Google restricts third-party apps from distinguishing between different fingerprints in Android 6.0

0
267

Google has updated their Android Compatibility Definition document which lays out some ground rules for OEMs who include certain security-sensitive hardware and software features. One of those items is the fingerprint scanner, which finally gets official support in Android as of Android 6.0 Marshmallow.

Samsung-Galaxy-Note-5-fingerprint

The document touches on all the usual things, such as requiring OEMs to use Android’s new dedicated fingerprint scanner APIs, dictating the level of accuracy and checks needed to verify fingerprints, and more. But one interesting little tidbit — bolded on the list below — stood out:

7.3.10. Fingerprint Sensor
Device implementations with a secure lock screen SHOULD include a fingerprint sensor. If a device implementation includes a fingerprint sensor and has a corresponding API for third-party developers, it:

  • MUST declare support for the android.hardware.fingerprint feature.
  • MUST fully implement the corresponding API as described in the Android SDK documentation [Resources, 95].
  • MUST have a false acceptance rate not higher than 0.002%.
  • Is STRONGLY RECOMMENDED to have a false rejection rate not higher than 10%, and a latency from when the fingerprint sensor is touched until the screen is unlocked below 1 second, for 1 enrolled finger.
  • MUST rate limit attempts for at least 30 seconds after 5 false trials for fingerprint verification.
  • MUST have a hardware-backed keystore implementation, and perform the fingerprint matching in a Trusted Execution Environment (TEE) or on a chip with a secure channel to the TEE.
  • MUST have all identifiable fingerprint data encrypted and cryptographically authenticated such that they cannot be acquired, read or altered outside of the Trusted Execution Environment (TEE) as documented in the implementation guidelines on the Android Open Source Project site [Resources, 96].
  • MUST prevent adding a fingerprint without first establishing a chain of trust by having the user confirm existing or add a new device credential (PIN/pattern/password) using the TEE as implemented in the Android Open Source project.
  • MUST NOT enable 3rd-party applications to distinguish between individual fingerprints.
  • MUST honor the DevicePolicyManager.KEYGUARD_DISABLE_FINGERPRINT flag.
  • MUST, when upgraded from a version earlier than Android 6.0, have the fingerprint data securely migrated to meet the above requirements or removed.
  • SHOULD use the Android Fingerprint icon provided in the Android Open Source Project.

Why is that important? Well, it means it won’t be possible for third-party apps to do cool stuff. Consider something like Tasker — what if there was a plugin that lets you launch an app or do specific actions when using a specific finger? I could automatically open my bank app with my right index finger, and save my left middle finger for Twitter, for instance. That’d be cool.

But Google won’t allow it. There may be a heap of good reasons not to — perhaps there are potential security issues which they haven’t yet figured out or were unable to implement in this initial API — but it’s disappointing nonetheless.

That said, depending on their definition of “3rd party apps,” OEMs may still be able to add these features themselves. We’ll have to see if any of the upcoming smartphones with a fingerprint scanner and Android 6.0 Marshmallow will look to implement anything interesting. Otherwise, look for it to be a simple authentication method and little more for the foreseeable future.