Fingerprint Unlock Security: Google Android and Microsoft Hello
Using one’s fingerprint to unlock a mobile device with a touch is fast and convenient. But does it provide sufficient security? More importantly, does biometric unlock provide a level of security comparable to that of the more traditional PIN or passcode? As we found in the first article, Apple has managed to develop a comprehensive fingerprint unlock system that provides just enough security while offering a much greater convenience compared to traditional unlock methods. What’s up with that in the other camp?
Google Android 4.x through 5.1.1: No Fingerprint API
There is no lack of Android smartphones (but no tablets) that come with integrated fingerprint scanners. Samsung Galaxy S5, S6, S7, Motorola Moto Z, SONY Xperia Z5, LG G5, Huawei Ascend Mate 7 and newer flagships, Meizu Pro 5 and a plethora of other devices are using fingerprint scanners without proper support on the native API level.
That said, different manufacturers used very different… everything. From fingerprint scanner technology to authentication API, each of the many OEMs were inventing their own wheel, some of them square. No wonder this led to a number of security breaches. As an example, devices like HTC One Max and Samsung Galaxy S5 were susceptible to fingerprint data storage vulnerability that allowed the attacker to extract fingerprint data from device storage. HTX One Max was particularly sweet, storing the fingerprint image in an uncompressed, unencrypted and unprotected bitmap at /data/dbgraw.bmp. Developers didn’t bother assigning this files permissions other than 0666 (world readable), meaning that any process, even without root privileges, could easily read and extract fingerprints.
Many more examples of bad implementations can be found with a simple Google query; we won’t bother listing them all. Let’s just say that hopes on having reasonably secure fingerprint authentication on pre-Marshmallow devices are likely unsubstantiated.
Android 6.0: The New Fingerprint API and Nexus Imprint
Since Android 5.0, Google started paying attention to security. Out-of-the box encryption on Nexus 6 (which didn’t work as fast as we hoped) was the first step in the right direction. Android 6.0 Marshmallow that followed was the first version of Android to come with native fingerprint API. Any devices released prior to Android 6.0 that came with fingerprint readers (e.g. Samsung Galaxy S5) used OEM-specific implementations.
Google Nexus 5x and 6p were the first devices running Android 6.0 that implemented the full fingerprint API. Google’s implementation is called Nexus Imprint (a trade name similar to Apple’s Touch ID).
- Google Nexus 6P security features examined (highly recommended)
- Android 6.0 APIs: Fingerprint Authentication
- How fingerprint scanners work: optical, capacitive, and ultrasonic variants explained
Below is an excerpt of Google’s official guidelines for OEMs implementing fingerprint unlock in their smartphones. Considering that this same document already requires OEMs to enable full-disk encryption out of the box, the end result should be quite decent security-wise (but not speed-wise, as we discovered in our previous research).
7.3.10. Fingerprint Sensor Device implementations with a secure lock screen SHOULD include a fingerprint sensor. If a device implementation includes a fingerprint sensor and has a corresponding API for third-party developers, it:
- MUST declare support for the android.hardware.fingerprint feature.
- MUST fully implement the corresponding API as described in the Android SDK documentation [Resources, 95].
- MUST have a false acceptance rate not higher than 0.002%.
- Is STRONGLY RECOMMENDED to have a false rejection rate not higher than 10%, and a latency from when the fingerprint sensor is touched until the screen is unlocked below 1 second, for 1 enrolled finger.
- MUST rate limit attempts for at least 30 seconds after 5 false trials for fingerprint verification.
- MUST have a hardware-backed keystore implementation, and perform the fingerprint matching in a Trusted Execution Environment (TEE) or on a chip with a secure channel to the TEE.
- MUST have all identifiable fingerprint data encrypted and cryptographically authenticated such that they cannot be acquired, read or altered outside of the Trusted Execution Environment (TEE) as documented in the implementation guidelines on the Android Open Source Project site [Resources, 96].
- MUST prevent adding a fingerprint without first establishing a chain of trust by having the user confirm existing or add a new device credential (PIN/pattern/password) using the TEE as implemented in the Android Open Source project.
- MUST NOT enable 3rd-party applications to distinguish between individual fingerprints.
- MUST honor the DevicePolicyManager.KEYGUARD_DISABLE_FINGERPRINT flag.
- MUST, when upgraded from a version earlier than Android 6.0, have the fingerprint data securely migrated to meet the above requirements or removed.
- SHOULD use the Android Fingerprint icon provided in the Android Open Source Project.
As we can see, Google sets both hardware and software requirements for OEMs to follow if they want to use Google Android in their devices. In our view, the most important points are:
- OEM’s must adhere to the new Android fingerprint API in full. Lousy implementations (as in Samsung Galaxy S5) are not allowed.
- Fingerprint data must be stored and authenticated inside of the Trusted Execution Environment.
- There must be a delay of at least 30 seconds between subsequent attempts after 5 unsuccessful trials.
- Adding or altering fingerprints must be preceded with PIN/pattern/password authentication.
- Most importantly, ALL devices equipped with fingerprint readers that are upgrading to Android 6.0 from MUST adhere to the new guidelines completely.
So, at least in theory, Android 6 smartphones should have a pretty straightforward implementation of fingerprint unlock. Which, however, does not mean that these systems cannot be fooled.
Android Smart Lock Helps Bypass Security
Android has always been lax on unlock security requirements. Your phone is just as secure as you allow it to be. Android Smart Lock is one system that can effectively bypass all other security measures when you are in a known location (e.g. at or around your home or office), or of the phone is connected to a known Bluetooth device, or if the phone detects it’s still in your pocket, or if you simply look at it in a certain way. Smart Lock is disabled by most concise security policies, but individual users are often suggested to use Smart Lock, which reduces the number of times they have to unlock their device.
Using Android Smart Lock in a lab may help experts access locked Android devices. Depending on how the user configured their phone, the device may be unlocked if:
- It is brought to a trusted location (such as the user’s home or office)
- The phone is connected to a known Bluetooth device (e.g. car audio or handsfree)
- The phone can recognize the user’s face (a print may or may not work depending on the version of Android and OEM implementation)
Note that Smart Lock is unavailable on devices that have been power-cycled or rebooted.
How Does It Compare?
Considering the above, how does Android implementation of fingerprint unlock compare to Apple Touch ID?
Apple’s implementation of fingerprint unlock was exemplary. Unfortunately, we cannot say the same for Android in general. “Widely inconsistent” would be the right term for describing the situation. While Google Nexus devices (namely, Nexus 5x and 6p) do have a proper and secure implementation of fingerprint unlock (Nexus Imprint), the market share of Nexus devices is extremely small. Other Android OEM’s may or may not have it nailed down. Without full-disk encryption (which is required out of the box on all high-end devices since Android 6.0 but was not on the table for older devices), any sort of lock screen security is pointless. With encryption enabled out of the box (as in Nexus 5x and 6p and all flagship devices running Android 6 out of the box), the current (Android 6.0) implementation offers a well thought through security model. At the same time, on those same devices (including Nexus 5x and 6p) Android Smart Lock can be configured in a way that renders the entire security model pointless.
Any Android devices that shipped with a fingerprint scanner prior to Android 6.0 (which was the first version of Android to include a native fingerprint API) may or (more likely) may not have a secure implementation of fingerprint unlock.
|Apple iOS Touch ID||Android 4.4-5.1.1||Android 6.0 – 7.0|
|Passcode required after cold boot||OEM-dependent, most devices can be unlocked with a fingerprint after cold boot||No set requirements, OEMs are allowed to build devices that can be unlocked with a fingerprint after cold boot|
|Touch ID expires after 48 hours (or after 6 hours if not unlocked with a passcode during the last 24 hours)||Fingerprint unlock never expires||No set requirements on fingerprint unlock expiry. Most devices can be unlocked with a fingerprint after extended periods of idling/storage.|
|Adding a fingerprint requires passcode authentication (must enter the correct passcode before registering or altering fingerprints)||No set requirements. In some devices, fingerprints could be registered on unlocked devices without entering the passcode.||Similar to Touch ID, must authenticate with passcode/pattern/PIN before registering fingerprints.|
|Hardware-backed storage (Secure Enclave)||Basically, a joke. Some devices stored fingerprints as user-accessible files. Some OEMs were using ARM TrustZone implementation, and some not.||Hardware-backed storage (Trusted Execution Environment) mandated for all devices running Android 6.0 out of the box or upgrading to Android 6.0|
|A compromised kernel (e.g. jailbreak) does not expose encrypted data until the device is unlocked with a passcode.||A compromised kernel (e.g. root, unlocked bootloader, custom recovery) exposes complete access to everything.||A compromised kernel still leads to a compromised security model, allowing bypassing screen lock and decrypting device content.|
|Each Touch ID sensor is individually paired with Secure Enclave. Unauthorized replacement of the Home button renders Touch ID unusable (users must authenticate with passcode only).||Nothing like that. Any compatible sensor would do the trick.||No set requirements in Android 6.0 specifications. Any replacement sensor would do the trick.|
|Last generation Touch ID (iPhone 6s and 6s Plus) offer fast and reliable unlock.||Varies widely between OEMs. Some devices are notably better than others, some are totally unusable.||Nexus 5x and 6p offer exemplary implementations via Nexus Imprint. Unfortunately, the same cannot be said about every other OEM. Fingerprint unlock in some Android 6.0 devices still works better than with other devices, and some are still unusable.|
Finally, the sheer number and variety of Android devices led to a wide variety of technologies used for scanning fingerprints. Some of these technologies can be easily fooled, allowing attackers to bypass fingerprint unlock by presenting a fingerprint image.
Bonus Chapter: Windows 10 Hello
Not everyone knows, but there is also a third mobile platform on the market. Microsoft Windows 10 Mobile supports biometric unlock, yet Microsoft decided to make something different. Lumia 950 and 950 XL received a different form of biometric unlock: the ‘Hello’ system.
Windows Hello uses a depth-sensitive camera to scan the user’s iris, which is then used as a secure fingerprint to facilitate biometric login. Just looking into the camera of a Windows 10 Mobile device (currently, Microsoft Lumia 950 and 950 XL are the only devices supporting the feature) is enough to unlock the phone (http://windows.microsoft.com/en-us/windows-10/getstarted-about-windows-hello-mobile). Similar to Apple’s implementation, activating biometric identification and performing the initial unlock (after restarting or powering on the device) must be done with a PIN code. Subsequent unlocking can be made by looking into the camera.
Since there are so few Windows 10 Mobile devices around (and even fewer high-end 950-series devices), we are not aware of any serious security research performed on this login system. Can it be spoofed by showing a high-resolution photograph? We never tried.
More on Windows 10 Hello: