No Two Biometrics (APIs) Are Alike
Do you need to protect some functionality or store sensitive data in your Android app? Biometric authentication seems both convenient and secure at face value. However, under the skin of standardized APIs like androidx.biometric lies a web of strange edge cases and security vulnerabilities, many of them caused by API misuse.
Based on extensive research and development of security-sensitive apps, we will discuss the quirks and features of the Biometrics API and Android's Keystore system. Among many other things, you will learn:
– How biometric authentication can be bypassed when the CryptoObject is not used properly.
– What the obvious (and not so obvious) usability implications are of making Android invalidate keys when new (biometric) credentials are added.
– How to require user authentication for accessing keys, what that actually means, and what the timeout parameter means in this case.
– How to use hardware-backed key storage and StrongBox, and how to verify them via key attestation.
Session info:

Speaker: Balázs Gerlei
Senior Software Engineer at Nevis Security
Date: 13 March 2026
Time: 11:05 - 11:50
Relevant tags:
Security

Speaker: Josu Vergara Lecue
Nevis Security AG - Expert Software Engineer