Fingerprints only ever part of the solution, whether Android or Apple

News by Davey Winder investigates the real value of biometric IDs, particularly fingerprints, on smartphones.

Fingerprint scanning on smartphones came under the spotlight at the Black Hat conference this year, with researchers highlighting vulnerabilities on certain Android devices - which places a question mark over the real security value of such biometric measures.

FireEye researchers discovered that HTC smartphones were storing data from fingerprint scans, necessary to enable biometric security on the devices, as unencrypted .bmp image files where any attacker could easily find them. The researchers point out, for example, that the HTC One Max X device stored the fingerprint as /data/dbgraw.bmp having a 0666 permission setting which equates to being 'world readable' and so any unprivileged process or app could read it at will. If that were not bad enough, every time the fingerprint sensor was used to unlock the handset or access a protected app then that bitmap file was refreshed.

As a consequence, an attacker would be able to collect every swipe the user made and so the chances of getting a good image that could be used for nefarious purposes was very high indeed.

HTC says it was just the HTC One Max that was vulnerable, and that vulnerability has now been fixed. However, the FireEye researchers insist that the fingerprint sensors used by vendors including HTC and Samsung are vulnerable courtesy of it being exposed to attackers. "Although the ARM architecture enables isolating critical peripherals from being accessed outside the TrustZone" they wrote "most vendors fail to utilise this feature to protect fingerprint sensors." Specific handsets said to be at risk included the HTC One Max and Samsung Galaxy S5, and both HTC and Samsung along with other as yet unidentified vendors are said to have rolled out fixes for this issue as well.

However, with support for fingerprint scanners being incorporated into Android, and services such as Android Pay and Apple Pay utilising fingerprints to secure payments, the biometric sensors along with the data they collect are sure to come under increasing scrutiny from cyber-criminals. So, the question is: are fingerprints up to scratch in the world of mobile security?

Adrian Sanabria, senior security analyst at 451 Research, reminds us that fingerprint scanners on mobiles have been introduced almost entirely for user convenience rather than strengthening the security posture of smartphones. "Apple even made a statement when releasing TouchID that it wasn't for security purposes, only as a convenience factor" Sanabria told SC, continuing "But Apple doesn't let you rely solely on a fingerprint for authentication, you still must have a passcode set as a backup."

David Baker, chief security officer at Okta, points to the more open approach of the Android platform as being problematical when it comes to this particular security issue. "There are over 18,000 Android devices and 26,000 unique Android instances out in the wild" he says "not only does the level of capability differ for the different hardware and software makers who leverage the Android OS, there isn't a comprehensive update solution for Android since there are so many device and software makers creating their own devices and systems." Which means that sometimes, when device makers leverage the Android platform, they don't put in place the level of security that Apple has put into their phones.

"HTC and Samsung were found to have several vulnerabilities including insecure storage of fingerprint data and the ability to embed a prefabricated fingerprint in a device" he concludes. All of which is something of a red herring according to Rafe Pilling, security researcher at Dell SecureWorks. Speaking to he said that while it's obvious that vendors and developers should focus on capturing and storing your biometric data securely and not store it in plain text on the device, consumers shouldn't expect a high-security biometric solution on a consumer grade device for their part. "That said" Pilling continued "using the available security features is much better than not, and will raise the bar for anyone that obtains your device and tries to access the contents. While it might be possible to by-pass a security control, that doesn't mean that it will be easy or common knowledge."

Apple appears to come out of all this quite well, it has to be said, so maybe the Android vendors could learn a thing or two from the TouchID implementation on iOS devices? TouchID doesn't store the actual fingerprint captured by the scan, but instead creates a series of geometric data points from the image. Apple explains the security process in technical detail in an iOS security white paper ( however the main thrust is the mathematical representation of your fingerprint cannot be reverse engineered into an actual fingerprint, and the advanced security architecture of the chip that is the Secure Enclave protects this. The data is encrypted and protected with a key available only to the Secure Enclave which is walled off from the rest of the chip, and the rest of iOS.

"That's part of what makes this so frustrating" Sanabria told us "other smartphone makers already had an example of a properly secure implementation available to them, but they still failed. It just looks like carelessness from a security researcher's point of view."

Fingerprint tech is still vulnerable to attack of course, just a different vector has to be applied. In the case of Apple that has been the 'theft' and cloning of fingerprints with various groups claiming success using an assortment of complex methods to achieve this. "Even though it is possible to spoof a fingerprint, it is very difficult to execute" Baker admits "and since the fingerprint is stored on the device, and not the server (and the phone and server talk to a secure intermediary) a hacker would have to individually and physically spoof each device one at a time by stealing actual fingerprints, and cannot access mass fingerprint data."

And that's the key point, although there are always ways around just about any method of securing access to a device, fingerprint represents a useful authentication option and certainly one that is better than nothing at all. "It's all about applying a pragmatic level of security to protect your device and data" concludes Rafe Pilling.

Better than nothing, yes; but what is better than fingerprint scanning for mobile devices? Are biometrics really the answer to mobile device and app security, or should we be looking at more traditional methods of authentication such as 2FA through code generation?

Adrian Sanabria reckons we should forget biometrics as not only can you not change them if, or rather when, they get comprised but also they are simply a poor choice for multi-factor authentication. "The systems we already have in place with token code generation works, and I think the industry will continue to stick with that" he says, although he does admit that the likes of Microsoft's two-factor approach is an interesting step forward. "Rather than make you type in a code, their app simply pops up an approve/deny notification on your phone" he explains, as soon as that choice is made then the target system responds accordingly. "In short" Sanabria concludes "this is analogous to the ongoing quantum encryption debate that keeps popping up: if what we have works, why would we keep trying to fix it?"

Ken Munro, senior partner at Pen Test Partners, agrees and worries that mobile users are getting used to fingerprint scanning as some kind of 1FA wonder authentication. "It works well if used in conjunction with other authentication" he points out, adding "but what we need to get our heads around is biometrics is not the natural successor to the password. We don't need a substitute for the password, it's actually very effective if well managed."

In other words, fingerprint scanners used in conjunction with other forms of ID work well and both benefit and become more robust by association. Dr Steven Furell, senior member of the IEEE and Professor of IT Security at the University of Plymouth, agrees that biometrics play a significant part when it comes to mobile device security specifically because of the convenience they can offer. "If you think about going down the 2FA route with code generation" he remarks "then you need to think about what device is going to generate the code. In many cases, people now use the mobile device itself to do this via an app, and so they won't welcome the prospect of having to carry a separate device to generate codes for accessing their smartphone."

Thomas Bostrøm Jørgensen, CEO at Encap Security, sums it up nicely for us: "Biometrics can never be the answer to mobile security, only ever part of the answer. A single authentication factor, no matter how secure, is always going to be vulnerable to attack. Authentication works best when a number of factors are used (PIN, location, behaviour, etc.) – and the factors used are contextually appropriate, and scale in relation to the risk of the activity taking place."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews