You’re concerned about security, so when your Android smartphone gives you the option of scanning your fingerprint to unlock the device, open certain apps, or authorise a money transfer, you turn it on.
Well, maybe you shouldn’t if you’re the owner of an HTC One Max Android phone. Because security researchers have revealed that the so-called smartphone stores an image of users’ fingerprints without a seeming care in the world about security:
“The fingerprint is saved as /data/dbgraw.bmp with ‘0666’ permission (world-readable). Any unprivileged processes or apps can steal users’ fingerprints by reading this file.”
It would be bad enough that the file containing the fingerprint image is so easy to access, rather than stored in a more secure part of the system, but it is also – get this – unencrypted too. Sigh…
What’s more, any malicious app running on your HTC One Max Android phone could also be scooping up your fingerprint each and every time you use it:
“To make the situation even worse, each time the fingerprint sensor is used for auth operation, the auth framework will refresh that fingerprint bitmap to reflect the latest wiped finger. So the attacker can sit in the background and collect the fingerprint image of every swipe of the victim.”
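The two findings above amount to a file-permission check plus a "does this file change on every swipe?" observation. The following Python is an added example written for this page, not code from the FireEye researchers or from HTC: it walks a directory tree, reports every regular file that is world-readable (the `S_IROTH` bit, which is what a `0666` mode sets), parses the BMP header of any hit so you can see that it really is an image and how large it is, and shows the hardened way to write a file so that it is never readable by other apps. The sample tree it builds, the `dbgraw.bmp` contents and the `256x360` image size are constructed for the demonstration and are not taken from the research.

```python
import os
import stat
import struct
import tempfile


def is_world_readable(path):
    """True if 'other' has read permission, i.e. the 0666 case from the finding."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def mode_of(path):
    """Octal permission bits of a file as a string, e.g. '0o666'."""
    return oct(stat.S_IMODE(os.stat(path).st_mode))


def bmp_dimensions(path):
    """Return (width, height) if the file carries a BMP header, else None."""
    with open(path, "rb") as f:
        header = f.read(26)
    if len(header) < 26 or header[:2] != b"BM":
        return None
    # BITMAPINFOHEADER: width at offset 18, height at offset 22, little-endian int32.
    # A negative height means top-down pixel order; the size is the same either way.
    width, height = struct.unpack_from("<ii", header, 18)
    return width, abs(height)


def audit_world_readable(directory):
    """List world-readable regular files under directory.

    Returns sorted (relative path, octal mode, BMP dimensions or None) tuples,
    so a sensitive bitmap left at 0666 shows up with its image size.
    """
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & stat.S_IROTH:
                rel = os.path.relpath(path, directory)
                findings.append((rel, oct(stat.S_IMODE(st.st_mode)), bmp_dimensions(path)))
    return sorted(findings)


def make_fake_bmp(width, height):
    """Build a minimal 24-bit BMP (constructed stand-in, not a real fingerprint image)."""
    row_bytes = (width * 3 + 3) & ~3  # rows are padded to 4-byte boundaries
    pixel_bytes = row_bytes * height
    file_header = struct.pack("<2sIHHI", b"BM", 54 + pixel_bytes, 0, 0, 54)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                              pixel_bytes, 2835, 2835, 0, 0)
    return file_header + info_header + bytes(pixel_bytes)


def write_private_file(path, data):
    """Hardened pattern: create the file owner-only from the first instant.

    Passing 0o600 to os.open means there is no window in which a 0666 file
    exists; the trailing chmod handles a pre-existing file, which O_TRUNC
    would otherwise leave with its old permissions.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chmod(path, 0o600)
    return mode_of(path)


def build_sample_tree():
    """Constructed stand-in for /data: one 0666 dbgraw.bmp and one 0600 file."""
    d = tempfile.mkdtemp(prefix="data_")
    leaky = os.path.join(d, "dbgraw.bmp")
    with open(leaky, "wb") as f:
        f.write(make_fake_bmp(256, 360))  # hypothetical image size
    os.chmod(leaky, 0o666)  # the weak setting described in the finding
    private = os.path.join(d, "private.bin")
    with open(private, "wb") as f:
        f.write(b"\x00" * 16)
    os.chmod(private, 0o600)  # the corrected setting
    return {"dir": d, "leaky": leaky, "private": private}


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, mode, dims in audit_world_readable(sample["dir"]):
        print(f"{rel}: mode {mode}, bmp={dims}")
```

Pointed at a real directory tree, `audit_world_readable` only tells you what is readable by everyone; to see the second finding (the bitmap being rewritten on every authentication) you would compare `os.stat(path).st_mtime` or a hash of the file across successive swipes. Permission bits are only meaningful on a filesystem that stores POSIX modes, so run this on the device or on an ext4 copy, not on a FAT-formatted SD card.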
It’s a shame that the promotional video for the HTC One Max doesn’t mention this particular undocumented feature of the fingerprint scan.
Still happy that you enabled fingerprint scanning in that app you use to transfer money from your bank account?
The research – by Yulong Zhang, Zhaofeng Chen, Hui Xue, and Tao Wei of FireEye Labs – was presented at the Black Hat conference last week. You can read the full report here.
If we can’t trust the manufacturers of the computers that we put in our pockets and carry around with us all day, every day, to take security more seriously than this – what on earth are the chances that the internet of things will ever be safe?