
Pull My Finger...print

August 11, 2015

It appears yet another Android vulnerability has been identified that is worthy of mention. As you may know, a few days ago at the Black Hat conference, new methods for exfiltrating fingerprint data from Android devices were revealed.

Before you hit the panic button, it is important to note that the vulnerability is limited to Android devices that have fingerprint readers. Currently, that list is short and comprises devices from only a few different carriers.

How does the attack work? A fingerprint image can be acquired from an affected device and exfiltrated without the user knowing. This is possible because device makers failed to properly secure the sensor, which makes the attacker's job easier. If the device is already compromised (e.g. jailbroken or rooted), you are probably at even greater risk. Once the attack is executed, the fingerprint sensor can be used, without any notice to the user, to collect all fingerprint data.

It is important to note that, because Google did not expose fingerprint readers through OS APIs in versions of Android prior to Android M, each manufacturer had to write its own code to support them. As a result, there are inconsistencies in that code and in the security each manufacturer implemented.
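To make the contrast concrete, here is an added example (not code from the Optiv post or from any device manufacturer) of how an app uses the fingerprint support that Android M (API 23) introduced in the OS. The point is architectural: the app asks the Android keystore for a key that can only be used after the user authenticates, and the OS and sensor hardware perform the match, so the app only ever receives an unlocked Cipher, never a fingerprint image or template. The key alias is a constructed value; the app is assumed to hold the USE_FINGERPRINT permission and to run on API 23 or later.

```java
// Added illustration of the Android M (API 23) FingerprintManager flow.
// The app never touches biometric data: it binds an AES key to user
// authentication and lets the OS unlock it after a fingerprint match.
import android.content.Context;
import android.hardware.fingerprint.FingerprintManager;
import android.os.CancellationSignal;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;

import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class FingerprintGate {
    // Constructed alias for this example; any app-specific name works.
    private static final String KEY_ALIAS = "example_fp_gated_key";

    /** Creates an AES key in AndroidKeyStore that is unusable until the user authenticates. */
    static void generateKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
                // Every use of the key requires a fresh user authentication.
                .setUserAuthenticationRequired(true)
                .build());
        kg.generateKey();
    }

    /** Loads the key and prepares a Cipher that stays locked until a fingerprint match. */
    static Cipher initCipher() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        SecretKey key = (SecretKey) ks.getKey(KEY_ALIAS, null);
        Cipher cipher = Cipher.getInstance(KeyProperties.KEY_ALGORITHM_AES + "/"
                + KeyProperties.BLOCK_MODE_CBC + "/" + KeyProperties.ENCRYPTION_PADDING_PKCS7);
        // Throws KeyPermanentlyInvalidatedException if enrolled fingerprints changed.
        cipher.init(Cipher.ENCRYPT_MODE, key);
        return cipher;
    }

    /** Hands the locked Cipher to the OS; the sensor match happens outside the app. */
    static void authenticate(Context ctx, Cipher cipher, CancellationSignal cancel) {
        FingerprintManager fm = ctx.getSystemService(FingerprintManager.class);
        if (fm == null || !fm.isHardwareDetected() || !fm.hasEnrolledFingerprints()) {
            return; // no sensor or nothing enrolled: fall back to another factor
        }
        fm.authenticate(new FingerprintManager.CryptoObject(cipher), cancel, 0,
                new FingerprintManager.AuthenticationCallback() {
                    @Override
                    public void onAuthenticationSucceeded(
                            FingerprintManager.AuthenticationResult result) {
                        // The only thing returned is the now-usable Cipher.
                        Cipher unlocked = result.getCryptoObject().getCipher();
                        // unlocked.doFinal(...) may now encrypt app data.
                    }

                    @Override
                    public void onAuthenticationFailed() {
                        // No match; the sensor keeps listening until cancelled.
                    }

                    @Override
                    public void onAuthenticationError(int code, CharSequence msg) {
                        // Lockout, cancellation or hardware error: stop and report.
                    }
                }, null);
    }
}
```

Because the match result surfaces only as a usable Cipher, an app (or anything that compromises the app) gains no access to the fingerprint itself through this path; that separation is exactly what the pre-Android M, manufacturer-specific implementations delivered inconsistently.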

The implications of another person holding your fingerprint data would follow you for the rest of your life, since fingerprints are not as easy to change as passwords. Imagine the damage that could be done with your fingerprint; with the advent of e-payment applications and credit card information being stored on your device, it is alarming to say the least.

But there is a bit of good news amongst all the doom and gloom: device manufacturers have released patches to fix the vulnerability. Check with your carrier and/or device manufacturer for the availability of these patches, and make sure you apply them to your device(s) as soon as possible.

What can I do going forward? Best practice is to keep your device(s) up to date with the latest security patches to mitigate the risk from new threats. At Optiv, we recommend that clients who support mobile devices employ security software to protect corporate data against known and emerging threats.
