Is there a difference in terms of access or privileges with respect to fingerprint authentication in Android between system applications and user applications? In other words, how does Google Play Store differ in terms of fingerprint authentication from any other app on the Play Store (e.g. App Lock)? Does it have special privileges as such?
1 Answer
Android has a one-stop shop for fingerprint authentication, which is FingerprintManager. All apps, including Google Play, will plug in using this API to authenticate the user. Internally, a fingerprint is never stored on the device. All Android phones use a technology called TEE (Trusted Execution Environment) to authenticate the fingerprint dynamically. FingerprintManager interacts with a system daemon, fingerprintd, which in turn interacts with a Fingerprint HAL. The HAL will interact with the driver to get the status of the fingerprint match/fail from the device.
In short, Android does not support different apps having their own fingerprint authentications. It is centralised, so all apps, including Google Play Store, will use the same mechanism.
Further reading:
http://source.android.com/security/authentication/fingerprint-hal.html

- Thanks for the info. If the fingerprint is never stored, how is a particular authentication request validated without a template? – Hells Guardian Jan 17 '17 at 14:17
- Fingerprint authentication is done using Auth Tokens. During fingerprint registration, a token is generated and stored in an encrypted manner with the keystore. During subsequent authentications, this token is regenerated and compared against the stored token. That is how the authentication happens! – Royston Pinto Jan 17 '17 at 14:29
- Okay, so is the auth token generated based on the fingerprint minutiae? – Hells Guardian Jan 17 '17 at 14:46
- [This](https://infinum.co/the-capsized-eight/android-fingerprint-security) article states under the heading TEE, "All fingerprint data must be secured within sensor hardware or trusted memory so that images of your fingerprint are inaccessible". What do you reckon? – Hells Guardian Jan 19 '17 at 10:31
- TEE implementation is open to OEMs and vendors. TEE memory/storage is secured and cannot be accessed by Android OS. So security is maintained. – Royston Pinto Jan 19 '17 at 11:04
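
How an ordinary user app plugs into the FingerprintManager API named in the answer, as an added example that is not code from the answer or its commenters. It shows that the app hands the framework a Keystore-bound cipher and gets back only a callback, never fingerprint data. The class name `FingerprintGate` and the key alias are hypothetical; it assumes API 23+ and the `USE_FINGERPRINT` permission.

```java
import android.hardware.fingerprint.FingerprintManager;
import android.os.CancellationSignal;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/** Hypothetical helper class, not part of the Android SDK. */
public final class FingerprintGate {
    private static final String KEY_ALIAS = "demo_fp_key"; // constructed alias

    /** Creates an AES key that the Keystore refuses to use until the user authenticates. */
    static void createKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
                .setUserAuthenticationRequired(true) // bind key use to user authentication
                .build());
        kg.generateKey(); // an existing entry under the same alias is overwritten
    }

    /** Starts a fingerprint prompt; the outcome arrives through the callback only. */
    static void authenticate(FingerprintManager fm, CancellationSignal cancel,
            FingerprintManager.AuthenticationCallback cb) throws Exception {
        if (!fm.isHardwareDetected() || !fm.hasEnrolledFingerprints()) {
            throw new IllegalStateException("no sensor or no enrolled fingerprint");
        }
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7Padding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, (SecretKey) ks.getKey(KEY_ALIAS, null));
        } catch (KeyPermanentlyInvalidatedException e) {
            // Enrollment changed since the key was made: the old key is dead, make a new one.
            createKey();
            cipher.init(Cipher.ENCRYPT_MODE, (SecretKey) ks.getKey(KEY_ALIAS, null));
        }
        // The cipher becomes usable only in cb.onAuthenticationSucceeded(result),
        // via result.getCryptoObject().getCipher().
        fm.authenticate(new FingerprintManager.CryptoObject(cipher), cancel, 0, cb, null);
    }
}
```

Call `createKey()` once, then `authenticate(...)` from an Activity with a `FingerprintManager` obtained through `getSystemService(FingerprintManager.class)`.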