
@aftabsikander
Created March 21, 2017 20:53
Fingerprint
Glen,
As discussed on our previous call regarding the fingerprint functionality, I've outlined below detailed information covering the implementations of the different vendors and of Google.
Every vendor had its own fingerprint implementation before Android Marshmallow (6.0) was launched. Samsung was the first vendor to bring the fingerprint feature to its Android devices, and it also provided an SDK for third-party developers.
### Samsung SDK [(Pass)](http://developer.samsung.com/galaxy/pass)
The Pass SDK allows us to use fingerprint recognition features in our application. With the Pass SDK, we can provide reinforced security by identifying whether the current user is the actual owner of the device.
All Samsung devices that have a fingerprint sensor and run an Android version lower than Marshmallow use the Pass SDK. The Samsung Galaxy S5 and Note 5, however, keep using the Pass SDK because their implementations did not follow the rules of Google's Marshmallow Compatibility Definition Document (CDD); hence they cannot use Google's native Fingerprint API.
### Google's Nexus Imprint
Every vendor had its own approach to security, to the implementation of the process and, most importantly, to how the user's private data is stored.
After the launch of Marshmallow came the long-awaited native support for fingerprint authentication via a standard API. First made available on the Nexus 5X and Nexus 6P, Google introduced the fast and secure Nexus Imprint fingerprint sensor, which also brought along the first implementation of the Android 6.0 Marshmallow fingerprint sensor API. Fingerprints are recognized in less than 600 milliseconds, providing a fast and comfortable user experience.
Android uses the Fingerprint Hardware Abstraction Layer [(HAL)](https://source.android.com/security/authentication/fingerprint-hal.html) to connect to a vendor-specific library and fingerprint hardware, e.g. a fingerprint sensor [(more info)](https://source.android.com/security/keystore/index.html).
### Fingerprint storage security
Most storage strategies on Android are insecure, especially when you consider the possibility of root access. But Google has made a noteworthy step in the right direction by moving all print data manipulation to the [Trusted Execution Environment (TEE)](https://en.wikipedia.org/wiki/Trusted_execution_environment) and providing strict guidelines for fingerprint data storage that manufacturers must follow.
### About TEE
TEE is a secure area of the smartphone's main processor. It guarantees **confidentiality** and **integrity** of the code and data loaded inside. This separation enables security and protection from hacks, malware and root access.
![enter image description here](https://photos.infinum.co/store/d6a126ecd941035c2514ed8febe43604)
- All fingerprint data manipulation is performed within TEE
- All fingerprint data must be secured within sensor hardware or trusted memory so that images of your fingerprint are inaccessible
- Fingerprint data can be stored on the file system only in encrypted form, regardless of whether the file system itself is encrypted or not
- Removal of the user must result in removal of the user's existing fingerprint data
- Root access must not compromise fingerprint data
### Fingerprint templates
Fingerprint templates are the processed versions of raw fingerprint data. In order to comply with guidelines they must be cryptographically authenticated. This means they have to be signed with a private, device-specific key and enough additional data (an absolute filesystem path, finger ID and group) that will unequivocally define their binding relationship. As a result, these templates are rendered useless if copied to another device or another user tries to use them.
Finally, fingerprint data is not backed up to the user's computer or Google's servers. It is not synced, shared or used by any other app on your device nor does it ever leave your device. The only information apps receive is whether a fingerprint has been verified or not. This also means the user has to set up fingerprint authentication on each new device.
### Google Marshmallow Compatibility Definition
The rules come from [Google's Marshmallow Compatibility Definition Document (CDD)](https://static.googleusercontent.com/media/source.android.com/en//compatibility/6.0/android-6.0-cdd.pdf). While fingerprint sensors are not required **(i.e. not a MUST)**, Google encourages OEMs to include them **(SHOULD)**. Here's the relevant text from the CDD.
**7.3.10. Fingerprint Sensor**
Device implementations with a secure lock screen SHOULD include a fingerprint sensor. If a device implementation includes a fingerprint sensor and has a corresponding API for third-party developers, it:
- MUST declare support for the android.hardware.fingerprint feature.
- MUST fully implement the corresponding API as described in the Android SDK documentation [Resources, 95].
- MUST have a false acceptance rate not higher than 0.002%.
- Is STRONGLY RECOMMENDED to have a false rejection rate not higher than 10%, and a latency from when the fingerprint sensor is touched until the screen is unlocked below 1 second, for 1 enrolled finger.
- MUST rate limit attempts for at least 30 seconds after 5 false trials for fingerprint verification.
- MUST have a hardware-backed keystore implementation, and perform the fingerprint matching in a Trusted Execution Environment (TEE) or on a chip with a secure channel to the TEE.
- MUST have all identifiable fingerprint data encrypted and cryptographically authenticated such that they cannot be acquired, read or altered outside of the Trusted Execution Environment (TEE) as documented in the implementation guidelines on the Android Open Source Project site [Resources, 96].
- MUST prevent adding a fingerprint without first establishing a chain of trust by having the user confirm existing or add a new device credential (PIN/pattern/password) using the TEE as implemented in the Android Open Source project.
- MUST NOT enable 3rd-party applications to distinguish between individual fingerprints.
- MUST honor the DevicePolicyManager.KEYGUARD_DISABLE_FINGERPRINT flag.
- MUST, when upgraded from a version earlier than Android 6.0, have the fingerprint data securely migrated to meet the above requirements or removed.
- SHOULD use the Android Fingerprint icon provided in the Android Open Source Project.
Link:
https://source.android.com/compatibility/cdd.html
These are basically the rules for all vendors that want to build a phone with support for Marshmallow's version of fingerprint sensor support: they have to follow all the API guidelines to make sure data is kept secure. There are both hardware and software requirements that OEMs have to follow in order to use Google's system and to support all the apps that use the standard Android APIs.
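As an added example (not code from this gist, and not Google's or Samsung's own sample code), the following shows what the Marshmallow API described above looks like from the application side: the app asks `FingerprintManager` to authenticate against a `CryptoObject` whose AES key lives in the hardware-backed `AndroidKeyStore` with `setUserAuthenticationRequired(true)`, so the app only ever learns that *a* fingerprint was verified by the TEE (never which one, and never the template), and the CDD's "5 false trials, then at least 30 seconds" rate limit reaches the app only as the `FINGERPRINT_ERROR_LOCKOUT` error code. The class name, the key alias, the `Callback` interface and the transformation string are assumptions made for this example; the API calls themselves are the standard API 23 ones.

```java
import android.content.Context;
import android.hardware.fingerprint.FingerprintManager;
import android.os.CancellationSignal;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;

import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/**
 * Added example (not from the gist). Requires API 23 and
 * <uses-permission android:name="android.permission.USE_FINGERPRINT" /> in the manifest.
 * The app never receives fingerprint data: it gets succeeded/failed/error callbacks and,
 * on success, a Cipher that the hardware-backed keystore has authorised for one operation.
 */
public class FingerprintGate {
    private static final String KEY_ALIAS = "example_fingerprint_bound_key"; // assumed alias
    private static final String ANDROID_KEYSTORE = "AndroidKeyStore";
    private static final String TRANSFORMATION = KeyProperties.KEY_ALGORITHM_AES + "/"
            + KeyProperties.BLOCK_MODE_CBC + "/" + KeyProperties.ENCRYPTION_PADDING_PKCS7;

    /** Outcomes the app can observe (assumed interface). Note: no "which finger" information. */
    public interface Callback {
        void onUnlocked(Cipher authorisedCipher);   // a fingerprint was verified inside the TEE
        void onRejected();                          // a touch that did not match; user may retry
        void onLockedOut(CharSequence message);     // CDD 7.3.10 rate limit: 5 failures -> >= 30 s
        void onUnavailable(CharSequence message);   // any other error, incl. invalidated key
    }

    private final FingerprintManager manager;

    public FingerprintGate(Context context) {
        manager = (FingerprintManager) context.getSystemService(Context.FINGERPRINT_SERVICE);
    }

    /** True only if a sensor exists and the user has enrolled at least one fingerprint. */
    public boolean isUsable() {
        return manager != null && manager.isHardwareDetected() && manager.hasEnrolledFingerprints();
    }

    /** AES key kept in the hardware-backed keystore; unusable until the user authenticates. */
    private SecretKey getOrCreateKey() throws Exception {
        KeyStore keyStore = KeyStore.getInstance(ANDROID_KEYSTORE);
        keyStore.load(null);
        SecretKey existing = (SecretKey) keyStore.getKey(KEY_ALIAS, null);
        if (existing != null) {
            return existing;
        }
        KeyGenerator generator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEYSTORE);
        generator.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
                .setUserAuthenticationRequired(true) // every use needs a TEE-verified fingerprint
                .build());
        return generator.generateKey();
    }

    public void authenticate(CancellationSignal cancel, final Callback callback) {
        final Cipher cipher;
        try {
            cipher = Cipher.getInstance(TRANSFORMATION);
            cipher.init(Cipher.ENCRYPT_MODE, getOrCreateKey());
        } catch (KeyPermanentlyInvalidatedException e) {
            // Enrolled fingerprints changed (new finger added) or the secure lock screen was
            // removed since the key was created: the key is gone for good and must be recreated
            // after the user re-authenticates with their PIN/pattern/password.
            callback.onUnavailable("Key invalidated by a change in enrolment or lock screen");
            return;
        } catch (Exception e) {
            callback.onUnavailable(String.valueOf(e.getMessage()));
            return;
        }

        manager.authenticate(new FingerprintManager.CryptoObject(cipher), cancel, 0 /* flags */,
                new FingerprintManager.AuthenticationCallback() {
                    @Override
                    public void onAuthenticationSucceeded(FingerprintManager.AuthenticationResult result) {
                        // The keystore has now authorised exactly this Cipher operation.
                        callback.onUnlocked(result.getCryptoObject().getCipher());
                    }

                    @Override
                    public void onAuthenticationFailed() {
                        callback.onRejected();
                    }

                    @Override
                    public void onAuthenticationError(int errorCode, CharSequence errString) {
                        if (errorCode == FingerprintManager.FINGERPRINT_ERROR_LOCKOUT) {
                            callback.onLockedOut(errString); // back-off is enforced by the hardware
                        } else if (errorCode != FingerprintManager.FINGERPRINT_ERROR_CANCELED) {
                            callback.onUnavailable(errString);
                        }
                    }
                }, null /* handler: callbacks on the main looper */);
    }
}
```

Two things worth noting in this design: the app does not implement the lockout counter itself, because the CDD places that in the TEE-backed implementation, so the app only reacts to the error code; and because the key is bound to the enrolled fingerprints, any change in enrolment invalidates it, which is what forces the PIN/pattern/password step the CDD requires. The Samsung Pass fallback mentioned in this memo is not shown; on a device where `isUsable()` is false, the vendor SDK would be the alternative path.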
### Conclusion
As we can see, Google sets both hardware and software requirements for OEMs to follow. In our view, the most important points are:
- OEMs must adhere to the new Android fingerprint API in full. Lousy implementations (as in the Samsung Galaxy S5) are not allowed.
- Fingerprint data must be stored and authenticated inside of the Trusted Execution Environment.
- There must be a delay of at least 30 seconds between subsequent attempts after 5 unsuccessful trials.
- Adding or altering fingerprints must be preceded with PIN/pattern/password authentication.
- Most importantly, ALL devices equipped with fingerprint readers that are upgrading to Android 6.0 from an earlier version MUST adhere to the new guidelines completely.
So, at least in theory, Android 6.0 smartphones should have a pretty straightforward implementation of fingerprint unlock. However, if an OEM does not follow these rules, the only way to support fingerprint authentication on that device is to use the OEM's own SDK as a fallback strategy.