Please update MASTG-KNOW-0001 and MASTG-BEST-0031 and ensure:
- they follow our guidelines from .github/instructions/
- they contain up-to-date content, APIs and guidance
- in knowledge articles, explicitly mark things as deprecated or outdated and keep it short for them with references to the android docs or relevant articles. We won't cover that in tests/demos or best practices. It's ok to mention old behaviour when highlighting benefits of using the modern approaches though.
- they are aligned with our tests and demos. If the tests/demos contain any knowledge that's missing here please add it.
  - MASTG-TEST-0326 to MASTG-TEST-0330
  - MASTG-DEMO-0089 to MASTG-DEMO-0093
Evaluate if it's better to add separate best practice articles or put all best practices in MASTG-BEST-0031. Ensure that all those tests are correctly linked to a best practice article.
Here are some drafts that can be used for the update (carefully validate before adding any new content from here):
**MASTG-KNOW-0001**
Android provides platform support for biometric authentication, such as fingerprint and face recognition, and exposes it to apps through the biometric APIs. At the framework level, Android includes support for face and fingerprint authentication, and device implementations can also support other biometric modalities. Biometric integration on Android is classified by biometric security, not only by modality. ([Android Open Source Project](https://source.android.com/docs/security/features/biometric), [Android Developers](https://developer.android.com/identity/sign-in/biometric-auth))
For app development, the recommended API surface is the Jetpack Biometric library, `androidx.biometric`. This library provides compatibility wrappers around the platform biometric APIs and expands on the deprecated `FingerprintManager` API, with support back to Android 6.0, API level 23. ([Android Developers](https://developer.android.com/identity/sign-in/biometric-auth), [Android Developers](https://developer.android.com/jetpack/androidx/releases/biometric))
<img src="Images/Chapters/0x05f/biometricprompt-architecture.png" width="70%" />
## Main APIs
Android biometric authentication is typically built around the following components.
### BiometricPrompt
`BiometricPrompt` displays a system provided authentication dialog and returns the authentication result to the app. The prompt UI is rendered by the system, which gives apps a consistent interface across devices and biometric modalities. ([Android Developers](https://developer.android.com/identity/sign-in/biometric-auth))
`BiometricPrompt` can be used with a `PromptInfo` object to configure the dialog title, subtitle, allowed authenticators, and whether explicit confirmation is requested after a passive biometric is accepted. ([Android Developers](https://developer.android.com/identity/sign-in/biometric-auth))
### BiometricManager
`BiometricManager` is used to query whether the requested authenticators are available and usable on the device. With the Jetpack library and newer platform APIs, this check is performed with `canAuthenticate(int)`, using one or more authenticator constants. ([Android Developers](https://developer.android.com/jetpack/androidx/releases/biometric), [Android Developers](https://developer.android.com/identity/sign-in/biometric-auth))
### FingerprintManager
`FingerprintManager` was the earlier fingerprint specific API. It has been deprecated in favor of the biometric APIs and is superseded by the Jetpack Biometric library. ([Android Developers](https://developer.android.com/identity/sign-in/biometric-auth))
## Authenticator Types
Android lets apps declare which authenticator types they support through `BiometricManager.Authenticators` and `BiometricPrompt.PromptInfo.Builder.setAllowedAuthenticators()`. The main constants are: ([Android Developers](https://developer.android.com/identity/sign-in/biometric-auth))
- `BIOMETRIC_STRONG`, authentication using a Class 3 biometric.
- `BIOMETRIC_WEAK`, authentication using a Class 2 biometric.
- `DEVICE_CREDENTIAL`, authentication using the device screen lock credential, such as PIN, pattern, or password.
Apps can allow a single authenticator type or a bitwise combination of compatible types, for example `BIOMETRIC_STRONG | DEVICE_CREDENTIAL`. The supported combinations depend on platform version and device capabilities. ([Android Developers](https://developer.android.com/identity/sign-in/biometric-auth), [Android Developers](https://developer.android.com/jetpack/androidx/releases/biometric))
To use biometric authenticators, the user must first have a secure device credential configured. If none is configured, the biometric enrollment flow prompts the user to create one. ([Android Developers](https://developer.android.com/identity/sign-in/biometric-auth))
## Authentication Flows
From an API perspective, local authentication flows on Android generally appear in two forms.
### Prompt Based Authentication
In a prompt based flow, the app displays `BiometricPrompt` and receives a success, failure, or error callback. The prompt may be configured to accept biometrics only, device credentials only, or a combination of allowed authenticators. ([Android Developers](https://developer.android.com/identity/sign-in/biometric-auth))
### Keystore Backed Authentication
Android Keystore can associate key usage with user authentication requirements. In this model, an app generates or imports a key into the Android Keystore, defines how and when the key may be used, and then uses `BiometricPrompt` to authorize a cryptographic operation through a `CryptoObject`. ([Android Developers](https://developer.android.com/privacy-and-security/keystore), [Android Developers](https://developer.android.com/identity/sign-in/biometric-auth))
The Android Keystore system stores key material in a way that makes extraction more difficult, keeps key material non-exportable, and can bind key material to secure hardware such as a Trusted Execution Environment or Secure Element when supported by the device. The Keystore also lets apps define authorizations for key usage, including user authentication requirements. ([Android Developers](https://developer.android.com/privacy-and-security/keystore))
`BiometricPrompt.CryptoObject` can wrap cryptographic primitives such as `Cipher`, `Signature`, or `Mac` instances so that the authenticated result is tied to a specific cryptographic operation. ([Android Developers](https://developer.android.com/identity/sign-in/biometric-auth), [Android Developers](https://developer.android.com/jetpack/androidx/releases/biometric))
## Authentication Parameters in the Keystore
When creating a key with `KeyGenParameterSpec.Builder`, apps can define authentication related parameters for that key. Android supports configuring whether user authentication is required, which authenticator types are allowed, and whether authorization applies per use or for a time window. The newer API for this is `setUserAuthenticationParameters(int, int)`. `setUserAuthenticationValidityDurationSeconds(int)` is deprecated from API level 30. ([Android Developers](https://developer.android.com/reference/android/security/keystore/KeyGenParameterSpec.Builder), [Android Developers](https://developer.android.com/sdk/api_diff/30/changes/android.security.keystore.KeyGenParameterSpec.Builder))
The Keystore documentation also describes biometric enrollment behavior for biometric only keys. If a key only supports biometric credentials, the key is invalidated by default when new biometric enrollments are added, unless this behavior is changed with `setInvalidatedByBiometricEnrollment(false)`. ([Android Developers](https://developer.android.com/privacy-and-security/keystore))
## Device Credentials and Keyguard
Android also exposes device lock state and secure lock screen status through `KeyguardManager`, for example through `isDeviceLocked()` and `isDeviceSecure()`. These APIs describe device lock state and secure lock screen configuration. ([Android Developers](https://developer.android.com/reference/android/app/KeyguardManager))
Earlier confirm device credential flows based on `createConfirmDeviceCredentialIntent()` are part of the platform history, but that method was deprecated in API level 29 in favor of authenticator based configuration on `BiometricPrompt`. ([Android Developers](https://developer.android.com/reference/android/app/KeyguardManager), [Android Developers](https://developer.android.com/identity/sign-in/biometric-auth))
## Biometric Compatibility Library
The Jetpack Biometric library provides the compatibility layer most apps use in practice. It brings `BiometricPrompt`, `BiometricManager`, authenticator constants, and related APIs to older Android versions through AndroidX. Release notes also document version specific behavior, such as support for device credential authentication with a `CryptoObject` on Android 11 and higher. ([Android Developers](https://developer.android.com/jetpack/androidx/releases/biometric))
## Third Party SDKs
Some apps use third party SDKs that expose biometric features. On Android, biometric authentication is ultimately integrated with the platform biometric and Keystore infrastructure. Knowledge about a given SDK therefore usually depends on how it maps to the Android biometric APIs, authenticator classes, and Keystore backed cryptographic operations. ([Android Open Source Project](https://source.android.com/docs/security/features/biometric), [Android Developers](https://developer.android.com/privacy-and-security/keystore))

**MASTG-BEST-0031**

Also add in metadata `knowledge: [MASTG-KNOW-0001]`.
For sensitive operations protected by Android biometrics, configure `BiometricPrompt` to require `BIOMETRIC_STRONG` rather than allowing weaker biometric classes. Android defines `BIOMETRIC_STRONG` as authentication using a Class 3 biometric, while `BIOMETRIC_WEAK` corresponds to Class 2 biometric authentication. ([Android Developers](https://developer.android.com/identity/sign-in/biometric-auth))
When the operation is intended to be biometric only, do not include `DEVICE_CREDENTIAL` in the allowed authenticators. `DEVICE_CREDENTIAL` enables fallback to the device screen lock credential, such as PIN, pattern, or password, instead of requiring a biometric factor. ([Android Developers](https://developer.android.com/identity/sign-in/biometric-auth))
For operations that should remain tied to a cryptographic action, use `BiometricPrompt.authenticate()` with a `CryptoObject` backed by an Android Keystore key whose authentication policy is configured for the intended authenticators. This keeps the authentication result bound to the cryptographic operation rather than using the prompt only as a standalone event. ([Android Developers](https://developer.android.com/privacy-and-security/keystore), [Android Developers](https://developer.android.com/identity/sign-in/biometric-auth))

NOTE: These drafts use link notation like:

> For app development, the recommended API surface is the Jetpack Biometric library, `androidx.biometric`. This library provides compatibility wrappers around the platform biometric APIs and expands on the deprecated `FingerprintManager` API, with support back to Android 6.0, API level 23. ([Android Developers](https://developer.android.com/identity/sign-in/biometric-auth), [Android Developers](https://developer.android.com/jetpack/androidx/releases/biometric))

Don't use that format, prefer inline links like:

> For app development, the recommended API surface is the [Jetpack Biometric library](https://developer.android.com/jetpack/androidx/releases/biometric), `androidx.biometric`...

And always ensure the links are valid.
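The Keystore-backed, biometric-only flow the drafts describe (strong-biometric key with per-operation authorization, `BiometricPrompt` restricted to `BIOMETRIC_STRONG`, result bound through a `CryptoObject`), as an added Kotlin example that is not MASTG's own code nor taken from the Android docs. It assumes `androidx.biometric`, a `Fragment` caller, and minSdk 30 for `setUserAuthenticationParameters()`; the key alias, prompt strings and `onDone` callback are placeholders.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.Fragment
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

const val KEY_ALIAS = "mastg_example_key" // placeholder alias, not from the issue
// Key usable only after a Class 3 biometric, authorized per operation (timeout 0),
// and invalidated when new biometrics are enrolled (API 30+ for the parameters call).
fun generateStrongBiometricKey(): SecretKey {
    val spec = KeyGenParameterSpec.Builder(KEY_ALIAS,
        KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setUserAuthenticationRequired(true)
        .setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG)
        .setInvalidatedByBiometricEnrollment(true)
        .build()
    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        .apply { init(spec) }.generateKey()
}

fun authenticateAndEncrypt(fragment: Fragment, plaintext: ByteArray, onDone: (ByteArray) -> Unit) {
    val ctx = fragment.requireContext()
    // Refuse to continue unless a Class 3 biometric is enrolled and usable; no silent fallback.
    if (BiometricManager.from(ctx).canAuthenticate(BIOMETRIC_STRONG) != BiometricManager.BIOMETRIC_SUCCESS) return
    val key = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
        .getKey(KEY_ALIAS, null) as? SecretKey ?: generateStrongBiometricKey()
    val cipher = Cipher.getInstance("AES/GCM/NoPadding").apply { init(Cipher.ENCRYPT_MODE, key) }
    val promptInfo = BiometricPrompt.PromptInfo.Builder()
        .setTitle("Confirm payment")
        .setAllowedAuthenticators(BIOMETRIC_STRONG) // no DEVICE_CREDENTIAL: biometric only
        .setNegativeButtonText("Cancel")             // mandatory when DEVICE_CREDENTIAL is absent
        .build()
    val callback = object : BiometricPrompt.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
            // Use the cipher the system hands back so the ciphertext is tied to this authentication.
            val c = result.cryptoObject?.cipher ?: return
            onDone(c.iv + c.doFinal(plaintext))
        }
    }
    BiometricPrompt(fragment, ContextCompat.getMainExecutor(ctx), callback)
        .authenticate(promptInfo, BiometricPrompt.CryptoObject(cipher))
}
```

If the key was invalidated by a new enrollment, `cipher.init()` throws `KeyPermanentlyInvalidatedException`, which a real app should catch to delete the alias and re-enroll rather than weaken the policy.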