Stopping Android Biometrics Vulnerabilities

Research presented at Black Hat 2015 showed how attackers can compromise Android phones and steal users’ fingerprints. As fingerprint sensors spread across mobile devices, the way this data is handled becomes a pressing security concern. To secure biometrics on mobile devices, we recently released our biometric tokenization platform, which pairs these convenient authentication methods with strong cryptographic protection. You can find more information on our biometric authentication platform and watch a demonstration of the HYPR SDK for a closer look.

Here are the security concerns that the FireEye Labs researchers brought to light at Black Hat, and that we share:

● A recent report from Market Research estimated that by 2019 more than half of all smartphones will ship with a fingerprint sensor.
● Most device manufacturers fail to use the protection already available to them: keeping users’ most sensitive biometric data inside ARM TrustZone, a trusted execution environment isolated from the Android operating system.
● Attackers have found a way to steal victims’ fingerprint data because fingerprints were stored as plain image files in an open, world-readable folder, where any app on the phone could read them.
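
A practical way to check a device for the storage mistake just described, as an added example that is not part of the FireEye research or HYPR's own tooling: the Go program below walks a directory tree (for instance a /data dump pulled from a rooted test device, or the live tree when run on the device itself) and lists every regular file whose permission bits grant read access to "other", flagging those whose header looks like a BMP, PNG or JPEG. The file names, paths and the set of image formats checked are assumptions made for the demonstration.

```go
package main

import (
	"bytes"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// Finding describes one file that every local process is allowed to read.
type Finding struct {
	Path       string
	Mode       fs.FileMode
	LooksImage bool // header matches BMP, PNG or JPEG
}

// Magic numbers for the formats a raw sensor dump is most likely to use
// (an assumption for this example; extend as needed).
var imageMagic = [][]byte{
	[]byte("BM"),                                 // BMP
	{0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'}, // PNG
	{0xff, 0xd8, 0xff},                           // JPEG
}

// looksLikeImage reads the first bytes of path and compares them to the table.
func looksLikeImage(path string) bool {
	f, err := os.Open(path)
	if err != nil {
		return false
	}
	defer f.Close()
	head := make([]byte, 8)
	n, _ := f.Read(head)
	for _, m := range imageMagic {
		if n >= len(m) && bytes.Equal(head[:len(m)], m) {
			return true
		}
	}
	return false
}

// AuditWorldReadable walks root and returns every regular file whose
// "other" read bit is set. On Android each app runs under its own UID, so
// that bit is what lets an unrelated app read a file it does not own.
func AuditWorldReadable(root string) ([]Finding, error) {
	var findings []Finding
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			if d == nil {
				return err // the root itself is missing or unreadable
			}
			return nil // unreadable subtree: skip it rather than abort the audit
		}
		if !d.Type().IsRegular() {
			return nil
		}
		info, err := d.Info()
		if err != nil {
			return nil
		}
		if info.Mode().Perm()&0o004 != 0 {
			findings = append(findings, Finding{
				Path:       path,
				Mode:       info.Mode().Perm(),
				LooksImage: looksLikeImage(path),
			})
		}
		return nil
	})
	return findings, err
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	findings, err := AuditWorldReadable(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, "audit failed:", err)
		os.Exit(1)
	}
	for _, f := range findings {
		tag := ""
		if f.LooksImage {
			tag = "  <-- image header"
		}
		fmt.Printf("%s %s%s\n", f.Mode, f.Path, tag)
	}
}
```

Group-readable files shared through a common GID between a sensor daemon and other processes deserve the same scrutiny, but that depends on the vendor's UID/GID layout and is left out here.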

To ensure biometric security, we at HYPR advise:

● Using biometric tokenization so that the fingerprint image or template never has to leave the device: the device proves possession of the biometric with trusted public key cryptography, and only a signed token, not the biometric itself, is sent to the cloud.
● Storing fingerprints only as a mathematical representation (a template, not an image) inside a trusted environment that is separate from the device’s operating system.
o Key players, including biometric sensor suppliers and mobile device manufacturers, have recently begun backing this approach.
● Deploying secure processors specifically designed to store sensitive data such as biometrics.

With current biometric encryption protocols, relying parties can verify the resulting signatures in several ways while still meeting the four guiding principles of biometric tokenization.
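
The recommendations above describe a challenge-response pattern: a key pair lives in the trusted environment, the fingerprint match unlocks the private key, and the relying party only ever holds the public key and verifies signatures. The Go program below is an added illustration of that pattern, not HYPR's SDK or protocol: the Authenticator type stands in for a key held in a TEE, the RelyingParty type for the server, and the template bytes, user name and relying-party identifiers are constructed for the demonstration. Ed25519 from Go's standard library stands in for whatever signature scheme a real deployment uses.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator stands in for a signing key kept in the phone's trusted
// execution environment. Nothing outside it can read priv or template; the
// only operation it offers is "sign this message once the local match passes".
type Authenticator struct {
	priv     ed25519.PrivateKey
	template []byte // enrolled template (constructed stand-in); never exported
}

func NewAuthenticator(template []byte) (*Authenticator, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, template: template}, nil
}

// PublicKey is the only key material that leaves the device; the relying
// party stores it at enrollment instead of any biometric data.
func (a *Authenticator) PublicKey() ed25519.PublicKey {
	return a.priv.Public().(ed25519.PublicKey)
}

// matchLocally stands in for the sensor's matcher. The byte compare is a
// constructed simplification; a real matcher compares templates fuzzily.
func (a *Authenticator) matchLocally(sample []byte) bool {
	return bytes.Equal(sample, a.template)
}

// Sign releases a signature only when the live sample matches the template.
func (a *Authenticator) Sign(sample, msg []byte) ([]byte, error) {
	if !a.matchLocally(sample) {
		return nil, errors.New("biometric match failed; key stays locked")
	}
	return ed25519.Sign(a.priv, msg), nil
}

// signedMessage binds the challenge to one relying party and account, so a
// signature obtained for one service cannot be relayed to another.
func signedMessage(rpID, user string, challenge []byte) []byte {
	return append([]byte(rpID+"\x00"+user+"\x00"), challenge...)
}

// RelyingParty is the server side. It holds public keys only.
type RelyingParty struct {
	id         string
	keys       map[string]ed25519.PublicKey
	challenges map[string][]byte // at most one outstanding challenge per user
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{id: id, keys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

func (rp *RelyingParty) Enroll(user string, pub ed25519.PublicKey) { rp.keys[user] = pub }

// Challenge issues a fresh 32-byte nonce that the device must sign.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	if _, ok := rp.keys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[user] = c
	return c, nil
}

// Verify accepts a signature only over the challenge it issued, and only once.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, known := rp.keys[user]
	pending, issued := rp.challenges[user]
	if !known || !issued || !bytes.Equal(challenge, pending) {
		return false // unknown user, nothing outstanding, or a challenge we never issued
	}
	delete(rp.challenges, user) // single use: a captured signature cannot be replayed
	return ed25519.Verify(pub, signedMessage(rp.id, user, challenge), sig)
}

func main() {
	template := []byte("constructed-template-bytes")
	dev, _ := NewAuthenticator(template)
	rp := NewRelyingParty("bank.example")
	rp.Enroll("alice", dev.PublicKey())

	challenge, _ := rp.Challenge("alice")
	sig, err := dev.Sign(template, signedMessage(rp.id, "alice", challenge))
	fmt.Println("sign error:", err)
	fmt.Println("on the wire:", hex.EncodeToString(challenge), hex.EncodeToString(sig))
	fmt.Println("first use accepted:", rp.Verify("alice", challenge, sig))
	fmt.Println("replay accepted:", rp.Verify("alice", challenge, sig))
}
```

Everything that crosses the network is the random challenge and a signature over it; a captured exchange yields neither the template nor anything that can be replayed, because the server discards each challenge after one verification and binds the signed message to its own identity.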

Biometrics offer a much-needed alternative to weak passwords, but they are not a panacea. As the research shows, poorly implemented biometric authentication can expose sensitive data. Enterprises must therefore put in place a robust, layered solution in which biometric data and user credentials are stored safely on the device and are never transmitted across the Internet. This is where biometric tokenization comes into play.