Based on materials from androidcentral.com
The launch of an iPhone without a fingerprint sensor has sparked discussion about how fingerprints are used for authentication and how securely the data is stored. That is a good thing. Even if you have never thought about how all of this works, it is reassuring to know that someone is taking care of it so that you do not have to worry about it yourself.
For those who don't know, Apple uses a similar solution, so if you have an earlier model with a fingerprint sensor, everything remains as safe for you as before. The same goes for older Samsung models released on versions of Android prior to Marshmallow, which use Samsung's own methods.
The way Google stores your fingerprints is as secure as the current state of technology allows. And if we look at the picture as a whole, it is surprising how simple it is. Simplicity and security are always a winning combination.
Storage itself is not secure by its very nature. It's like writing something on a piece of paper and putting it in a drawer of your desk. The sheet of paper is there because it has to be somewhere, and the best you can do is control who has access to the drawer. In the case of a desk, the drawer can be locked with a key. In the case of a phone, you use data encryption. For your fingerprint data things are more involved: here we are dealing with a Trusted Execution Environment (TEE).
To provide it, Google uses what it calls the Trusty TEE. A very small and efficient operating system, appropriately named Trusty OS, uses the hardware capabilities of the TEE and kernel drivers that let it interact with the rest of the system. There are Android libraries (as you might have guessed, the Trusty API) for developers, so that they can ask the TEE what amounts to a yes-or-no question. The TEE stores more than just fingerprint information. Things like the manufacturer's DRM keys and the keys the bootloader uses live here, and they work the same way as your fingerprint data: the TEE determines whether the data supplied by an app matches the correct data stored there.
Other manufacturers can use Trusty OS, or they can use a different system. As long as all of the criteria below are met and the TEE is isolated, the security standards required to use Pixel Imprint (formerly Nexus Imprint) are satisfied.
ARM TrustZone TEE Block Diagram
When you enroll a fingerprint on your Android phone, the sensor grabs the data from the scanner. Trusty OS analyzes this data inside the TEE and creates two things: a validation dataset and an encrypted fingerprint template. This information is of no use to anything other than the TEE, which holds the key to decrypt it. The encrypted fingerprint template is stored in an encrypted container, either in the TEE or in an encrypted storage area on your phone. Three layers of encryption mean that it is nearly impossible to get at this information, and even if someone did, it would be useless without decryption.
The validation data is stored inside the TEE. When you touch the scanner with your finger to perform an action, the scanner creates a data profile. Through the Trusty API, the associated application asks the kernel to ask the TEE whether the data is correct. The TEE checks it against the stored validation data, using its own separate processor and memory, and if enough of the data matches it says yes; if not enough matches, it says no. This yes or no answer is sent back to the kernel as a software token that the API can read to learn the result.
While the TEE itself relies on a standalone operating system and hardware for its security, the fingerprint template is protected with software encryption. It must be signed with a very specific key to be considered valid. That key is generated from device-specific, user-specific and time-specific information. In other words, if the user is different, the device changes, or the fingerprint is enrolled again (the system may tell you that you are overwriting an existing fingerprint), the key is no longer recognized and cannot be used to decrypt the fingerprint template.
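To make the enrolment and verification flow of the three paragraphs above concrete, here is an added toy model (not Trusty OS or Android code): the TEE keeps the key, the app side only ever holds an opaque encrypted and signed template blob, verification returns nothing but yes or no, and re-enrolment derives a new key so the old blob stops being accepted. The class and function names, the HMAC-based key derivation, the XOR stream cipher and the Hamming-distance matcher are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed model of the enroll/verify flow described above; not Trusty OS code.
# A "fingerprint" is a constructed 16-byte feature vector; matching is a Hamming-distance check.
TEMPLATE_LEN = 16
MATCH_THRESHOLD_BITS = 12  # assumption: bits allowed to differ and still count as a match

def _hamming(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def _seal(key: bytes, data: bytes) -> bytes:
    # Toy stream cipher: XOR with an HMAC-derived keystream (symmetric, so it also decrypts).
    ks = hmac.new(key, b"template-stream", hashlib.sha256).digest()[:TEMPLATE_LEN]
    return bytes(d ^ k for d, k in zip(data, ks))

class TrustyTEE:
    def __init__(self, device_id: str, root_secret: bytes = b"constructed-root-secret"):
        self.device_id = device_id
        self._root = root_secret  # never leaves the TEE
        self._keys = {}           # user -> key of the current enrolment, kept inside the TEE

    def _derive_key(self, user_id: str, enroll_time: int) -> bytes:
        # Bound to device-, user- and time-specific data (assumption: HMAC-based KDF).
        info = f"{self.device_id}|{user_id}|{enroll_time}".encode()
        return hmac.new(self._root, info, hashlib.sha256).digest()

    def enroll(self, user_id: str, features: bytes, enroll_time: int) -> bytes:
        """Return an opaque encrypted, MAC-signed template blob for storage outside the TEE."""
        key = self._keys[user_id] = self._derive_key(user_id, enroll_time)  # re-enrol => new key
        ct = _seal(key, features)
        return ct + hmac.new(key, ct, hashlib.sha256).digest()

    def verify(self, user_id: str, blob: bytes, sample: bytes) -> bool:
        """The only answer that leaves the TEE: does the sample match the stored template?"""
        key = self._keys.get(user_id)
        ct, tag = blob[:TEMPLATE_LEN], blob[TEMPLATE_LEN:]
        if key is None or not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
            return False  # not signed by the current key: stale, tampered or from another device
        return _hamming(_seal(key, ct), sample) <= MATCH_THRESHOLD_BITS

def demo() -> tuple:
    tee, finger = TrustyTEE("device-A"), bytes(range(TEMPLATE_LEN))  # constructed enrolment
    blob = tee.enroll("alice", finger, enroll_time=1000)
    noisy = bytes([finger[0] ^ 0x03]) + finger[1:]  # same finger, 2 bits of sensor noise
    other = bytes(x ^ 0xFF for x in finger)         # a different finger
    same, diff = tee.verify("alice", blob, noisy), tee.verify("alice", blob, other)
    tee.enroll("alice", finger, enroll_time=2000)   # re-enrol: the old blob's key is gone
    return same, diff, tee.verify("alice", blob, finger)
```

`demo()` returns `(True, False, False)`: a noisy reading of the enrolled finger passes, a different finger fails, and the blob from the first enrolment is rejected once the finger has been re-enrolled.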
Here are the basic rules that any company making Android phones with a fingerprint sensor must follow:
- All analysis of fingerprint data must be done internally by the TEE;
- All information related to fingerprints must be stored inside the TEE or in trusted memory (memory that the main processor does not even see);
- The fingerprint profile information must be encrypted separately, even if it is stored in the encrypted memory area of the phone;
- Deleting a user's account should include the secure erasure of all data associated with their fingerprints;
- Where the fingerprint profiles are stored should not be visible to any application, process, or user, including the root user;
- No fingerprint data may be backed up anywhere, including the cloud, your computer, or any application;
- Fingerprint authentication should only be used by the process that requests it (no way to share the fingerprint data, even if you just want to know if the answer was yes or no).
When there are a few standard conditions that are crystal clear, they are easy to follow. That gives confidence that whatever Android smartphone you use, your fingerprint data is stored absolutely securely and no outside system process or application has access to it. As encryption, and especially hardware encryption, develops, so will this method of securing your fingerprint data. Either way, by the time we get to Android Z, it will be interesting to look back and see how far we have come.