Samsung closed the gap with Apple when it launched a touch-based fingerprint sensor in the Galaxy S6 and the Galaxy S6 edge, but a recent report claims that the fingerprint sensors used in Android smartphones are not as secure as the Touch ID fingerprint sensor used in recent iPhones.
The new research by Yulong Zhang & Tao Wei, which was presented at the Black Hat USA 2015 conference in Las Vegas earlier this week, demonstrated new ways to attack Android devices and steal fingerprints from them. This threat is confined mostly to Android devices including the ones from Samsung, HTC, and Huawei.
Of the four attack methods outlined by the researchers from FireEye, one in particular – the fingerprint sensor spying attack – could remotely steal fingerprints on a large scale. This attack was confirmed on the Galaxy S5 as well as the HTC One Max. Apparently, smartphone makers don't fully lock down fingerprint sensors. Furthermore, sensors in some devices seem to be guarded by “system” privilege instead of “root”, making the job easier for hackers.
In this attack, victims’ fingerprint data directly fall into attacker’s hand. For the rest of the victim’s life, the attacker can keep using the fingerprint data to do other malicious things.
– Yulong Zhang
The researchers did not comment on which Android smartphone maker has better security than the others, but Zhang mentioned that the iPhone is “pretty secure” as it encrypts the data from the fingerprint sensor. After the report was released, all the vendors released security patches for their devices. According to the researchers, the threat isn't limited to smartphones, as even some high-end laptops with fingerprint sensors could be compromised.
The researchers advised users to use devices that are frequently updated, install apps from reliable sources, and not root their devices. As we reported earlier, rooting your Galaxy S6/S6 edge prevents you from using Samsung Pay, because Samsung knows that the transaction can't be kept as secure as it should be.