One of the big features Android 6.0 Marshmallow brings to the table is an official Android fingerprint API. The new Nexus 5X and 6P smartphones which will be available this month will be the first devices to include Nexus Imprint, Google’s name for the fingerprint scanner, which will use this API. How secure is Nexus Imprint and how does it work?
It’s a fair question, and a very important one, because unlike passwords which can be changed when they are leaked or stolen, you can’t just change your fingerprint.
I was impressed with Apple’s implementation of Touch ID when it came out on the iPhone 5S two years ago. Several Android manufacturers have since come up with their own fingerprint readers, but I worry about how securely the system has been implemented. Furthermore, this is something that needs to be properly baked into the platform, not something you slap on. It doesn’t help much that the hardware manufacturers haven’t shared much about the inner workings of their fingerprint security.
With Android Marshmallow, Nexus Imprint is used to unlock devices. Apps can also request fingerprint verification before authorising an app action. For example, Android Pay may request fingerprint verification to ascertain that you are authorising a payment.
I’m keen to know how Android Marshmallow and Nexus Imprint handle fingerprints. Now, I’ve not actually dived into any code or dissected any hardware. Everything I’m sharing in this post is based on information published online, mostly from Google’s own webpages like this one on Fingerprint security on Nexus devices.
Android’s fingerprint security basically comes down to just this:
Your fingerprint data is stored securely on the device, and never leaves the device. It is never shared and never backed up.
If you don’t want or don’t need to know the details, then you can just stop at that. But we, or at least I hope you do since you’re reading this post, want to know more.
Let’s first talk about how the data is stored.
- Capturing and recognising your fingerprint happens in a secure part of the device hardware known as a Trusted Execution Environment.
- Images of your fingerprint are inaccessible outside of the sensor hardware or trusted memory.
- Only the encrypted form of fingerprint data is stored in the device storage, even if that storage is already itself encrypted.
- Processed versions of the raw fingerprint images are cryptographically protected so that they are unreadable except on the same device for the user who enrolled them.
- Fingerprint data is removed from the device when your account is removed.
- Rooting a device will not compromise the fingerprint data.
To some extent, this reads a little like how Apple has made Touch ID. A crucial component is with secure isolated hardware that provides protection against malware.
Your fingerprint data does not leave the device, so Google doesn’t have a copy of it, and there are no backups of it anywhere on the cloud.
Your fingerprint data is also not shared with any apps. Apps can only be told, if they request, whether your fingerprint checks out or not. The apps don’t have access to fingerprint data or sensor hardware.
Does Nexus Imprint make your device more secure? No. Oh wait, perhaps this may catch you by surprise. But no, whenever you add an alternative security measure, you are at best only as good as you are before. Fingerprint unlocking, for example, will not replace PIN, password, or pattern security for unlocking your phone. It will simply be an alternative.
Remind yourself that Nexus Imprint is a convenient way to protect your device; it is not necessarily a more secure way of protecting your device. Furthermore, consider that since you leave fingerprints on many things that you touch, including the device itself which you want to protect, it may not be difficult for a criminal to obtain a physical copy of your fingerprint to use to unlock your phone.
The conventional unlock methods are still important, and you will still need them. You will still be asked for your PIN, password, or pattern:
- If your fingerprint fails to verify after a few tries
- After restarting your device
- After switching to a different user on the device
- After more than 48 hours have passed since the last unlocked using a conventional unlock method.
With Nexus Imprint, Android devices finally get up to speed with device fingerprint security, and based on what Google has shared, it seems reassuring that our fingerprint data is handled the right way. However, we’ll still need to peek under the hood to determine if this is legit security.
Nice analysis of the Nexus fingerprint implementation. I do wonder if the physical difference in Touch ID’s capactitive-based scanner versus the Imprint’s ultrasonic-based one provides a meaningful differentiation in spoofing mitigation. From what I’ve seen so far, Touch ID can still fall to a wood glue spoof. Has anyone done similar tests on the Imprint? Furthermore, doesn’t the fact that the Imprint uses ultrasound mean that it could potentially incorporate liveness testing by measuring blood flow over time (Doppler shift), thereby making it even less prone to false positives? Ultimately, I’d like to see an option to enable fingerprint authentication in addition to a reasonably complex password, not in lieu of one. Fingerprints should be considered a user name, not a sole authentication factor. Combine this with the fact that fingerprints can be much more easily coerced than a strong passphrase in your head.