Remove androidBiometricsStrongOnly option and enforce strong biometrics automatically

The androidBiometricsStrongOnly option has been removed from the API and implementation. Android now automatically enforces Class 3 (strong) biometrics when supported by hardware, falling back to the strongest available authenticator on older devices. Documentation and type definitions have been updated to reflect this change, and related UI and code paths have been cleaned up.

Author: mCodex

README.md

@@ -159,7 +159,8 @@ All functions live at the top level export and return Promises.
 - `authenticationPrompt` — localized strings for biometric/device credential prompts.
 - `iosSynchronizable` — enable iCloud Keychain sync.
 - `keychainGroup` — custom Keychain access group.
-- `androidBiometricsStrongOnly` — require Class 3 biometrics when generating keys.
+
+Android automatically enforces Class 3 biometrics whenever the hardware supports them, falling back to the strongest available authenticator on older devices.
 
 See `src/views/sensitive-info.nitro.ts` for full TypeScript definitions.
 

android/src/main/java/com/margelo/nitro/sensitiveinfo/HybridSensitiveInfo.kt

@@ -77,8 +77,7 @@ class HybridSensitiveInfo : HybridSensitiveInfoSpec() {
     override fun setItem(request: SensitiveInfoSetRequest): Promise<MutationResult> {
         return Promise.async {
             val service = resolveService(request.service)
-            val strongOnly = request.androidBiometricsStrongOnly == true
-            val resolution = accessControlResolver.resolve(request.accessControl, strongOnly)
+            val resolution = accessControlResolver.resolve(request.accessControl)
             val alias = AliasGenerator.create(service, resolution.signature)
 
             val previousEntry = readEntry(service, request.key)

android/src/main/java/com/sensitiveinfo/internal/crypto/AccessControlResolver.kt

@@ -1,5 +1,6 @@
 package com.sensitiveinfo.internal.crypto
 
+import android.os.Build
 import androidx.biometric.BiometricManager.Authenticators
 import com.margelo.nitro.sensitiveinfo.AccessControl
 import com.margelo.nitro.sensitiveinfo.SecurityLevel
@@ -23,12 +24,12 @@ internal class AccessControlResolver(
   )
 
   /** Chooses the best available policy given the caller preference and hardware capabilities. */
-  fun resolve(preferred: AccessControl?, strongBiometricsOnly: Boolean): AccessResolution {
+  fun resolve(preferred: AccessControl?): AccessResolution {
     val availability = availabilityResolver.resolve()
     val ordered = orderPreferences(preferred)
 
     for (candidate in ordered) {
-      val resolution = tryResolve(candidate, availability, strongBiometricsOnly)
+      val resolution = tryResolve(candidate, availability)
       if (resolution != null) {
         return resolution
       }
@@ -57,12 +58,11 @@ internal class AccessControlResolver(
 
   private fun tryResolve(
     accessControl: AccessControl,
-    availability: SecurityAvailabilitySnapshot,
-    strongBiometricsOnly: Boolean
+    availability: SecurityAvailabilitySnapshot
   ): AccessResolution? {
     return when (accessControl) {
       AccessControl.SECUREENCLAVEBIOMETRY -> {
-        if (!availability.biometry || !availability.strongBox) return null
+        if (!availability.biometry || !availability.strongBiometrics || !availability.strongBox) return null
         AccessResolution(
           accessControl = AccessControl.SECUREENCLAVEBIOMETRY,
           securityLevel = SecurityLevel.STRONGBOX,
@@ -73,31 +73,23 @@ internal class AccessControlResolver(
         )
       }
       AccessControl.BIOMETRYCURRENTSET -> {
-        if (!availability.biometry) return null
+        val allowedAuthenticators = allowedBiometricAuthenticators(availability) ?: return null
         AccessResolution(
           accessControl = AccessControl.BIOMETRYCURRENTSET,
           securityLevel = SecurityLevel.BIOMETRY,
           requiresAuthentication = true,
-          allowedAuthenticators = if (strongBiometricsOnly) {
-            Authenticators.BIOMETRIC_STRONG
-          } else {
-            Authenticators.BIOMETRIC_STRONG or Authenticators.BIOMETRIC_WEAK
-          },
+          allowedAuthenticators = allowedAuthenticators,
           useStrongBox = false,
           invalidateOnEnrollment = true
         )
       }
       AccessControl.BIOMETRYANY -> {
-        if (!availability.biometry) return null
+        val allowedAuthenticators = allowedBiometricAuthenticators(availability) ?: return null
         AccessResolution(
           accessControl = AccessControl.BIOMETRYANY,
           securityLevel = SecurityLevel.BIOMETRY,
           requiresAuthentication = true,
-          allowedAuthenticators = if (strongBiometricsOnly) {
-            Authenticators.BIOMETRIC_STRONG
-          } else {
-            Authenticators.BIOMETRIC_STRONG or Authenticators.BIOMETRIC_WEAK
-          },
+          allowedAuthenticators = allowedAuthenticators,
           useStrongBox = false,
           invalidateOnEnrollment = false
         )
@@ -123,4 +115,20 @@ internal class AccessControlResolver(
       )
     }
   }
+
+  private fun allowedBiometricAuthenticators(availability: SecurityAvailabilitySnapshot): Int? {
+    if (!availability.biometry) {
+      return null
+    }
+
+    if (availability.strongBiometrics) {
+      return Authenticators.BIOMETRIC_STRONG
+    }
+
+    return if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
+      Authenticators.BIOMETRIC_WEAK
+    } else {
+      Authenticators.BIOMETRIC_STRONG
+    }
+  }
 }

android/src/main/java/com/sensitiveinfo/internal/crypto/SecurityAvailabilityResolver.kt

@@ -13,6 +13,7 @@ internal data class SecurityAvailabilitySnapshot(
   val secureEnclave: Boolean,
   val strongBox: Boolean,
   val biometry: Boolean,
+  val strongBiometrics: Boolean,
   val deviceCredential: Boolean
 )
 
@@ -35,10 +36,9 @@ internal class SecurityAvailabilityResolver(private val context: Context) {
       }
 
       val biometricManager = BiometricManager.from(context)
-      val hasBiometry = when (biometricManager.canAuthenticate(Authenticators.BIOMETRIC_STRONG)) {
-        BiometricManager.BIOMETRIC_SUCCESS -> true
-        else -> biometricManager.canAuthenticate(Authenticators.BIOMETRIC_WEAK) == BiometricManager.BIOMETRIC_SUCCESS
-      }
+      val hasStrongBiometrics = biometricManager.canAuthenticate(Authenticators.BIOMETRIC_STRONG) == BiometricManager.BIOMETRIC_SUCCESS
+      val hasWeakBiometrics = biometricManager.canAuthenticate(Authenticators.BIOMETRIC_WEAK) == BiometricManager.BIOMETRIC_SUCCESS
+      val hasBiometry = hasStrongBiometrics || hasWeakBiometrics
 
       val keyguard = context.getSystemService<KeyguardManager>()
       val deviceCredential = keyguard?.isDeviceSecure == true
@@ -50,6 +50,7 @@ internal class SecurityAvailabilityResolver(private val context: Context) {
         secureEnclave = hasStrongBox,
         strongBox = hasStrongBox,
         biometry = hasBiometry,
+        strongBiometrics = hasStrongBiometrics,
         deviceCredential = deviceCredential
       )
       cached = snapshot

example/App.tsx

@@ -176,7 +176,11 @@ function ToggleRow({ label, helper, value, onValueChange }: ToggleRowProps) {
         onValueChange={onValueChange}
         trackColor={{ false: '#d1d5db', true: '#bfdbfe' }}
         thumbColor={
-          Platform.OS === 'android' ? (value ? '#2563eb' : '#f9fafb') : undefined
+          Platform.OS === 'android'
+            ? value
+              ? '#2563eb'
+              : '#f9fafb'
+            : undefined
         }
         ios_backgroundColor="#d1d5db"
       />
@@ -193,8 +197,6 @@ function App(): React.JSX.Element {
   const [includeValues, setIncludeValues] = useState(true);
   const [includeValueOnGet, setIncludeValueOnGet] = useState(true);
   const [iosSynchronizable, setIosSynchronizable] = useState(false);
-  const [androidBiometricsStrongOnly, setAndroidBiometricsStrongOnly] =
-    useState(false);
   const [usePrompt, setUsePrompt] = useState(true);
   const [keychainGroup, setKeychainGroup] = useState('');
   const [availability, setAvailability] = useState<SecurityAvailability | null>(
@@ -222,9 +224,6 @@ function App(): React.JSX.Element {
       accessControl: selectedAccessControl,
       iosSynchronizable: iosSynchronizable ? true : undefined,
       keychainGroup: normalizedKeychainGroup,
-      androidBiometricsStrongOnly: androidBiometricsStrongOnly
-        ? true
-        : undefined,
       authenticationPrompt: usePrompt
         ? {
             title: 'Authenticate to continue',
@@ -236,7 +235,6 @@ function App(): React.JSX.Element {
         : undefined,
     }),
     [
-      androidBiometricsStrongOnly,
       iosSynchronizable,
       normalizedKeychainGroup,
       normalizedService,
@@ -401,9 +399,9 @@ function App(): React.JSX.Element {
         <View style={styles.banner}>
           <Text style={styles.bannerTitle}>Tip for hardware testing</Text>
           <Text style={styles.bannerText}>
-            Simulators rarely expose Secure Enclave, StrongBox, or full biometric
-            flows. Validate critical journeys on a physical device to mirror
-            production behaviour.
+            Simulators rarely expose Secure Enclave, StrongBox, or full
+            biometric flows. Validate critical journeys on a physical device to
+            mirror production behaviour.
           </Text>
         </View>
 
@@ -507,7 +505,7 @@ function App(): React.JSX.Element {
           subtitle="Tune access control, prompts, and cross-platform behaviour"
         >
           <View style={styles.accessOptionsContainer}>
-            {ACCESS_CONTROL_OPTIONS.map((option) => {
+            {ACCESS_CONTROL_OPTIONS.map(option => {
               const selected = option.value === selectedAccessControl;
               return (
                 <Pressable
@@ -561,12 +559,6 @@ function App(): React.JSX.Element {
             value={iosSynchronizable}
             onValueChange={setIosSynchronizable}
           />
-          <ToggleRow
-            label="Require strong biometrics (Android)"
-            helper="Limits authentication to Class 3 credentials where available."
-            value={androidBiometricsStrongOnly}
-            onValueChange={setAndroidBiometricsStrongOnly}
-          />
 
           <Field
             label="Shared keychain access group"
@@ -631,7 +623,7 @@ function App(): React.JSX.Element {
               Nothing stored yet. Save a secret to see it appear here.
             </Text>
           ) : (
-            items.map((item) => (
+            items.map(item => (
               <View key={`${item.service}-${item.key}`} style={styles.itemCard}>
                 <Text style={styles.itemTitle}>{item.key}</Text>
                 <Text style={styles.itemMeta}>Service · {item.service}</Text>
@@ -649,7 +641,8 @@ function App(): React.JSX.Element {
                     Backend · {item.metadata.backend}
                   </Text>
                   <Text style={styles.itemRow}>
-                    Stored at · {new Date(item.metadata.timestamp * 1000).toLocaleString()}
+                    Stored at ·{' '}
+                    {new Date(item.metadata.timestamp * 1000).toLocaleString()}
                   </Text>
                 </View>
               </View>

src/index.ts

@@ -47,7 +47,6 @@ function resolveOptions(options?: SensitiveInfoOptions): SensitiveInfoOptions {
     accessControl: options.accessControl ?? DEFAULT_ACCESS_CONTROL,
     iosSynchronizable: options.iosSynchronizable,
     keychainGroup: options.keychainGroup,
-    androidBiometricsStrongOnly: options.androidBiometricsStrongOnly,
     authenticationPrompt: options.authenticationPrompt,
   }
 }

src/views/sensitive-info.nitro.ts

@@ -56,7 +56,8 @@ export interface AuthenticationPrompt {
  *
  * `iosSynchronizable`, `keychainGroup`, and the access-control options apply to every Apple
  * platform (iOS, macOS, visionOS, watchOS) even if the field name still mentions iOS for
- * backwards compatibility.
+ * backwards compatibility. On Android, strong (Class 3) biometrics are enforced automatically
+ * whenever the hardware supports them, gracefully falling back to the strongest available guard.
  */
 export interface SensitiveInfoOptions {
   /** Namespaces the stored entry. Defaults to the bundle identifier (when available) or `default`. */
@@ -70,8 +71,6 @@ export interface SensitiveInfoOptions {
    * strongest supported strategy (Secure Enclave ➝ Biometry ➝ Device Credential ➝ None).
    */
   readonly accessControl?: AccessControl
-  /** Android: opt-in to strict hardware-backed biometrics (skips weak face unlock for example). */
-  readonly androidBiometricsStrongOnly?: boolean
   /** Optional prompt strings displayed when user presence is required to open the key. */
   readonly authenticationPrompt?: AuthenticationPrompt
 }