Insecure biometric class used dexguard issue from firebase


I am integrating AppSweep into my application. After building the application and putting it in AppSweep for testing, I found an "Insecure biometric class used" finding, which points to androidx.core.hardware.fingerprint.FingerprintManagerCompat.


I tried adding the lines below to my DexGuard rules, but it's not working for me.

-keep class -dontwarn androidx.core.hardware.fingerprint.**
-dontwarn -dontwarn androidx.core.hardware.fingerprint.**

There are 1 best solutions below


The finding you are seeing is very likely a false positive, since the FingerprintManagerCompat class in question is actually not being used to check actual biometric fingerprints but instead is trying to identify the hardware of the device. The AppSweep team is aware of this now and we are looking into this. Thank you for pointing it out!

As far as the second part of your question goes: In cases like these, where you think a finding is a false positive or otherwise not relevant, the most efficient way of handling this is doing the following two steps:

  1. Clicking on the little message bubble icon on the top right corner of the finding card, which allows you to send us feedback about the finding, for example that you believe it is a false positive. That way we are immediately notified of it and will look into this.
  2. To hide it from your findings, click on the "crossed-out eye" icon next to the message bubble icon, which allows you to suppress this specific finding. This will result in the finding being hidden in the current scan and also in future scans of this app. Additionally, similar to the feedback button, suppressions are also something that we are notified about, so if we see that certain findings are suppressed rather often or look like false positives, we'll also act on that.

The DexGuard rules you mentioned are completely separate from AppSweep, so adding any rules there won't suppress findings in AppSweep.

If you would like to ask any more questions or just want to talk, also feel free to use the chat function inside AppSweep itself, in the lower right corner of the browser window!