17

On my Android phone I use several apps that propose biometric authentication. If I enable it, can these applications read my fingerprint data and transfer it to third-party servers?

Vitalii

2 Answers

20

No. Biometrics never leave the hardware-backed keystore (TEE). Apps use the Android Biometric API to authenticate the user. The biometric is verified by the hardware-backed keystore, which answers the API with the authentication result: success or failure.

As it's a system API, apps implicitly trust the authentication result. To ensure that it's not a fraudulent TEE verifying the biometrics, you can verify the legitimacy of the hardware-backed keystore using hardware-backed key attestation.

In-app authentication usually protects apps' secrets that are stored inside the TEE. Faking the API response by memory corruption will not expose the secrets, as the TEE doesn't release secrets until user authentication succeeds.

defalt

14

Google's fingerprint HIDL implementation guidelines for vendors state:

Raw fingerprint data or derivatives (for example, templates) must never be accessible from outside the sensor driver or TEE. If the hardware supports a TEE, hardware access must be limited to the TEE and protected by an SELinux policy.

So no, your fingerprint data should never be accessible to any apps. It is only stored and processed inside the Trusted Execution Environment, which ensures that even rooting the device should not be able to compromise the biometric data. The app will only interact with the FingerprintManager API through which it will request biometric authentication and receive a response of whether the authentication was successful or not.

nobody