Does biometric authentication in Android transfer any biometric data to the app?



  • On my Android phone I use several apps that propose biometric authentication. If I enable it, can these applications read my fingerprint data and transfer it to the third party servers?



  • No. Biometrics never leave hardware-backed keystore (TEE). Apps use android Biometric API to authenticate the user. Biometric is verified by hardware-backed keystore which answers authentication result with success or failure to the API.

    As it's a system API, apps implicitly trust the authentication result. To ensure that it's not a fraudulent TEE verifying the biometrics, you can verify the legitimacy of hardware-backed keystore using hardware-backed key attestation.

    In app authentication usually protects apps' secrets that are stored inside TEE. Faking the API response by memory corruption will not expose the secrets as TEE doesn't release secrets until user authentication succeeds.



Suggested Topics

  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2