Mobile fingerprint sensors: more or less secure?

Vendors claim, that a fingerprint sensor in your smartphone is user-friendly and really secure. But it’s not true.

Almost all flagship smartphones have already been equipped with fashionable fingerprints scanners. Vendors claim that biometric sensors improve both user experience and security of mobile devices. But is it true?

Not exactly. For starters, these sensors are not flawless. Old capacitive scanners hardly recognize wet fingerprints, and in any case they often do not work at the first attempt. So if your hands are sweaty in summer or during workouts, your smartphone may dig its heels in and not recognize you. Scars, scratches and other skin flaws also decrease the recognition quality. Moreover, many sensors cannot distinguish a real finger from a cast — and this is a really big hole in security.

Some of these problems may be solved when Qualcomm releases the ultrasonic sensor, which uses ultrasound to scan a 3D image of your finger. It won’t be fooled by a cast of your finger. Besides, the new ultrasonic sensor works even if your finger is dirty or wet. But there are still other threats.

New technologies are always vulnerable — because they are new. It’s not enough to come up with yet another innovation – the thing is it has to be implemented in a secure way, and not all vendors are able to do that. And even if they cope with this task, they definitely won’t do it for version one. On August 2015 a new way to steal fingerprints was discovered — remotely and on a large scale.

Security experts discovered that HTC One Max and Samsung Galaxy S5 smartphones stored fingerprint images in an unencrypted, readable-by-any-app .bmp file — just as a common bitmap picture. Any software, which has access to user’s pictures and Internet, could steal them. Developers produced a patch soon after the discovery but who guarantees that they won’t make similar mistakes with new phones and OS releases?

Moreover, many smartphones have poorly protected sensors, which let malware get the pictures right from the fingerprint scanners. What’s interesting, Apple smartphones turned to be quite secure, as they encrypt fingerprint data from the scanner.

Some vendors (for example, Huawei) use ARM TrustZone technology to protect data on their devices. It works with fingerprints images in a dedicated virtual “world”, which is not accessible for the main OS. As a result, crucial data (such as fingerprints) cannot leak and be used by the third-party apps. Unfortunately, depending on implementation model, this technology can also be flawed.

When you hear that a fingerprint is not a password, and owners cannot share it with other people, forget or eventually show to others — don’t believe it. This year researchers demonstrated how easy it is to steal a fingerprint — remotely, even without a face-to-face contact. One can do it with a quality photo of victim’s fingers. An SLR camera with a good zooming lens or even a magazine photo printed in high resolution are enough. By the way, the same method can be used to fake an iris.

When your password leaks, you can change it in a few minutes, but you have to live with your fingerprints for the rest of your life. What if they are stolen? This is why you should not fully believe marketing promises of popular vendors. If you have a smartphone with a built-in fingerprint sensor, we recommend you to follow these three simple rules.

1. Despite vendors promises, don’t use your fingerprint scanner to authenticate to PayPal and other financial services. This is not safe. Now the phone is in your hands, tomorrow it’s stolen. A thief can easily copy your fingerprints right from the phone surface and use a case to buy something. Compromising passwords is harder — but only if you use them correctly.

2. Usually people choose the index finger or a thumb as their biometric login. It’s convenient, but not right, because these are the fingers we use the most when working with a phone. That’s why it’s quite possible to find an intact print of these fingers on any phone and make a fake case to break your protection — especially as there are a lot of manuals on the Internet. So it’s better to use the little and the ring fingers on the left hand for right-handers and vice versa.

3. A fingerprint scanner is not enough to protect your personal data. If you care about privacy, consider using a special app. For example, Kaspersky Internet Security for Android has built-in Anti-Theft and Personal Contacts functions. They can help you track a stolen phone, remotely wipe all data from the device or hide your text message history and contact list from a beady eye.

In general, fingerprint scanner is a great innovation, which is more useful, than harmful. But don’t rely only on it too much — use the new technology wisely and don’t neglect passwords, two-factor authentication and other security measures.