From 61ab66c761306c08cef2be4e9e686318c0c1a0fc Mon Sep 17 00:00:00 2001
From: urikdev
Date: Sat, 21 Mar 2026 08:59:24 -0500
Subject: [PATCH] Fix CodeQL security warnings in biometric
---
 .../keyboard/data/database/DatabaseSecurityManager.kt | 3 +++
 .../keyboard/settings/privacydata/PrivacyDataFragment.kt | 8 ++++----
 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/app/src/main/java/com/urik/keyboard/data/database/DatabaseSecurityManager.kt b/app/src/main/java/com/urik/keyboard/data/database/DatabaseSecurityManager.kt
index 2aa704a..da3e61a 100644
--- a/app/src/main/java/com/urik/keyboard/data/database/DatabaseSecurityManager.kt
+++ b/app/src/main/java/com/urik/keyboard/data/database/DatabaseSecurityManager.kt
@@ -144,6 +144,9 @@ class DatabaseSecurityManager(private val context: Context) {
 setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
 setKeySize(256)
 setUserAuthenticationRequired(false)
+ if (android.os.Build.VERSION.SDK_INT >= android.os.Build.VERSION_CODES.P) {
+ setUnlockedDeviceRequired(true)
+ }
 }.build()
 
 keyGenerator.init(keyGenParameterSpec)
diff --git a/app/src/main/java/com/urik/keyboard/settings/privacydata/PrivacyDataFragment.kt b/app/src/main/java/com/urik/keyboard/settings/privacydata/PrivacyDataFragment.kt
index ad54126..8bb5fb5 100644
--- a/app/src/main/java/com/urik/keyboard/settings/privacydata/PrivacyDataFragment.kt
+++ b/app/src/main/java/com/urik/keyboard/settings/privacydata/PrivacyDataFragment.kt
@@ -342,7 +342,7 @@ class PrivacyDataFragment : PreferenceFragmentCompat() {
 } catch (_: KeyPermanentlyInvalidatedException) {
 regenerateKeyAndCreateCryptoObject()
 } catch (_: Exception) {
- null
+ regenerateKeyAndCreateCryptoObject()
 }
 
 private fun regenerateKeyAndCreateCryptoObject(): BiometricPrompt.CryptoObject? = try {
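Review bot: The added `setUnlockedDeviceRequired(true)` sits in the key-generation spec, so it only takes effect for keys created after this change; a database key already stored under the alias keeps its original authorizations, and nothing in the hunk rotates it. If the warning is meant to be closed for existing installs as well, that needs an explicit re-key path; otherwise a comment such as `// Applies to newly generated keys only; existing keys keep their original authorizations` would document the gap. The key will also be refused while the device is locked, so any database access the keyboard performs on the lock screen (presumably possible for an IME, not visible here) has to handle that failure rather than treat it as corruption. The enclosing builder block starts above the hunk.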
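Review bot: The catch-all branch now discards the existing key on any exception, not only on an invalid key, so a transient Keystore or provider error would silently replace the biometric key. This looks like the migration path for the CBC-to-GCM change in the two later hunks (a key generated with the old block mode should fail `Cipher.init` with an `InvalidKeyException`), and that case can be caught on its own: `} catch (_: InvalidKeyException) { regenerateKeyAndCreateCryptoObject() } catch (_: Exception) { null }`, which also covers `KeyPermanentlyInvalidatedException` as a subclass. Logging the exception class in both branches would make key invalidation and regeneration visible in diagnostics instead of being swallowed. The function this catch belongs to starts above the hunk and the body of `regenerateKeyAndCreateCryptoObject` continues below it, so what regeneration actually deletes is not visible here.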
@@ -369,8 +369,8 @@ class PrivacyDataFragment : PreferenceFragmentCompat() {
 BIOMETRIC_KEY_ALIAS,
 KeyProperties.PURPOSE_ENCRYPT
 )
- .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
- .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
+ .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
+ .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
 .setUserAuthenticationRequired(true)
 .setInvalidatedByBiometricEnrollment(true)
 .build()
@@ -388,7 +388,7 @@ class PrivacyDataFragment : PreferenceFragmentCompat() {
 
 companion object {
 private const val BIOMETRIC_KEY_ALIAS = "urik_learned_words_biometric_key"
- private const val CIPHER_TRANSFORMATION = "AES/CBC/PKCS7Padding"
+ private const val CIPHER_TRANSFORMATION = "AES/GCM/NoPadding"
 private val BIOMETRIC_CHALLENGE = byteArrayOf(0)
 }
 }
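Review bot: The spec for the biometric key sets no key size, while the database key in DatabaseSecurityManager.kt sets `setKeySize(256)` explicitly; here the provider default applies, which I believe is 128 bits for Android Keystore AES. Adding `.setKeySize(256)` after `.setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)` would make the two keys consistent. With GCM the Keystore also expects to generate the IV itself on encryption unless randomized encryption is disabled, so the `Cipher.init` call (outside the hunk) should not pass an IV of its own. The builder chain begins above the hunk.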