On Privacy and Security of Smartphone Biometrics


Fingerprint overlaid on a microprocessor.

Every smartphone in the wild these days come equipped with face detection capability coupled with a fingerprint sensor. But how far do you think you can secure your device with biometrics? Would you trust a company with your fingerprints and facial scan data?

Biometrics and privacy

On computers, there are many critical stuff that requires secure and isolated storage where no one—not even the user or manufacturer—has access to. Cryptographic processes—the encryption and decryption—are one such critical component that needs physical isolation from the main processor and memory.

For such processes, a computer usually has a dedicated processor on the motherboard called as the Trusted Platform Module. The TPM is isolated from the main processor with its own memory, OS, and an API. This is where all critical cryptographic processes take place—with a practically impenetrable hardware security layer for the keys.

In a similar fashion, smartphones have a specific environment in the processor for handling sensitive data executions like content protection (DRM) and biometric data processing. This isolated space is called the Trusted Execution Environment.

The TEE provides an isolated environment that encrypts your fingerprint and other biometrics that your device supports, hardware-level isolation for the encrypted data, tamper protection, and safety measures against reverse engineering.

So when you set up your fingerprint or capture your facial data for the first time, the data gets encrypted and stored in the TEE. And the rest of the applications are only limited to a true or false response from the TEE API and not the actual decrypted biometric template.

🥜 Nutshell
In a nutshell, your biometric data on your smartphone is stored locally inside a special hardware where the data is encrypted and isolated from the outside world. At the time of this writing, it’s practically impossible to gain access to your smartphone biometrics. Be it Apple or any other Android smartphone manufacturers (as long as they are compliant with Google’s security terms), they don’t have access to your biometrics.

Biometrics and security

Passwords can be changed as many times as you want. You can’t do that to your fingerprints, can you? Duh! So yes, you are technically walking around slapping your password everywhere for the world to take.

With a motivated criminal mastermind on the loose, you could have your device stolen, fingerprints lifted off that glass window where you window-shopped, and had a latex glove made with your prints on it that would have already unlocked your phone several times.

Fingerprints are just your identity. The stuff you use to authenticate yourself to your smartphone. An extra layer of a password is what gives that security element for your device. Now that you know this better. Stay secure with passwords. And don’t forget to take care of the webcams and microphones.

This post was first published on September 28, 2013.


Karthikeyan KC

Aeronautical engineer, dev, science fiction author, gamer, and an explorer. I am the creator of Geekswipe. I love writing about physics, aerospace, astronomy, and python. I created Swyde. Currently working on Arclind Mindspace.

Leave a Reply

Your email address will not be published. Required fields are marked *

1 Response

  1. January 16, 2019

    […] system or if allowed by privacy laws, user biometrics. And this is how you exactly need to use biometrics—to authenticate your identity and not as a damn […]