Android Pie has a lot of small-sounding but very significant changes to Android's core. We see that with every upgraded version of Android, and often these changes are surrounding security. Google has a vested interest in keeping Android secure enough that the average user doesn't need to worry about the how or the why — the company needs you on the internet and using internet services to make money. In Android Pie we see one big change to the most convenient thing that ever happened to keep your phone secure: biometrics.
Biometrics is letting part of you prove that it's really you.
Biometrics is the "art" of using a unique-to-you body feature as a secure way to identify yourself. We're most familiar with fingerprint scanners, but biometrics cover facial recognition and iris scanning and even voice printing. Anything that's uniquely you can be used as your identity with the right equipment and algorithms looking at it. Fingerprint scanning makes it easy to put a lock on your phone's screen, and from a user standpoint, it's what got people to start doing it. The next step will be accurate facial recognition. We already see companies using it and calling it secure, and it's been part of Android since Ice Cream Sandwich, though Google will tell you it's not a secure method to unlock your data.
That's about to change. With Android 9, Google has added an entirely new security model for biometrics. Building on a feature-set introduced in Android 8.0, Google has a new way to verify the accuracy of biometric data, a new set of features that can use the idea to test the accuracy, a new model that splits biometric security into weak and strong, and finally a public API that developers can use to tap into this whenever they need to properly identify the user.
What makes biometrics "strong"?
Google introduced what it calls SAR/IAR metrics (Spoof Acceptance Rate / Imposter Acceptance Rate) that measure how, and how easily, an attacker (that's the common word security pros use for "person who wants in your phone") can get around a properly built biometric security implementation. Think of someone using a good photo of your face to fool face unlock and that's spoofing while changing the way you look to fool a face scanner as Imposter attempts.
Culling the weak is hard work. Thankfully, Google is doing it all.
These SAR/IAR scores are used to determine if a biometric security system is strong or weak. Using a score of 7% (that means 93% percent effective 100% of the time) because that's the score given to a proper implementation of a fingerprint scanner in a modern Android phone as the baseline, strong biometrics will have access that weak biometrics won't.
Both methods are OK to use to unlock your phone. But biometrics classified as weak won't be able to authenticate for payments or access an auth-bound key (a special authentication key that an app has created only for its own use) for any type of monetary transactions. You'll also be required to use a strong biometric feature or manually enter a password or pin after four hours of not using your phone if you use weak biometrics to sign in. Most importantly, weak biometrics won't be able to use the new Android Pie BiometricPrompt API to say you are really you.
Let Google do the work and developers use an API
The BiometricPrompt API depends on strong biometric features returning a value that says you are a match before it acts as successful. This means it will be more difficult to fool a face scanner with a photo, for example. By having a way for every developer to tap into a set of known strong authentication techniques, developers won't have to implement their own or depend on weaker and less secure methods. This is a big deal to the IT security team at your bank. It's also a big deal to anyone who wants to trust that an app or service is properly built to keep your identity and login safe.
Developers will be able to use the BiometricPrompt API with a support library to allow older versions of Android to benefit, too.
We won't notice a difference other than not being able to use sub-standard ways of proving who we are to give access to sensitive data about ourselves. We don't need to notice a difference, and something like this new API is best when we don't — it was done correctly because it's invisible to the user. It's what marketing people like to call "magical," because we don't know or need to know how it works as long as it works all of the time.
We expect Google to make use of this new feature with the Pixel 3's login prompt, and a support library allows a developer to use the new API on older devices. These are the kinds of changes Android needs to move forward and it's great seeing them done. Here's hoping its as successful in practice as it looks on paper.
Updated August 2018: Android 9 Pie is officially out! We've replaced all mentions of Android P to reflect its official name.
