So I dug a lot deeper into the biometric verification and found some things out. The biometric verification alone is practically useless: all it returns is a yes/no answer and no real biometric data. If we use it alone anyone can easily spoof it. What I came up with is this approach where we combine the biometric check with hardware attestation.

Android attestation:
1. Generate a Play Integrity token on the device, with the request hash bound to the logged-in user id (to prevent replay attacks). The user id on its own is static and predictable, so hash it together with a single-use nonce the server issued for this login; the server then consumes the nonce on first use, and a captured token cannot be replayed later.
2. Send the generated integrity token to the server
3. Server sends the token to Google's servers to verify it and decrypt the data (the decodeIntegrityToken call)
- At this point the decoded response carries a device integrity verdict (deviceIntegrity.deviceRecognitionVerdict). It is a list of labels: MEETS_BASIC_INTEGRITY, MEETS_DEVICE_INTEGRITY and MEETS_STRONG_INTEGRITY, where each stronger label implies the weaker ones.
- Since Android allows rooting, which basically grants you admin access to your entire OS, a rooted device (or one with an unlocked bootloader) fails the device-integrity check: it gets at most MEETS_BASIC_INTEGRITY, or an empty verdict.
- This is highly unsafe because it is not backed by hardware attestation.
- We need to reject this.
- MEETS_STRONG_INTEGRITY means the device passed a hardware-backed proof of boot integrity (its verified-boot state attested through the TEE) and has a recent security update, so the device can be trusted. Two caveats: the token itself is issued by Google Play services, the TEE backs the verdict rather than generating the token; and an unrooted stock device that lacks that hardware support or is behind on security updates only gets MEETS_DEVICE_INTEGRITY, so requiring STRONG turns those users away. Decide up front whether DEVICE integrity is acceptable for lower-risk actions.
4. If the data is correct (package name, request hash, timestamp, app recognized by Play) and the verdict is hardware backed, we can pass all the checks.

iOS attestation:
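The server-side half of the Android flow above, as an added example that is not code from the original post. It assumes the server has already called Google's decodeIntegrityToken endpoint and holds the decoded JSON payload; the field names follow the documented Play Integrity response format, while the package name, token age limit, nonce store and sample payloads are constructed for this example. It shows the nonce-plus-user-id binding for replay protection, and why a rooted device's BASIC-only verdict is rejected while a hardware-backed STRONG verdict passes.

```python
"""Policy check for a decoded Play Integrity verdict (added example, not from the post)."""
import hashlib
import secrets
import time
from typing import Dict, List, Optional, Tuple

EXPECTED_PACKAGE = "com.example.app"  # assumption: your app's package name
MAX_TOKEN_AGE_MS = 5 * 60 * 1000       # assumption: reject tokens older than 5 minutes

# Single-use nonces handed to clients at login: nonce -> user_id.
# Constructed for the example; a real server keeps this in a short-TTL cache.
ISSUED_NONCES: Dict[str, str] = {}


def issue_nonce(user_id: str) -> str:
    """Give the client a fresh, unpredictable nonce bound to the logged-in user."""
    nonce = secrets.token_urlsafe(32)
    ISSUED_NONCES[nonce] = user_id
    return nonce


def expected_request_hash(nonce: str, user_id: str) -> str:
    """Value the client must pass as the Play Integrity request hash: SHA-256 of nonce and user id."""
    return hashlib.sha256(f"{nonce}:{user_id}".encode()).hexdigest()


def check_verdict(payload: dict, nonce: str, user_id: str,
                  now_ms: Optional[int] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). The nonce is consumed on first use, so a replayed token fails."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms

    # Replay protection: the nonce must exist, be unused, and belong to this user.
    if ISSUED_NONCES.pop(nonce, None) != user_id:
        return False, "unknown, already used, or mismatched nonce"

    req = payload.get("requestDetails", {})
    if req.get("requestPackageName") != EXPECTED_PACKAGE:
        return False, "package name mismatch"
    if req.get("requestHash") != expected_request_hash(nonce, user_id):
        return False, "request hash does not bind this nonce and user"
    if now_ms - int(req.get("timestampMillis", 0)) > MAX_TOKEN_AGE_MS:
        return False, "token too old"

    if payload.get("appIntegrity", {}).get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        return False, "app not recognized by Play"

    # Device verdict: only a hardware-backed verdict is accepted. A rooted device
    # carries at most MEETS_BASIC_INTEGRITY (or nothing) and is rejected here.
    labels = set(payload.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", []))
    if "MEETS_STRONG_INTEGRITY" not in labels:
        return False, f"device verdict not hardware backed: {sorted(labels) or 'none'}"
    return True, "ok"


def sample_payload(nonce: str, user_id: str, labels: List[str]) -> dict:
    """Constructed decoded payload shaped like a decodeIntegrityToken response."""
    return {
        "requestDetails": {
            "requestPackageName": EXPECTED_PACKAGE,
            "requestHash": expected_request_hash(nonce, user_id),
            "timestampMillis": "1000",
        },
        "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED"},
        "deviceIntegrity": {"deviceRecognitionVerdict": labels},
    }


if __name__ == "__main__":
    strong = ["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY", "MEETS_STRONG_INTEGRITY"]
    n = issue_nonce("user-42")
    print(check_verdict(sample_payload(n, "user-42", strong), n, "user-42", now_ms=2000))
    print(check_verdict(sample_payload(n, "user-42", strong), n, "user-42", now_ms=2000))  # replay
    n = issue_nonce("user-42")
    print(check_verdict(sample_payload(n, "user-42", ["MEETS_BASIC_INTEGRITY"]), n, "user-42", now_ms=2000))
```

The nonce is popped before any other check so that even a token that fails later cannot be retried, and the request hash check ties the token to that nonce and user rather than to the user id alone.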
1. It uses App Attest to generate a hardware-backed attestation object
- It's in X.509 certificate chain format. I need to look more into this, but basically it's something we can verify server side through a public root certificate from Apple
- We can still use the user id to prevent replay
2. Send it to the server
3. The server verifies it by doing the appropriate checks to verify X.509 certificate chains. Again, I need to look more into this
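The structural checks on an App Attest attestation, as an added example that is not code from the original post. It covers the checks Apple documents for the authenticator data and for the nonce that binds the attestation to the server's challenge (nonce = SHA-256 of authenticator data followed by the client data hash, which Apple places in the leaf certificate). The X.509 chain verification against Apple's App Attest root CA and the extraction of that nonce from the leaf certificate's extension need real certificates and are not shown; the function takes the extracted nonce as an input. The App ID, the challenge, the key id and the authenticator data bytes are constructed so the example runs offline.

```python
"""Server-side App Attest checks, excluding the X.509 chain itself (added example)."""
import hashlib
import struct
from typing import Tuple

APP_ID = "TEAMID1234.com.example.app"   # assumption: <team id>.<bundle id>
AAGUID_PROD = b"appattest" + b"\x00" * 7  # Apple's production aaguid
AAGUID_DEV = b"appattestdevelop"           # Apple's development aaguid


def client_data_hash(server_challenge: bytes, user_id: str) -> bytes:
    """What the app hashes before calling attestKey: server challenge plus user id (example layout)."""
    return hashlib.sha256(server_challenge + b":" + user_id.encode()).digest()


def expected_nonce(auth_data: bytes, cdh: bytes) -> bytes:
    """Apple's binding: SHA256(authenticatorData || clientDataHash)."""
    return hashlib.sha256(auth_data + cdh).digest()


def parse_auth_data(auth_data: bytes) -> dict:
    """Split: rpIdHash(32) | flags(1) | signCount(4, BE) | aaguid(16) | credIdLen(2, BE) | credentialId."""
    if len(auth_data) < 55:
        raise ValueError("authenticator data too short")
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    cred_len = struct.unpack(">H", auth_data[53:55])[0]
    cred_id = auth_data[55:55 + cred_len]
    if len(cred_id) != cred_len:
        raise ValueError("truncated credentialId")
    return {"rp_id_hash": auth_data[:32], "flags": auth_data[32], "sign_count": sign_count,
            "aaguid": auth_data[37:53], "credential_id": cred_id}


def verify_attestation(auth_data: bytes, key_id: bytes, cert_nonce: bytes, cdh: bytes,
                       production: bool = True) -> Tuple[bool, str]:
    """Checks Apple lists for the attestation object; cert chain validation is assumed done already."""
    try:
        ad = parse_auth_data(auth_data)
    except ValueError as e:
        return False, str(e)
    # Replay/binding: the nonce in the leaf cert must cover this challenge and user.
    if cert_nonce != expected_nonce(auth_data, cdh):
        return False, "nonce in certificate does not bind this challenge"
    if ad["rp_id_hash"] != hashlib.sha256(APP_ID.encode()).digest():
        return False, "RP ID hash is not SHA256(App ID)"
    if ad["sign_count"] != 0:
        return False, "counter must be 0 for a fresh attestation"
    if ad["aaguid"] != (AAGUID_PROD if production else AAGUID_DEV):
        return False, "unexpected aaguid"
    # The key identifier the app sends is SHA256 of the public key and must equal credentialId.
    if ad["credential_id"] != key_id:
        return False, "credentialId does not match key identifier"
    return True, "ok"


def build_auth_data(key_id: bytes, aaguid: bytes = AAGUID_PROD, sign_count: int = 0) -> bytes:
    """Constructed authenticator data for the example (the trailing COSE public key is omitted)."""
    return (hashlib.sha256(APP_ID.encode()).digest() + b"\x45"
            + struct.pack(">I", sign_count) + aaguid + struct.pack(">H", len(key_id)) + key_id)


if __name__ == "__main__":
    kid = hashlib.sha256(b"constructed public key").digest()  # constructed key identifier
    ad = build_auth_data(kid)
    cdh = client_data_hash(b"server-challenge", "user-42")
    print(verify_attestation(ad, kid, expected_nonce(ad, cdh), cdh))
    print(verify_attestation(ad, kid, expected_nonce(ad, cdh), client_data_hash(b"other", "user-42")))
```

In a real deployment the server also stores the key id after a successful attestation and later verifies per-request assertions against it; the challenge should be single-use and issued by the server, with the user id hashed in alongside it rather than used on its own.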