
Many recent phones come with a fingerprint scanner. I use them rarely, but I'm curious how hardware and software protect a user's fingerprint data from being stolen.

  1. Does a fingerprint scanner come with its own storage where fingerprints are stored?

  2. How does the fingerprint scanner decide which fingerprint requests from apps are legitimate?

  3. When you factory reset a phone, do all the fingerprints get securely wiped?

Cyker

1 Answer


Does a fingerprint scanner come with its own storage where fingerprints are stored?

No, but Android uses a trusted environment, known as Trusty TEE. This secure enclave runs the Trusty operating system. Trusty does not hand out the fingerprint data.

On hardware with support for a secure enclave, this OS will run on special parts of the hardware, unavailable to the rest of the OS. It communicates via a dedicated interface.

How does the fingerprint scanner decide which fingerprint requests from apps are legitimate?

It doesn't. That's left to the user. But the fingerprint scanner doesn't return raw fingerprint scan results to the OS. An app requests the Trusty OS to authenticate the fingerprint, using the relevant API. It then tells the app whether the authentication succeeded or not.

When you factory reset a phone, do all the fingerprints get securely wiped?

I would imagine that wiping the device nukes any encryption keys, which will probably be stored within the TEE. This effectively makes the data unrecoverable, as it is unencrypted. I could however not find any sources for this.

vidarlo
  • Before TEE can authenticate a fingerprint, it must know what the authentic fingerprint is. This needs a write operation into the TEE realm. If TEE can't tell legitimate requests from illegitimate, how does it decide whether the request should be accepted or rejected? – Cyker Dec 22 '19 at 20:09
  • I'm not 100% sure what your concern is here, but yes, before a fingerprint can be authenticated, you need to set up this functionality by adding a fingerprint to your phone. This functionality is managed by the operating system, and not exposed to regular apps. – henrheid Dec 23 '19 at 02:09
  • @henrheid Is the OS trusted in this model? If it is trusted, why would you need TEE but not let OS manage fingerprints? If it isn't trusted, why would TEE accept a request from OS to *write* a fingerprint? – Cyker Dec 23 '19 at 10:38
  • The TEE *probably* asks the OS for the current authentication scheme, and verifies that correct pattern, pin or password is entered, before allowing enrollment. I don't know the details, and won't spend time looking it up - but that would be the obvious way of handling it. – vidarlo Dec 23 '19 at 10:47