply {
    init(Cipher.DECRYPT_MODE, secretKey, GCMParameterSpec(128, iv))
}
val cryptoObject = BiometricPrompt.CryptoObject(cipher)

val promptInfo = BiometricPrompt.PromptInfo.Builder()
    .setTitle("Confirm Transaction")
    .setSubtitle("Send ${amount} ETH to ${shortAddress}")
    .setNegativeButtonText("Cancel")
    .setAllowedAuthenticators(BIOMETRIC_STRONG)
    .build()
// activity, executor, encryptedPrivateKey and signAndBroadcast come from the wallet code.
val biometricPrompt = BiometricPrompt(activity, executor,
    object : BiometricPrompt.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
            // Take the cipher from the result: it is the one the OS has unlocked.
            val unlocked = result.cryptoObject?.cipher ?: return
            signAndBroadcast(unlocked.doFinal(encryptedPrivateKey))
        }
    })

biometricPrompt.authenticate(promptInfo, cryptoObject)

CryptoObject binds the cryptographic operation to biometry. BIOMETRIC_STRONG excludes weak biometry (face recognition on devices without a depth sensor). After success, authenticationResult.cryptoObject?.cipher holds the unlocked Cipher; only then decrypt and use the key.

What Else Matters

Re-authentication timeout: iOS caches a successful biometric check in the LAContext for its lifetime, so for high-risk operations create a new LAContext per transaction. On Android, setUserAuthenticationValidityDurationSeconds(-1) requires biometry on every key use.

Fallback to PIN: if biometry is unavailable (Face ID disabled, device without a sensor), the user must confirm the transaction via PIN. Using .userPresence instead of .biometryCurrentSet allows both.

Timeline: 2–3 days. If implementing for the first time on a given platform, add a day for edge-case testing (biometry lockout after 5 failed attempts, biometry change in settings).
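The full per-transaction signing path on iOS, as an added example that is not the page's own code: a fresh LAContext carrying recipient and amount, the lockout and no-biometry checks that route to the PIN fallback, the key lookup that fails after a biometry change in Settings, and signing with the Secure Enclave key. The "wallet-key" label, the function name and the SigningError cases are assumptions; since the Secure Enclave holds only P-256 keys, an ETH wallet uses this biometry-gated key to protect (e.g. wrap) its secp256k1 key rather than to sign the chain transaction directly.

```swift
import Foundation
import LocalAuthentication
import Security

enum SigningError: Error { case biometryUnavailable, lockedOut, cancelled, keyUnavailable, failed(Error) }

/// Signs a 32-byte transaction digest with the biometry-bound Secure Enclave key.
/// A new LAContext is created on every call, so a previous Face ID result is never reused.
func signTransaction(digest: Data, amountEth: String, recipient: String) throws -> Data {
    let context = LAContext()
    context.localizedReason = "Send \(amountEth) ETH to \(recipient)"   // what the user confirms
    context.localizedCancelTitle = "Cancel"

    // Lockout (5 failed attempts) and "no sensor / Face ID off" are detectable before
    // touching the key; the latter is where the wallet switches to its PIN fallback.
    var laError: NSError?
    if !context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &laError) {
        if laError?.code == LAError.biometryLockout.rawValue { throw SigningError.lockedOut }
        throw SigningError.biometryUnavailable
    }

    let query: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrApplicationLabel as String: "wallet-key",   // label chosen at key generation (assumed)
        kSecUseAuthenticationContext as String: context,
        kSecReturnRef as String: true
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    // With .biometryCurrentSet, a biometry change in Settings permanently invalidates the
    // key: the lookup fails and the wallet must be restored from its seed phrase.
    guard status == errSecSuccess, let found = item else { throw SigningError.keyUnavailable }
    let privateKey = found as! SecKey

    // The OS shows the biometric prompt here, as part of the signing operation itself;
    // nothing in the app can produce a signature without it.
    var cfError: Unmanaged<CFError>?
    guard let signature = SecKeyCreateSignature(privateKey, .ecdsaSignatureDigestX962SHA256,
                                                digest as CFData, &cfError) else {
        let error = cfError!.takeRetainedValue() as Error
        let ns = error as NSError
        if ns.domain == NSOSStatusErrorDomain && ns.code == Int(errSecUserCanceled) {
            throw SigningError.cancelled
        }
        throw SigningError.failed(error)   // includes errSecAuthFailed
    }
    return signature as Data
}
```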