Graduate School and Research Center in Digital Sciences

Broken fingers: On the usage of the fingerprint API in Android

Bianchi, Antonio; Fratantonio, Yanick; Machiry, Aravind; Kruegel, Christopher; Vigna, Giovanni; Chung, Pak; Lee, Wenke

NDSS 2018, SOC Network and Distributed System Security Symposium, February, 18-21, 2018, San Diego, CA, USA

Smartphones are increasingly used for very important tasks such as mobile payments. Correspondingly, new technologies are emerging to provide better security on smartphones. One of the most recent and most interesting is the ability to recognize fingerprints, which enables mobile apps to use biometric-based authentication and authorization to protect security-sensitive operations. In this paper, we present the first systematic analysis of the fingerprint API in Android, and we show that this API is not well understood and often misused by app developers. To make things worse, there is currently confusion about which threat model the fingerprint API should be resilient against. For example, although there is no official reference, we argue that the fingerprint API is designed to protect from attackers that can completely compromise the untrusted OS. After introducing several relevant threat models, we identify common API usage patterns and show how inappropriate choices can make apps vulnerable to multiple attacks. We then design and implement a new static analysis tool to automatically analyze the usage of the fingerprint API in Android apps. Using this tool, we perform the first systematic study on how the fingerprint API is used. The results are worrisome: Our tool indicates that 53.69% of the analyzed apps do not use any cryptographic check to ensure that the user actually touched the fingerprint sensor. Depending on the specific use case scenario of a given app, it is not always possible to make use of cryptographic checks. However, a manual investigation on a subset of these apps revealed that 80% of them could have done so, preventing multiple attacks. Furthermore, the tool indicates that only the 1.80% of the analyzed apps use this API in the most secure way possible, while many others, including extremely popular apps such as Google Play Store and Square Cash, use it in weaker ways. To make things worse, we find issues and inconsistencies even in the samples provided by the official Google documentation. We end this work by suggesting various improvements to the fingerprint API to prevent some of these problematic attacks. 

Document Bibtex

Title:Broken fingers: On the usage of the fingerprint API in Android
Type:Conference
Language:English
City:San Diego
Country:UNITED STATES
Date:
Department:Digital Security
Eurecom ref:5396
Copyright: © ISOC. Personal use of this material is permitted. The definitive version of this paper was published in NDSS 2018, SOC Network and Distributed System Security Symposium, February, 18-21, 2018, San Diego, CA, USA and is available at :
Bibtex: @inproceedings{EURECOM+5396, year = {2018}, title = {{B}roken fingers: {O}n the usage of the fingerprint {API} in {A}ndroid}, author = {{B}ianchi, {A}ntonio and {F}ratantonio, {Y}anick and {M}achiry, {A}ravind and {K}ruegel, {C}hristopher and {V}igna, {G}iovanni and {C}hung, {P}ak and {L}ee, {W}enke}, booktitle = {{NDSS} 2018, {SOC} {N}etwork and {D}istributed {S}ystem {S}ecurity {S}ymposium, {F}ebruary, 18-21, 2018, {S}an {D}iego, {CA}, {USA} }, address = {{S}an {D}iego, {UNITED} {STATES}}, month = {02}, url = {http://www.eurecom.fr/publication/5396} }
See also: