Apply suggestions from documentation review

Co-authored-by: Sam Browning <[email protected]>

Author: joefarebrother

java/ql/src/Security/CWE/CWE-287/AndroidInsecureKeys.qhelp

@@ -5,9 +5,9 @@
 
 <overview>
 <p>
-Biometric authentication such as fingerprint recognition can be used alongside cryptographic keys stored in the Android <code>KeyStore</code> to protect sensitive parts of the application. However, 
-when a key generated for this purpose has certain parameters set insecurely, it can allow an attacker with physical access to bypass the 
-authentication check, using application hooking tools such as Frida.
+Biometric authentication, such as fingerprint recognition, can be used alongside cryptographic keys stored in the Android <code>KeyStore</code> to protect sensitive parts of the application. However, 
+when a key generated for this purpose has certain parameters set insecurely, an attacker with physical access can bypass the 
+authentication check using application hooking tools such as Frida.
 </p>
 </overview>
 
@@ -16,9 +16,9 @@ authentication check, using application hooking tools such as Frida.
 When generating a key for use with biometric authentication, ensure that the following parameters of <code>KeyGenParameterSpec.Builder</code> are set:
 </p>
 <ul>
-<li><code>setUserAuthenticationRequired</code> should be set to <code>true</code>; otherwise the key can be used without user authentication.</li>
-<li><code>setInvalidatedByBiometricEnrollment</code> should be set to <code>true</code> (the default); otherwise an attacker can use the key by enrolling additional biometrics on the device.</li>
-<li><code>setUserAuthenticationValidityDurationSeconds</code>, if used, should be set to <code>-1</code>; otherwise non-biometric (less secure) credentials can be used to access the key. <code>setUserAuthenticationParameters</code> is instead recommended to explicitly set both the timeout and the types of credentials that may be used.</li>
+<li><code>setUserAuthenticationRequired</code> should be set to <code>true</code>; otherwise, the key can be used without user authentication.</li>
+<li><code>setInvalidatedByBiometricEnrollment</code> should be set to <code>true</code> (the default); otherwise, an attacker can use the key by enrolling additional biometrics on the device.</li>
+<li><code>setUserAuthenticationValidityDurationSeconds</code>, if used, should be set to <code>-1</code>; otherwise, non-biometric (less secure) credentials can be used to access the key. We recommend using <code>setUserAuthenticationParameters</code> instead to explicitly set both the timeout and the types of credentials that may be used.</li>
 </ul>
 
 </recommendation>
@@ -33,10 +33,10 @@ When generating a key for use with biometric authentication, ensure that the fol
 
 <references>
 <li>
-WithSecure: <a href="https://labs.withsecure.com/publications/how-secure-is-your-android-keystore-authentication">How Secure is your Android Keystore Authentication?</a>
+WithSecure: <a href="https://labs.withsecure.com/publications/how-secure-is-your-android-keystore-authentication">How Secure is your Android Keystore Authentication?</a>.
 </li>
 <li>
-Android Developers: <a href="https://developer.android.com/reference/android/security/keystore/KeyGenParameterSpec.Builder">KeyGenParameterSpec.Builder</a>
+Android Developers: <a href="https://developer.android.com/reference/android/security/keystore/KeyGenParameterSpec.Builder">KeyGenParameterSpec.Builder</a>.
 </li>
 
 </references>

java/ql/src/Security/CWE/CWE-287/AndroidInsecureKeys.ql

@@ -1,6 +1,6 @@
 /**
  * @name Insecurely generated keys for local authentication
- * @description Keys used for local biometric authentication should be generated with secure parameters.
+ * @description Generation of keys with insecure parameters for local biometric authentication can allow attackers with physical access to bypass authentication checks.
  * @kind problem
  * @problem.severity warning
  * @security-severity 4.4