Let's break down why your AndroidX BiometricPrompt stops working after a Google Play update, and walk through actionable fixes based on your code and setup:

Key Potential Causes #

• Invalidated Keystore Keys: Biometric authentication relies on Android Keystore to bind credentials to your app. App updates can trigger key invalidation if your key setup doesn't account for security policies (like biometric enrollment changes or app signing consistency).
• SQLite Data Loss/Corruption: Even if you didn't explicitly migrate data, Google Play updates might accidentally reset your SQLite database (if stored in the wrong location) or your isBiometricAuthorized flag might be getting overwritten.
• Flawed Biometric Support Check: Your checkBiometricSupport method returns true for API 29+ unconditionally, which ignores cases where biometrics are unavailable (e.g., user deleted all fingerprints post-update).

Step-by-Step Fixes #

1. Fix the Biometric Support Check Logic #

Your current check skips proper validation for Android 10+. Replace checkBiometricSupport() with this robust implementation using BiometricManager:

private fun checkBiometricSupport(): Boolean {
    val biometricManager = BiometricManager.from(applicationContext)
    return when (biometricManager.canAuthenticate(BiometricManager.Authenticators.BIOMETRIC_STRONG or BiometricManager.Authenticators.DEVICE_CREDENTIAL)) {
        BiometricManager.BIOMETRIC_SUCCESS -> true
        BiometricManager.BIOMETRIC_ERROR_NO_HARDWARE,
        BiometricManager.BIOMETRIC_ERROR_HW_UNAVAILABLE,
        BiometricManager.BIOMETRIC_ERROR_NONE_ENROLLED -> false
        else -> false
    }
}

This accurately checks if the device has usable biometrics or device credentials, preventing failed authentication attempts due to unsupported hardware/settings.

2. Secure Keystore Key Management #

If you're binding login credentials to biometrics via Keystore, updates can invalidate existing keys. Ensure your key setup includes fallback logic to regenerate keys when needed:

private fun getOrCreateBiometricKey(): SecretKey {
    val keyStore = KeyStore.getInstance("AndroidKeyStore")
    keyStore.load(null)
    val keyAlias = "app_biometric_auth_key"

    return if (keyStore.containsAlias(keyAlias)) {
        // Retrieve existing key if valid
        keyStore.getKey(keyAlias, null) as SecretKey
    } else {
        // Generate new key if it doesn't exist
        val keyGenerator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        val keySpec = KeyGenParameterSpec.Builder(keyAlias,
            KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setUserAuthenticationRequired(true)
            .setInvalidatedByBiometricEnrollment(true) // Invalidate if user adds/removes biometrics
            .build()
        keyGenerator.init(keySpec)
        keyGenerator.generateKey()
    }
}

After an update, if the key is invalid, this code regenerates it. You'll need to prompt users to re-enable biometric auth and rebind their login credentials.

3. Ensure SQLite Data Persists Post-Update #

• Verify your SQLite database is stored in the app's internal storage using context.getDatabasePath("your_database.db")—this directory is preserved during updates.
• Add a basic database migration handler to avoid accidental database reconstruction. Even if your schema hasn't changed, set a version number in SQLiteOpenHelper:

class AppDatabaseHelper(context: Context) : SQLiteOpenHelper(context, "user_db.db", null, 1) {
    override fun onCreate(db: SQLiteDatabase) {
        db.execSQL("CREATE TABLE IF NOT EXISTS users (id INTEGER PRIMARY KEY, username TEXT, isBiometricAuthorized BOOLEAN DEFAULT 0)")
    }

    override fun onUpgrade(db: SQLiteDatabase, oldVersion: Int, newVersion: Int) {
        // No schema changes? Leave this empty to avoid dropping tables during updates
    }
}

• After an update, log the value of isBiometricAuthorized to confirm it's still true. If it's reset, your database was likely recreated—fix the storage path or migration logic.

4. Avoid Cache-Dependent Biometric Data #

Google Play updates rarely clear internal app cache, but storing biometric configuration (like the enable flag) in cache is risky. Stick to SQLite or SharedPreferences for critical auth settings.

Debugging Tips #

• Add logs to track isBiometricAuthorized and checkBiometricSupport() results right after an update to narrow down if the issue is data-related or biometric support-related.
• Use adb logcat | grep Biometric to check for system-level errors (e.g., BiometricError codes) that might explain authentication failures.

内容的提问来源于stack exchange，提问作者Luis Felipe de Melo