Biometric injection overview

Biometric injection, also referred to as biometric testing, is a key subcategory of sensor testing focused on ensuring app security by simulating user authentication through fingerprint and facial recognition. These simulations allow testers to validate how applications respond to biometric authentication events (both successful and failed) without needing to physically interact with the device.

Biometric testing is ideal for validating:

• Login and secure access workflows

• App behavior when authentication fails or is canceled

• Error handling for lockouts and fallback scenarios

• Conditional flows based on authentication results

Biometric injection is supported across manual, automation, and Scriptless Mobile testing.

Perfecto supports fingerprint injection on available Android devices and Face ID injection on available iOS devices.

Biometric injection requirements

• Face ID injection requires iPhone X or later

• Automation testing: An application identifier is required: BundleID for iOS or PackageName for Android.

Biometric injection limitations

• Automation testing: Perfecto does not support devices running iOS 15 or later that are locked with a passcode. On such devices, Perfecto's sensor instrumentation simulates the device's behavior as if it was locked with a passcode, allowing for sensor authentication testing.

• Face ID injection: Not currently supported on Android devices.

• Fingerprint injection: 

  • Not supported on the available iOS devices (they support Face ID)

  • Not supported for applications created with the Xamarin environment when using the Secure Keychain interface library.

  • Not designed to test the mobile OS behavior but rather to test how an app responds to various authentication results. For example, each mobile OS may decide to lock the user out of subsequent authentication attempts after a certain number of failed attempts. However, when using this feature, authentication does not go through the OS itself. Therefore, the automatic OS behavior will not apply. To test how the app responds to a case where the user has been locked out, Perfecto supports injecting this error code explicitly using the fingerprint injection command.

Generic test steps for biometric authentication

When testing or automating an application that uses face ID or fingerprint authentication, either manually or as part of an automation script, follow these steps:

1. Select the device on which to run the application. Be sure that the device selected supports the desired authentication feature.

2. Install the application onto the device. Use Perfecto's sensor instrumentation to prepare the application for testing/automation.

3. Start the application.

4. When the application reaches the point of authentication (that is when the authentication dialog box opens), do the following:

   • If testing manually or using Scriptless Mobile, trigger the desired authentication result by using the options available with the fingerprint/face ID option. For more information, see Inject biometric data (manual testing) or Inject biometric data (Scriptless Mobile).

   • If using automation, invoke the Set sensor authentication command to supply the authentication response.

5. Make sure that the application has responded to the authentication result as expected.

Possible error messages

The following error messages may appear during biometric injection:

• Target application is not instrumented: Appears if you activate the injection when the active application is not instrumented for sensor authentication simulation.

• Operation timed out: Appears if you activate the injection when the application is not accessing the sensor reader.

• Fingerprint command not supported: Appears if the device does not support the sensor reader hardware or is running a version of the device OS that does not support the functionality.

• BACKEND_FAILURE_ERROR: setSensorAuthentication command failed. Reason: handset server: Connection error: Appears if you have multiple applications with sensor instrumentation open.

Special considerations for iOS devices

When the application is instrumented with biometric sensor instrumentation, the OS does not prompt the user to provide authentication, and Perfecto intercedes and provides the following prompt: "Touch ID authentication. Activate the Perfecto Face ID command"

In the past, devices were expected to undergo an enrollment procedure to enable biometric instrumentation. This is no longer mandatory. Devices that were enrolled in the past may remain as they are.

Perfecto's iOS biometric implementation currently does not support the scenarios described in the following table.

Scenario	Workaround
The app is moved to the background during an authentication command.	None
Enrolled devices only: The OS authentication prompt is canceled.	To simulate how the app responds in this situation, explicitly inject userCancel.
Enrolled devices only: The OS message “Try Face ID / Touch ID again” appears.	None. This does not affect the app because it does not receive any notification from the OS when this message is displayed
Enrolled devices only: The OS message "Reached max failed authentication attempts" appears.	To simulate how the app responds in this situation, explicitly inject lockout.

Special considerations for Android devices

On Android, Perfecto supports injecting a fingerprint into apps using the legacy Fingerprint API as well as the newer Biometric API.

When injecting fingerprint authentication results into the app, the app behavior varies according to the API used:

• For apps using the Fingerprint API, the normal app/OS authentication pop-up window will appear.
• For apps using the Biometric API, due to technical reasons, a custom Perfecto pop-up window similar to the original OS pop-up window is used to indicate that authentication is needed. When fingerprint injection fails, a text message indicates the result.
• To test how the app responds when a user has been locked out, you can inject the error code explicitly by using the fingerprint injection command with the errorType parameter set to Lock Out. For more information, see Set fingerprint.

Where to go from here?

To perform biometric injection, check out the following articles:

• Manual testing: Inject biometric data

• Scriptless testing: Inject biometric data

• Automation testing: Inject biometric data with Appium

  Perfecto extension: Set fingerprint (FR)