SecAppDev 2019
Wednesday, February 20 • 11:00 - 12:30
The Android fingerprint subsystem


Fingerprint sensors on Android devices provide a significant usability benefit. However, they rely on many cooperating parts which, if implemented or used incorrectly, put the device user at risk.

Many smartphones and computers today contain a fingerprint sensor. Fingerprints are convenient for quick authentication and authorization decisions. But what security properties do fingerprint mechanisms provide? Moreover, are implementations of this technology actually secure?

In this session, we look at research-based data on the Android Fingerprint mechanism. We report the results of reversing and testing actual implementations from device manufacturers. We compare those against a reference model to describe the security elements that a real implementation should meet. This threat model makes a distinction between a "normal world" and a "secure world". In practice, the former corresponds to apps, and the latter to Android system processes, such as the kernel and the Trusted Execution Environment. Finally, we look at actual attacks against these systems using real-world (anonymized) examples.

This session is intended for anyone using or assessing the use of fingerprints for authentication and/or authorization.


Andrew Lee-Thorp

Principal consultant, Synopsys SIG

Wednesday February 20, 2019 11:00 - 12:30 CET
West wing (room Lemaître)