What would be the best practice to decrypt data that was encrypted with a key, using a fingerprint scanner?
I'm writing an Android application using Java where a user can sign up/sign in. After the first successful authorization, the application requires the user to create a PIN code for quick access. This PIN code contains 4 digits. After the PIN code is created I've got to save the credentials used for authorization in encrypted form. What I do: after creating the PIN code, I encrypt the credentials using this PIN code as the encryption key (actually the length of the PIN code is not enough for AES, so I write my PIN code 4 times into the String), then save this data in SharedPreferences, and the encryption key (PIN code) I also encrypt with this PIN code. So when the user enters his PIN code while signing in, the application tries to decrypt the key using this PIN code, then compares the entered PIN code and the decrypted PIN code; if they are equal (this means the PIN code is correct), the application decrypts the credentials using this PIN code and then does the authorization. But now I've got to use the fingerprint scanner for authorization. If the user confirmed his identity using biometrics, I don't have any key to decrypt the data. I used to brute force this PIN code after successful confirmation, but it is not the best way to do it. I could store the saved PIN code somewhere in the clear, but it is an unsafe approach. I've read about KeyStore but it also needs some password to store. So what would be the best practice to implement such logic?
Solution 1:[1]
It is extremely risky to simply encrypt using user provided key. Firstly, we decide which encryption algorithms to use. Depending on our algorithm, (I suggest at least AES128) we should generate a SecretKey using our provided string. We should also choose to add a salt string to our key. Then we encrypt our data using well established and vetted libraries. In case of fingerprinting, I would possibly use EncryptedSharedPreferences as described here: Best option to store username and password in android app in the 2nd answer.
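The two points the answer makes, a properly derived (salted) key for the PIN path and a platform-managed key for the fingerprint path, can be shown concretely with the Android Keystore. The following is an added example and not code from the answerer or from the question; it assumes the `androidx.biometric` library is on the classpath, that it is called from a `FragmentActivity`, and that the key alias, the preference names and the PBKDF2 parameters are constructed values for illustration. The credentials are encrypted under a non-exportable AES-GCM key that the Keystore will only operate with after a successful biometric authentication, so nothing secret has to be stored in the clear or brute-forced.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.util.Base64;
import androidx.biometric.BiometricPrompt;
import androidx.core.content.ContextCompat;
import androidx.fragment.app.FragmentActivity;

import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical helper (not from the original post). Alias, preference names and
 *  PBKDF2 parameters are constructed for the example. */
public final class CredentialVault {
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String ALIAS = "credential_key";          // constructed alias
    private static final String PREFS = "vault";                   // constructed name
    private static final String TRANSFORMATION = "AES/GCM/NoPadding";
    private static final int GCM_TAG_BITS = 128;

    /** Callback that receives a Cipher the Keystore has unlocked after biometrics. */
    public interface CipherReady { void run(Cipher cipher) throws Exception; }

    /** PIN path: derive a 256-bit key from the PIN with a random, stored salt instead of
     *  repeating the PIN to pad it. A 4-digit PIN still has only 10,000 possibilities, so
     *  the iteration count only slows an offline guess; it does not make the PIN strong. */
    public static SecretKey deriveKeyFromPin(char[] pin, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pin, salt, 100_000, 256);   // constructed params
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(raw, KeyProperties.KEY_ALGORITHM_AES);
    }

    /** Fingerprint path, step 1 (run once): a non-exportable AES key that can only be
     *  used inside a Cipher that BiometricPrompt has authorized. */
    public static void createBiometricKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
        kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                .setUserAuthenticationRequired(true)        // every use needs biometrics
                .setInvalidatedByBiometricEnrollment(true)  // new fingerprint voids the key
                .build());
        kg.generateKey();
    }

    private static SecretKey loadKey() throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        return (SecretKey) ks.getKey(ALIAS, null);
    }

    /** Step 2: prepare a Cipher, show the prompt, and hand back the authorized Cipher.
     *  For ENCRYPT_MODE the Keystore generates a fresh random IV; for DECRYPT_MODE the
     *  IV stored with the ciphertext must be supplied. */
    public static void withAuthenticatedCipher(FragmentActivity activity, int mode, byte[] iv,
                                               CipherReady onReady) throws Exception {
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        if (mode == Cipher.ENCRYPT_MODE) {
            cipher.init(mode, loadKey());
        } else {
            cipher.init(mode, loadKey(), new GCMParameterSpec(GCM_TAG_BITS, iv));
        }
        BiometricPrompt.PromptInfo info = new BiometricPrompt.PromptInfo.Builder()
                .setTitle("Unlock saved credentials")
                .setNegativeButtonText("Cancel")
                .build();
        BiometricPrompt prompt = new BiometricPrompt(activity,
                ContextCompat.getMainExecutor(activity),
                new BiometricPrompt.AuthenticationCallback() {
                    @Override
                    public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult r) {
                        try {
                            onReady.run(r.getCryptoObject().getCipher());
                        } catch (Exception e) {
                            // A modified IV or ciphertext fails GCM tag verification here
                            // (AEADBadTagException); treat it as "no stored credentials".
                        }
                    }
                });
        prompt.authenticate(info, new BiometricPrompt.CryptoObject(cipher));
    }

    /** Called after the first successful sign-in: store IV and ciphertext, nothing else. */
    public static void saveCredentials(FragmentActivity a, byte[] credentials) throws Exception {
        withAuthenticatedCipher(a, Cipher.ENCRYPT_MODE, null, cipher -> {
            byte[] ct = cipher.doFinal(credentials);
            a.getSharedPreferences(PREFS, Context.MODE_PRIVATE).edit()
                    .putString("iv", Base64.encodeToString(cipher.getIV(), Base64.NO_WRAP))
                    .putString("ct", Base64.encodeToString(ct, Base64.NO_WRAP))
                    .apply();
        });
    }

    /** Called at fingerprint sign-in: plaintext exists only inside the callback. */
    public static void loadCredentials(FragmentActivity a, java.util.function.Consumer<byte[]> onPlain)
            throws Exception {
        SharedPreferences p = a.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        byte[] iv = Base64.decode(p.getString("iv", ""), Base64.NO_WRAP);
        byte[] ct = Base64.decode(p.getString("ct", ""), Base64.NO_WRAP);
        withAuthenticatedCipher(a, Cipher.DECRYPT_MODE, iv,
                cipher -> onPlain.accept(cipher.doFinal(ct)));
    }
}
```

Because the key is created with `setUserAuthenticationRequired(true)` and no validity window, the `saveCredentials` call also goes through the prompt; the key material never leaves the Keystore, so there is no PIN to brute-force and nothing to store in the clear. `setInvalidatedByBiometricEnrollment(true)` means that after a new fingerprint is enrolled the stored ciphertext becomes unrecoverable and the user must sign in with their password again, which is the intended fallback.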
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | mindoverflow |
