How Secure Is Your Phone’s Lock?

July 24, 2018

It’s been 10 years since the first modern smartphone. Back then, many of them weren’t protected by default—you only needed to swipe to unlock them. Today, all phones prompt you to add some sort of passcode, and for added convenience, they use some form of biometric authentication as well. This is all intended to keep your phone yours, but how well do these methods fare against each other, and how much are you helping your phone to keep your stuff secure?

Biometrics

Most phones today can read your thumbprint or your face to let you in. These methods embody a future without passwords—we are the passwords instead. While biometrics can look cool and are definitely faster than typing a passcode, some of these methods are more easily fooled than others. Let’s take a look at what the most popular manufacturers are doing.

Samsung Facial Recognition

Samsung’s Galaxy S8 flagship phone included a method of facial recognition. In short, it is not secure. One reporter fooled it by just showing it a photo on another phone. This happened in the demo area after the original introduction event. Ouch.

The S8 also brought on a second method of biometric authentication: iris scanning. Samsung claimed that it was “one of the safest ways to keep your phone locked”. Soon after, researchers fooled it using a printed photo with some contact lenses stuck on. So much for safety.

The Samsung Galaxy S9 includes a “new” biometric unlock feature called “Intelligent Scan”. It combines facial and iris recognition into the same process. In short, it’s not any safer. A researcher said it’s “just a new release of the same system” (compared to the S8), and even Samsung trusts it so little that they won’t let you use it for payments.

Fingerprint Recognition

Popularized by the iPhone 5s in 2013, most mid-to-high end smartphones today have fingerprint sensors. We may think that our fingerprint is unique, but Apple says that “the chance of a false match in the iPhone’s fingerprint system [is] 1 in 50,000”. This is because these sensors are tiny, and only register a small part of your fingerprint.

Still, compared to traditional facial recognition, fingerprints are much more secure. To fool a fingerprint scanner, you’d need to lift a fingerprint off of some surface touched by the target (even a photo of a fingerprint could be enough), and then make a latex/rubber model out of it. Not impossible, but still highly involved. If you’re not being hunted by some highly resourceful and involved people, you’re probably fine.

Things are different between Android and iPhone, however. In short, while there’s no way to access fingerprint data on a Touch ID-enabled iPhone, on an Android device, it depends.

Touch ID on the iPhone uses two pieces of hardware in tandem: the fingerprint sensor, and the Secure Enclave. An iPhone’s fingerprint sensor communicates exclusively with its corresponding Secure Enclave. They are, in fact, paired “at birth”, which is why you can’t replace an iPhone’s home button without losing Touch ID functionality: the new part is assumed to be compromised and therefore won’t be allowed to work fully. Fingerprint data is stored on the Secure Enclave, which is a separate chip that runs its own encrypted software and is isolated from the main processor. Touch ID authentication, in broad terms, goes a bit like this: the main system requests authentication, showing the user a Touch ID prompt and telling the sensor to be ready. The user then touches the sensor, and the Secure Enclave tells the system whether the print is a match or not. That’s it. The main application processor and operating system are not involved in fingerprint validation—that data is physically off-limits to any kind of software that runs on the phone. The only way to access it would be de-soldering the chip from the main board and reading it on a special machine, and even then, its contents are fully encrypted.
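A toy model of the flow described above, added here as an illustration and not Apple’s implementation. The shared pairing key, the HMAC tagging of sensor readings, and the exact-match comparison are assumptions chosen for simplicity (real fingerprint matching is fuzzy, not an exact comparison), and the fingerprint byte strings are constructed sample values.

```python
import hashlib
import hmac
import secrets


class Sensor:
    """Fingerprint sensor holding the pairing key provisioned at manufacture."""

    def __init__(self, pairing_key):
        self._key = pairing_key

    def capture(self, finger, nonce):
        # Tag the reading and bind it to the enclave's fresh nonce.
        tag = hmac.new(self._key, nonce + finger, hashlib.sha256).digest()
        return finger, tag


class SecureEnclave:
    """Stores the enrolled template; callers only ever get a yes/no answer."""

    def __init__(self, pairing_key):
        self._key = pairing_key
        self._template = None  # never returned to the main OS

    def _read(self, sensor, finger):
        nonce = secrets.token_bytes(16)  # fresh per request, blocks replay
        reading, tag = sensor.capture(finger, nonce)
        expected = hmac.new(self._key, nonce + reading, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # sensor is not the one paired with this enclave
        return hashlib.sha256(reading).digest()

    def enroll(self, sensor, finger):
        digest = self._read(sensor, finger)
        if digest is not None:
            self._template = digest
        return digest is not None

    def match(self, sensor, finger):
        digest = self._read(sensor, finger)
        return (digest is not None and self._template is not None
                and hmac.compare_digest(digest, self._template))


def demo():
    key = secrets.token_bytes(32)  # hypothetical factory pairing key
    enclave, original = SecureEnclave(key), Sensor(key)
    replacement = Sensor(secrets.token_bytes(32))  # swapped-in home button
    owner, stranger = b"constructed-owner-print", b"constructed-other-print"
    enclave.enroll(original, owner)
    return {"owner": enclave.match(original, owner),
            "stranger": enclave.match(original, stranger),
            "replaced_sensor": enclave.match(replacement, owner)}
```

The replacement sensor fails even when the owner’s finger is presented, which mirrors why a swapped home button loses Touch ID.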

Similarly, current Android phones store fingerprint data in a special part of the system called the Trusted Execution Environment, or TEE. Some implementations of the TEE exist in a chip that is physically separate from the main processor, but some run right alongside the main processes in a virtualized (read: contained) environment. The TEE has its own separate and encrypted operating system—Google’s version is called Trusty OS. This seems pretty secure, right? Well, in theory it is, but there are ways to implement the TEE specification that would make it weaker than Touch ID, and there’s no way to tell if one vendor’s implementation is as safe as the others. In addition, Android devices can be easily “rooted”, which is a process that allows for total control over the operating system, enabling someone to potentially bypass any authentication request.

But the real problem lies with older Android phones. There are documented hacks that would allow malicious actors to extract fingerprint data from a 2015 Android phone, and even to do so remotely, over the internet. Android phones are known for barely getting software updates, if ever, so you should at least steer clear of devices that were released with software versions lower than Android 6.0 (from 2015) if you need a trustworthy device. As of this writing, 38.6% of Android’s over 2 billion active devices are running a version older than 6.0, and many more originally shipped with older versions that had lower security standards and carried them over.

Face ID

While at a glance, Face ID seems similar to other face unlocking mechanisms, in reality, it’s a completely different beast. The iPhone X has what Apple calls the TrueDepth camera system which includes: an infrared camera, a tiny infrared projector that emits over 30,000 invisible dots to map the geometry of your face, an infrared flood illuminator that improves accuracy in the dark, and a high-resolution standard camera.

Face ID gathers many more data points than Touch ID, making it very precise. It’s so precise that the possibility of a false positive (of someone random unlocking your device with their face) is 1 in 1,000,000, making it 20 times more secure than Touch ID. (The chance of a false positive increases with direct relatives, especially twins.) The system keeps learning about your face the more you use it, so it gets faster and safer over time. It also adapts to changes in your face (such as beards) and accounts for accessories (such as sunglasses). The storage and validation of Face ID data is the same as with Touch ID: it uses the Secure Enclave mechanism, meaning the phone’s software can’t read your face authentication data.

There is no equivalent for Face ID on Android yet, and analysts predict it will take years for other companies to come up with face authentication that’s at least as secure as Apple’s system.


This post is part of a series on phone security. See also: How Secure is Your Chat App? and How Secure Is Your Phone’s Software?