Smartphone Security - Fingerprint Authentication

Recently, biometrics has been gaining widespread popularity around the world. Initially, it was mainly used in applications related to law enforcement, security control, and even forensic departments. But with changes in technology and the enhancement of devices, it is becoming a mandatory part of our everyday lives. In fact, it is playing an important part in making the personal identification process easier than ever before. For example, in smartphones, fingerprint sensors are used for user authentication.

Governments have been implementing it for a variety of applications, such as civil identification, national ID and passports. This has been influencing other institutions and organizations to confidently implement biometric technology for their needs.

In order to make personal identification of citizens easier, a number of nations are now implementing fingerprint authentication technology for primary identification. Across a number of sectors, including the private domain, businesses are implementing biometrics and replacing their existing, outdated techniques. This mainly applies to employee attendance, KYC processes, customer identification, and so on, and fingerprint authentication is now widely used for these purposes. With this, there is no need to set up other hardware for a different group of people, and no need to keep a separate register and visitor's book as in the manual process.

Table of Contents

  • Smartphones Fingerprint Sensors
  • SDK and API
  • SDK and API Fingerprint Integration

Smartphones Fingerprint Sensors

One of the latest trends in the world of technology is the integration of fingerprint sensors on smartphones, mainly for authentication and user identification. This trend has been increasing since the launch of the Apple iPhone, but other phones were launched with fingerprint authentication as well.

Toshiba was the first company to come up with a phone that had a fingerprint sensor. This device did not gain high popularity, though, because it was just the beginning of mobile biometrics. Over the years, various other brands implemented fingerprint authentication, with Motorola launching the Atrix, which was the first Android phone to come with a rear-mounted fingerprint sensor.

The Motorola Atrix was launched with Android 2.2, otherwise called Froyo, but did not provide native support for fingerprint sensors. However, it did not get as much recognition as expected. The launch of the iPhone made it quite clear that innovative ideas would not become popular unless they happened to be implemented via the iPhone.

Apple came up with a tailor-made hardware and software solution that boosted the fingerprint recognition process. This came to be known as Touch ID. It helped users to unlock the iPhone: all they had to do was scan their fingerprints. It also let them validate purchases made across Apple's digital media stores, including Apple Store, iBook Store, and iTunes. This made it imperative for other manufacturers to implement fingerprint authentication sensors on their smartphones in order to compete for business and sales.

Later, we witnessed the introduction of the Galaxy S5, which came with fingerprint authentication. Another was Google's Marshmallow, released in October 2015, which offered native support for integrating fingerprint sensors.

Though these fingerprint sensors were initially restricted to flagship devices only, later these scanners became a trend across mobile devices as well. This is when manufacturers decided to introduce biometric hardware across both low-end and mid-end smartphones. The actual power of fingerprint sensors is utilized by third-party app makers, who integrate it for authentication purposes within their apps.

However, in the initial days, neither iOS nor Android provided third-party apps with access to fingerprint authentication hardware and data. With technical enhancements and improvements in biometric data security, OS makers then allowed third-party apps to access and make use of the feature.

Apple gave third-party app developers a chance to integrate Touch ID authentication within their apps with the introduction of iOS 8. Apple manufactures both the hardware and the software of the iPhone, which makes it simpler to take care of the security side of its phones. Google takes a different approach with Android: it is an open-source project and can be implemented by a variety of manufacturers as they need. Manufacturers tailor the OS and ship it with a number of apps and features besides the core OS.

With Android, manufacturers integrating fingerprint scanners into their devices can create their own APIs or use the generic API for Android.

SDK and API

We almost always come across terms such as software development kit (SDK) and application programming interface (API). In order to allow third-party apps to access a service, APIs had to be released that would let those apps engage with the fingerprint service. With this kind of integration in place on a single device, such as a PC or any other device, it became possible to send requests across the internet to remotely located software.

APIs can be introduced using the SDK provided by the service provider, making it easier for external apps to gain access to the services it offers. A variety of technology companies own a number of software products and services, some of which are developed in-house, while others are developed by external service providers. The main intent of the tech firms is to make the services popular and make them available to a number of external apps.

These services may be free, paid or premium. When offering free services, the service providers get an opportunity to examine the service and ensure that a number of developers can be engaged to develop apps that influence their systems.

The fact is that it is challenging for anyone to start writing from the beginning. The latest apps come with a range of functionalities, which cannot all be coded or set up from scratch. An API is a standard or specification that is meant to be used as an interface by software elements to communicate with one another. APIs come with standards that can be used for data structures, variables, object classes, and routines. Some APIs are language dependent and others are language independent.

Language-dependent APIs can be used only in apps that are written in a particular language. Such an API uses the specific syntax and components of that programming language to make the API easier to use. Language-independent APIs are written in ways that can be used by any application, regardless of the language in which it has been coded.

Speaking of SDK, it comprises a set of tools, which can be used when developing software apps for any specific platform. When developing Android applications, a developer is required to download the Android SDK from the Android developers’ website. An SDK comprises a variety of tools, documentation, sample code and libraries, which help app developers to create apps.

SDK and API Fingerprint Integration

A number of companies are creating ecosystems that comprise integrated services. These services are capable of communicating with one another, and data can be seamlessly shared across these ecosystems. The companies engage with large communities of developers to create apps and services and to integrate them.

Moreover, tech firms are striving hard to ensure that developers can create ecosystems, such that many services can be brought together to develop services that can be integrated with these systems. With this come training material, SDKs, tools, APIs, and videos.

This is applicable to biometric software solution firms. Biometric software firms get developers to use their SDKs and APIs to create presence and revenue. To integrate fingerprint hardware, developers require a fingerprint SDK that allows them to access fingerprint hardware features, and an API that can communicate with other software or services. For example, to integrate fingerprint hardware with an Android app, a developer needs to get the Android SDK and target an API level. The API level is determined by the Android versions the app needs to be compatible with. SDKs and APIs are often available on the software or service provider's website and can be downloaded by anyone. In cloud biometrics, applications integrated with fingerprint sensors need to communicate with remote servers on each request.

This communication is made possible only by APIs. Biometrics as a Service or cloud biometrics service providers also provide APIs that can communicate with external services and software.

Some device hardware manufacturers like Samsung provide an SDK and API for their devices to securely integrate apps with fingerprint hardware. Developers can use Android's generic API or the device manufacturer's API as required. Apple also provides the iOS SDK and Touch ID API for fingerprint authentication. With a poor integration, you will find poor-quality performance and the project may fail.

Conclusion

Fingerprint authentication is an integral part of technology these days and will change the future of data security of smartphones.

 


Clicking an image could have hacked WhatsApp

Users of WhatsApp Web (the browser-based version of the app) were recently targeted with an image-based security threat where simply clicking an image could have hacked their accounts.

A security vulnerability was present in WhatsApp Web and it was recently patched by WhatsApp. By exploiting this vulnerability, an attacker could send malicious code (virus or malware) hidden within an image to their target. Clicking this image would let the attacker take control of the victim's WhatsApp account and access all its data – pics, videos, chats, contact lists, everything. And by having access to the contact list, the attacker could send the same infected image to the victim's contacts, spreading it to others and turning this attack into a kind of fission reaction – one infection leads to another and so on.

The same security vulnerability was also detected in the browser-based version of another popular messaging app, Telegram. The good news is that the flaw has been fixed for both of them.

Points to remember:

  • This security flaw does not affect the mobile apps of WhatsApp and Telegram. This does not mean that these apps won’t be affected in the future.
  • Avoid clicking documents, images or links received from unknown numbers.
  • If received from a known sender, ask them what the content is about.
  • Always use an updated version of mobile apps.
  • Install a reliable mobile antivirus that can detect and block installation of fake or harmful apps.

Google offering $2.7 million USD to hack Chrome OS

Google is going to offer $2.71828 million USD to researchers who can hack its browser-based operating system, Chrome OS, as part of its Pwnium hacking contest to be held in March this year. Pwnium 4 will be hosted at the CanSecWest security conference in Vancouver, Canada.

"Security is a core tenet of Chromium, which is why we hold regular competitions to learn from security researchers. Contests like Pwnium help us make Chromium even more secure," Google said in a blogpost.

"With a total of USD 2.71828 million in the pot, we'll issue Pwnium rewards for eligible Chrome OS exploits at USD 110,000 for browser or system-level compromise in guest mode or as a logged-in user, delivered via a web page." Google will also pay USD 150,000 for an exploit that can persistently compromise an HP or Acer Chromebook, i.e. hacking the device to retain control even after a reboot.

The earlier editions of the Pwnium competition focussed on Intel-based Chrome OS devices, but this year Google will allow researchers to choose between the ARM-based HP Chromebook 11 (WiFi) and the Acer C720 Chromebook (2GB WiFi), which is based on Intel's Haswell microarchitecture.

Google said it would consider larger bonuses this year to researchers who demonstrated what it called a "particularly impressive or surprising exploit".

"New this year, we will also consider significant bonuses for demonstrating a particularly impressive or surprising exploit. Potential examples include defeating kASLR, exploiting memory corruption in the 64-bit browser process or exploiting the kernel directly from a renderer process," it said.