Android - invalidate Fingerprint authentication when user minimises app but not when when moving across activities

Question

I have an app in which fingerprint lock is used to protect the app from being used without first authenticating with the fingerprint. The issue is that the verification only happens at first launch of the app; so after first launch, no more verification until when the app is being launched again, But I want the current verification to be valid when moving across different activities in the app, but it should be invalidated if the user minimises the app or when the phone screen goes off, so that the user would be asked to verify fingerprint again after minimizing and resuming back into the app.

I have tried using a base activity and overriding the onPause and onResume, but the methods get called even when moving across activities, which is not what I want.

Answer 1

You can likely use the system broadcast intents ACTION_SCREEN_ON, ACTION_SCREEN_OFF, and/or ACTION_USER_PRESENT to achieve your goals. Check https://developer.android.com/reference/android/content/Intent for more on these.

To do so, register as a broadcast receiver to receive these notifications in your main activity onCreate, un-register in onDestroy. You can use these notifications to set flags indicating whether authentication is needed.

Example code:

    @Override
    protected void onCreate(Bundle savedInstanceState)
    {
    .
    .
    .
        // register to receive appropriate events

        IntentFilter intentUserPresent = new IntentFilter(Intent.ACTION_USER_PRESENT);
        intentUserPresent.addAction(Intent.ACTION_USER_PRESENT);
        registerReceiver(userActionReceiver, intentUserPresent);
        
    .
    .
    .
    }
    

    // create a BroadcastReceiver to receive the notifications
    private BroadcastReceiver userActionReceiver = new BroadcastReceiver()
    {
        @Override
        public void onReceive(Context context, Intent intent)
        {
            Log.d("MyLog", String.format("MainActivity received broadcaast %s", intent.toString()));

            if (intent.getAction() == Intent.ACTION_USER_PRESENT)
            {
               // set flag indicating re-authentication is needed
            }
        }
    };
    
    @Override
    protected void onDestroy()
    {
        // make sure to un-register the receiver!
        unregisterReceiver(userActionReceiver);
        super.onDestroy();
    }

This won't detect a user "minimizing the app", but its unclear why you would consider that re-authentication would be needed in this scenario. Lifecycle events onStart/onStop can detect background/foreground of an activity.