11

I have been reading quite a bit about fingerprint sensors and their growing presence in smart phones. I understand that at the basic level, there is a digital image that gets registered and it serves as a template for authentication. I understand that fingerprint related processing takes place in a Trusted Execution Environment. However, I would like to know where the "template" gets saved and in what format?

Hells Guardian
  • 395
  • 1
  • 4
  • 16

1 Answers1

10

Trusted Execution Environment (TEE)

Google has made a noteworthy step in the right direction by moving all print data manipulation to the Trusted Execution Environment (TEE) and providing strict guidelines for fingerprint data storage that manufacturers must follow.

  • All fingerprint data manipulation is performed within TEE

  • All fingerprint data must be secured within sensor hardware or trusted memory so that images of your fingerprint are inaccessible

  • Fingerprint data can be stored on the file system only in encrypted form,
    regardless of whether the file system itself is encrypted or not

  • Removal of the user must result in removal of the user's existing fingerprint data

  • Root access must not compromise fingerprint data

enter image description here

Data Source infinum.co

W4R10CK
  • 5,502
  • 2
  • 19
  • 30
  • So that's basically Hardware-backed storage, right? Does that mean that even with root access a user won't be able to access the fingerprint data? – Hells Guardian Jan 13 '17 at 10:27
  • Yep, It is. Even with Root access, its useless. Only the creator know how to sniff the storage. – W4R10CK Jan 13 '17 at 10:36
  • 2
    So basically, your fingerprints are secured by obfuscation and some pseudo-cryptographic magic supposed to make you believe it's not only obfuscation. AFAIC, that's anything but a “noteworthy step in the right direction”. Really seems too weak to secure anything reliably. – user1527491 Jul 30 '17 at 18:51
  • 1
    If I'm reading right, they've taken pains to hide and obfuscate the data but it's still decyptable. It's not one-way encrypted like a password. I assume that's the nature of the scan image because it's never an exact match. – jiggy Dec 15 '18 at 13:04
  • @jiggy I guess everything is possible either its data hiding or data hacking. Though its kinda possible to extract/view data if you root your device and do some code changes on your custom ROM. – W4R10CK Dec 15 '18 at 13:07