Fingerprint Unlock Security: Google Android and Microsoft Hello

Using one’s fingerprint to unlock a mobile device with a touch is fast and convenient. But does it provide sufficient security? More importantly, does biometric unlock provide a level of security comparable to that of the more traditional PIN or passcode? As we found in the first article, Apple has managed to develop a comprehensive fingerprint unlock system that provides just enough security while offering a much greater convenience compared to traditional unlock methods. What’s up with that in the other camp?

Google Android 4.x through 5.1.1: No Fingerprint API

There is no lack of Android smartphones (but no tablets) that come with integrated fingerprint scanners. Samsung Galaxy S5, S6, S7, Motorola Moto Z, SONY Xperia Z5, LG G5, Huawei Ascend Mate 7 and newer flagships, Meizu Pro 5 and a plethora of other devices are using fingerprint scanners without proper support on the native API level.

That said, different manufacturers used very different… everything. From fingerprint scanner technology to authentication API, each of the many OEMs were inventing their own wheel, some of them square. No wonder this led to a number of security breaches. As an example, devices like HTC One Max and Samsung Galaxy S5 were susceptible to fingerprint data storage vulnerability that allowed the attacker to extract fingerprint data from device storage. HTX One Max was particularly sweet, storing the fingerprint image in an uncompressed, unencrypted and unprotected bitmap at /data/dbgraw.bmp. Developers didn’t bother assigning this files permissions other than 0666 (world readable), meaning that any process, even without root privileges, could easily read and extract fingerprints.

• Fingerprints On Mobile Devices: Abusing and Leaking (PDF)

Many more examples of bad implementations can be found with a simple Google query; we won’t bother listing them all. Let’s just say that hopes on having reasonably secure fingerprint authentication on pre-Marshmallow devices are likely unsubstantiated.

Android 6.0: The New Fingerprint API and Nexus Imprint

Since Android 5.0, Google started paying attention to security. Out-of-the box encryption on Nexus 6 (which didn’t work as fast as we hoped) was the first step in the right direction. Android 6.0 Marshmallow that followed was the first version of Android to come with native fingerprint API. Any devices released prior to Android 6.0 that came with fingerprint readers (e.g. Samsung Galaxy S5) used OEM-specific implementations.

Google Nexus 5x and 6p were the first devices running Android 6.0 that implemented the full fingerprint API. Google’s implementation is called Nexus Imprint (a trade name similar to Apple’s Touch ID).

• Google Nexus 6P security features examined (highly recommended)
• Android 6.0 APIs: Fingerprint Authentication
• How fingerprint scanners work: optical, capacitive, and ultrasonic variants explained

Below is an excerpt of Google’s official guidelines for OEMs implementing fingerprint unlock in their smartphones. Considering that this same document already requires OEMs to enable full-disk encryption out of the box, the end result should be quite decent security-wise (but not speed-wise, as we discovered in our previous research).

7.3.10. Fingerprint Sensor Device implementations with a secure lock screen SHOULD include a fingerprint sensor. If a device implementation includes a fingerprint sensor and has a corresponding API for third-party developers, it:

• MUST declare support for the android.hardware.fingerprint feature.
• MUST fully implement the corresponding API as described in the Android SDK documentation [Resources, 95].
• MUST have a false acceptance rate not higher than 0.002%.
• Is STRONGLY RECOMMENDED to have a false rejection rate not higher than 10%, and a latency from when the fingerprint sensor is touched until the screen is unlocked below 1 second, for 1 enrolled finger.
• MUST rate limit attempts for at least 30 seconds after 5 false trials for fingerprint verification.
• MUST have a hardware-backed keystore implementation, and perform the fingerprint matching in a Trusted Execution Environment (TEE) or on a chip with a secure channel to the TEE.
• MUST have all identifiable fingerprint data encrypted and cryptographically authenticated such that they cannot be acquired, read or altered outside of the Trusted Execution Environment (TEE) as documented in the implementation guidelines on the Android Open Source Project site [Resources, 96].
• MUST prevent adding a fingerprint without first establishing a chain of trust by having the user confirm existing or add a new device credential (PIN/pattern/password) using the TEE as implemented in the Android Open Source project.
• MUST NOT enable 3rd-party applications to distinguish between individual fingerprints.
• MUST honor the DevicePolicyManager.KEYGUARD_DISABLE_FINGERPRINT flag.
• MUST, when upgraded from a version earlier than Android 6.0, have the fingerprint data securely migrated to meet the above requirements or removed.
• SHOULD use the Android Fingerprint icon provided in the Android Open Source Project.

Source (PDF)

As we can see, Google sets both hardware and software requirements for OEMs to follow if they want to use Google Android in their devices. In our view, the most important points are:

• OEM’s must adhere to the new Android fingerprint API in full. Lousy implementations (as in Samsung Galaxy S5) are not allowed.
• Fingerprint data must be stored and authenticated inside of the Trusted Execution Environment.
• There must be a delay of at least 30 seconds between subsequent attempts after 5 unsuccessful trials.
• Adding or altering fingerprints must be preceded with PIN/pattern/password authentication.
• Most importantly, ALL devices equipped with fingerprint readers that are upgrading to Android 6.0 from MUST adhere to the new guidelines completely.

So, at least in theory, Android 6 smartphones should have a pretty straightforward implementation of fingerprint unlock. Which, however, does not mean that these systems cannot be fooled.

Android Smart Lock Helps Bypass Security

Android has always been lax on unlock security requirements. Your phone is just as secure as you allow it to be. Android Smart Lock is one system that can effectively bypass all other security measures when you are in a known location (e.g. at or around your home or office), or of the phone is connected to a known Bluetooth device, or if the phone detects it’s still in your pocket, or if you simply look at it in a certain way. Smart Lock is disabled by most concise security policies, but individual users are often suggested to use Smart Lock, which reduces the number of times they have to unlock their device.

• Set up your device for automatic unlock

Using Android Smart Lock in a lab may help experts access locked Android devices. Depending on how the user configured their phone, the device may be unlocked if:

• It is brought to a trusted location (such as the user’s home or office)
• The phone is connected to a known Bluetooth device (e.g. car audio or handsfree)
• The phone can recognize the user’s face (a print may or may not work depending on the version of Android and OEM implementation)

Note that Smart Lock is unavailable on devices that have been power-cycled or rebooted.

How Does It Compare?

Considering the above, how does Android implementation of fingerprint unlock compare to Apple Touch ID?

Apple’s implementation of fingerprint unlock was exemplary. Unfortunately, we cannot say the same for Android in general. “Widely inconsistent” would be the right term for describing the situation. While Google Nexus devices (namely, Nexus 5x and 6p) do have a proper and secure implementation of fingerprint unlock (Nexus Imprint), the market share of Nexus devices is extremely small. Other Android OEM’s may or may not have it nailed down. Without full-disk encryption (which is required out of the box on all high-end devices since Android 6.0 but was not on the table for older devices), any sort of lock screen security is pointless. With encryption enabled out of the box (as in Nexus 5x and 6p and all flagship devices running Android 6 out of the box), the current (Android 6.0) implementation offers a well thought through security model. At the same time, on those same devices (including Nexus 5x and 6p) Android Smart Lock can be configured in a way that renders the entire security model pointless.

Any Android devices that shipped with a fingerprint scanner prior to Android 6.0 (which was the first version of Android to include a native fingerprint API) may or (more likely) may not have a secure implementation of fingerprint unlock.

Finally, the sheer number and variety of Android devices led to a wide variety of technologies used for scanning fingerprints. Some of these technologies can be easily fooled, allowing attackers to bypass fingerprint unlock by presenting a fingerprint image.

Bonus Chapter: Windows 10 Hello

Not everyone knows, but there is also a third mobile platform on the market. Microsoft Windows 10 Mobile supports biometric unlock, yet Microsoft decided to make something different. Lumia 950 and 950 XL received a different form of biometric unlock: the ‘Hello’ system.

Windows Hello uses a depth-sensitive camera to scan the user’s iris, which is then used as a secure fingerprint to facilitate biometric login. Just looking into the camera of a Windows 10 Mobile device (currently, Microsoft Lumia 950 and 950 XL are the only devices supporting the feature) is enough to unlock the phone (http://windows.microsoft.com/en-us/windows-10/getstarted-about-windows-hello-mobile). Similar to Apple’s implementation, activating biometric identification and performing the initial unlock (after restarting or powering on the device) must be done with a PIN code. Subsequent unlocking can be made by looking into the camera.

Since there are so few Windows 10 Mobile devices around (and even fewer high-end 950-series devices), we are not aware of any serious security research performed on this login system. Can it be spoofed by showing a high-resolution photograph? We never tried.

More on Windows 10 Hello:

• How Secure Is Windows Hello?
• How the iris scanner on the Lumia 950 and 950 XL works