How does Android save your fingerprints?

The release of an iPhone without a fingerprint sensor has brought along some talk about using fingerprints for authentication and how securely the data is stored. That's awesome. Even if you're not concerned about how it's done, you need a lot of other people to be concerned so that it's done in a way you don't have to worry about!

For starters, Apple uses a similar solution, and if you have an older model with a fingerprint sensor you're just as safe using it as you were before. The same goes for older Samsung phones that launched pre-Marshmallow and used Samsung's own methods.

The way Google stores your fingerprint data is the most secure way possible with current tech. It's also fascinating how simple the overview of the whole thing is once you have a look at it. Simple and secure is always a winning combo.

Storage is, by its nature, not very secure. It's the same thing as writing something on a post-it note and putting it in a file cabinet. It's there because it needs to be there, and the best thing you can do is control who has access to it. For a file cabinet, you use a lock, and for your phone, you use encryption. For your fingerprint data, things go one step further: a Trusted Execution Environment (TEE).

A TEE is a separate and isolated area in the phone's hardware. A TEE might use its own processor and memory or it can use a virtualized instance on the main CPU. In both cases, the TEE is fully isolated and insulated using hardware-backed memory and input/output protection. The only way you will be getting in is if the TEE lets you in, and it never will. Even if the phone is rooted or the bootloader unlocked, the TEE is separate and still intact.

A separate processor with its own memory and operating system is used to analyze and store your fingerprint data.

Google uses what they call Trusty TEE to support this. A very small and efficient operating system, appropriately named Trusty OS, runs on the TEE hardware and kernel drivers allow it to communicate with the system. There are Android libraries (you guessed it: the Trusty API) for developers to use so they can ask what amounts to a yes or no question to the TEE. Not just fingerprint data is stored in the TEE. Things like DRM keys and manufacturer's bootloader encryption keys also live in the TEE and work the same way your fingerprint data does — answer whether data presented to it by an application matches the known good data it's storing.

Other manufacturers can use Trusty OS, or they can use a different system. As long as all the criteria are met (listed below) and the TEE is isolated and insulated, it will meet the security standards needed to use Pixel Imprint (formerly Nexus Imprint).

ARM TrustZone TEE block diagram.

When you register a fingerprint on your Android phone, the sensor grabs the data from the scan. Trusty OS analyzes this data inside the TEE, then creates two things: a set of validation data and an encrypted fingerprint template. This appears to be junk data to everything except the TEE, which also has the key to decipher that junk data. This encrypted fingerprint template is stored in an encrypted container either on the TEE or on your phone's encrypted storage. Three encryption layers mean it's nearly impossible to get the data, and even if you could, it's useless without a way to decipher it.

Android requires your fingerprint data to be secured with a unique key, and you can't take it to another phone or reuse it for another user.

The validation data is stored inside the TEE. When you place your finger on the scanner to try to do something, the scanner builds a profile of data. Through the Trusty API, the associated application asks the kernel to ask the TEE if it's right. The TEE checks against the stored validation data using its separate processor and memory, and if enough of the data matches it says yes. If there isn't enough matching data, it says no. This pass or fail response is sent back to the kernel as a software token that the API can read to see the result.

While the TEE itself uses a standalone OS and hardware to stay secure, the fingerprint template uses software-based encryption. It must be signed by a very specific key to be valid. This key is created using device-specific information, user-specific information, and time-specific information. In other words, if you remove a user, change devices or attempt to re-register a fingerprint (the system can tell if you're overwriting an existing fingerprint) the key is no longer recognized and can't be used to decrypt the fingerprint template.
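The enrollment and verification flow described above (validation data that never leaves the TEE, a sealed template handed back to storage, a yes-or-no answer, and a template key tied to device, user and enrollment time), as an added Python model. This is not Trusty OS code: the HMAC-based sealing, the match threshold and every name in it are assumptions made for illustration.

```python
import hashlib
import hmac

MATCH_THRESHOLD = 0.8  # assumed share of scan features that must match

def _keystream(key: bytes, length: int) -> bytes:
    """HMAC in counter mode, a toy stand-in for the TEE's real cipher."""
    blocks = (hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal(key: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext followed by a 32-byte tag."""
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    """Plaintext, or None when the key does not match (junk to the caller)."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))

class TeeModel:
    """Constructed model of the article's flow; not Trusty OS code."""
    def __init__(self, device_secret: bytes):
        self._device_secret = device_secret  # device-specific; never leaves the TEE
        self._validation = {}  # user_id -> (enrol_time, feature hashes); TEE-only
    def _template_key(self, user_id: str, enrol_time: int) -> bytes:
        # Key bound to device, user and enrollment time, as the article describes.
        msg = f"{user_id}|{enrol_time}".encode()
        return hmac.new(self._device_secret, msg, hashlib.sha256).digest()
    def enroll(self, user_id: str, features: set, enrol_time: int) -> bytes:
        # Validation data stays inside; only the sealed template is handed back.
        hashed = {hashlib.sha256(f.encode()).hexdigest() for f in features}
        self._validation[user_id] = (enrol_time, hashed)
        template = "\n".join(sorted(features)).encode()
        return seal(self._template_key(user_id, enrol_time), template)
    def verify(self, user_id: str, scan: set) -> bool:
        """The only thing that leaves the TEE: a yes or no answer."""
        entry = self._validation.get(user_id)
        if entry is None or not entry[1]:
            return False
        hashed = {hashlib.sha256(f.encode()).hexdigest() for f in scan}
        return len(hashed & entry[1]) / len(entry[1]) >= MATCH_THRESHOLD
    def open_template(self, user_id: str, blob: bytes):
        entry = self._validation.get(user_id)  # gone once the user is removed
        return None if entry is None else unseal(self._template_key(user_id, entry[0]), blob)
    def remove_user(self, user_id: str) -> None:
        self._validation.pop(user_id, None)  # wipes the key inputs with the user
```

A template sealed on one device stays opaque on another device, after the user is removed, and after the same user re-enrolls, because the key inputs no longer exist or no longer match.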

The basic rules that every company making Android phones with a fingerprint sensor has to follow:

  • All fingerprint data analysis must be performed inside the TEE
  • All the data associated with a fingerprint must be stored in the TEE or in trusted memory (memory that the main CPU can't even see)
  • Fingerprint profile data must be self-encrypted even if stored in encrypted phone storage
  • Removing a user account must also securely wipe any data associated with that user's fingerprints
  • Where fingerprint profiles are stored must not be visible to any application, process, or user including the root user
  • Fingerprint data of any kind must not be backed up to any other source, including the cloud or your computer or any application
  • Fingerprint authentication must be used by the process that requested it (no sharing of any fingerprint data, even just the yes or no answer to see if it was correct)

When you have a few standard specifications that are clear, it's not difficult to meet them. This is what makes sure that no matter what Android phone you're using, your fingerprint data will be stored safely and no other system process or app can get access to it. As cryptography evolves, especially hardware-backed encryption, so will this method of keeping your fingerprint data safe. It will be interesting to look back once Android Z launches and see how far we've come.

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.

  • Once again, another great read by Dr. Gerry!
  • *Jerry
  • Thank you doctor! Wonder if Apple's face mapping tech stores your data in a similar fashion for FP's or if they went with something new.
  • Ah, thanks for that link.
  • Great article!
  • Storing the data in software is not the same as storing it on the hardware in something like the Apple Secure Enclave. This is a rather poor comparison, and the Android solution is nowhere near as secure. One system guarantees that the data is only accessible on the actual hardware, locally, and the other can be accessed anywhere with the encryption keys.
  • Trusty TEE uses discrete hardware on the SOC, but no less physically separated. You may want to dive a little deeper in presenting what you consider to be the inherent differences with the secure enclave, as I am not understanding what you are presenting here.
  • As Jerry has explained, even on Android the fingerprint data is not accessible anywhere other than the device that created it. Apple is just very good in advertising their stuff while most Android manufacturers fail to sell the really amazing science that’s happening on their devices.
  • BS
  • Very interesting stuff. Thanks, Jerry!
  • Great article, thanks!
  • Jerry,
    Awesome article. We wondered how it worked. Thanks and please keep the great articles coming!
  • Since the courts ruled biometric data can be forced to gain access to your device, I'm not using any of that on a phone. I'd rather take the few extra seconds to enter my lock code, which the courts can't force you to divulge.
  • Cool story, bro.
  • I love having no rights.
  • Jerry, are you still not using fingerprint yourself?
  • It's sad that banks like TD will allow their "secure" apps to use Apple's fingerprint authentication techniques but are still nowhere close to allowing it on the Android ecosystem. Shame on you TD and the rest of the Canadian banks!
  • I've complained to TD about this as well. Ridiculous when my cable provider's app supports fingerprint authentication when my damn bank app doesn't.
  • So this doesn't prevent an application from saving the data it sends to TEE for validation - and then using it again when you're not presenting your fingerprint. I don't know if that's a security hole or not - presumably the app can do whatever it does any time. it's only using the fingerprint to ask for permission. And I guess if an app wants to do stuff without asking for permission, there's nothing to stop that. So having the saved fingerprint info isn't of much use. Or am I missing something?
  • You're missing that an App can never access the fingerprint, not even when the user touches the sensor. As a developer who just finished an application that uses it, I can tell you the process is just "tell the system you're expecting a finger and the system just gives you a yes or no" when it happens.
    Jerry didn't explain it and I really don't know, but probably even the Android Linux kernel doesn't have access to it; they may just wire the sensor directly to the Trusty processor.
  • You are apparently missing a lot.
  • I guess so. I had thought that the physical scanner was still read by the Android OS - and only the encrypted stored fingerprints were TEE-only. But apparently the whole thing, including the scanner and its driver are in the TEE OS. So apps (even with root) never see raw fingerprint data at all. Hmmm. Does that mean that the scanner can't be read by Android at all - or just that it's not read by Android when verifying fingerprints? How do tricks like 'swipe down on the fingerprint sensor to open the notification shade' work? Surely Android gets to see raw scanner data when doing that, no?
  • Lol, yep, fingerprints weren't enough, Apple wants your facial data now. The meme going around, with the CIA thanking Apple, is quite funny.
  • This 🤣👍
  • Considering fingerprint and facial identification doesn't leave the device, I find it hard to believe Apple is data-mining this information.
  • When your fingerprints and pictures are already on the internet, people already have access to your password since it is no longer private. My prints were taken when the security clearance database was hacked. Facebook and Snapchat are already building 3d stereoscopic models of your face from all the photos being shared. Having it stored on the device is pointless without total privacy of your biometric data.
  • This is a GREAT article, Jerry; thank you. As a follow-up: given this description and the security of TEE even on rooted and/or bootloader-unlocked phones, why can't applications such as Samsung/Android Pay continue to be used after rooting? I kept my Galaxy S6 unrooted for almost two years because rooting would "trip KNOX," violating the security controls that enabled Samsung Pay to function. It seems like using TEE instead of KNOX would be a solution...?
  • Because of the way Samsung Pay works it still has to live in the OS. It requires much more than a simple "yes/no" interaction. Samsung Pay requires a full GUI in order for you to be able to load cards and pick which card you are going to use. It also must access the internet every so often to get tokens for payment (it doesn't actually use a static card number like swiping your card does, hence the additional security against retailers having data breaches). Because of this it cannot live in something like the TEE. Therefore, a rooted phone could possibly have the payment information compromised and should not be able to run Samsung Pay or Android Pay, as that would undermine the security of such a payment service.
  • Thank you! Very nice explanation.
  • The short version is that devices don't store your actual fingerprint. They store a digital signature that is associated with your fingerprint. This, in itself, would not be secure except that a part of that digital signature is a key unique to the device itself. This means that that bit of data extracted to another device would be useless. The bits about the TEE just make it that much harder to get to the signature, which is useless even if retrieved. A properly designed biometric security system can be as secure as you want to make it. The problem of revocation, however, still hasn't been solved.
  • So if someone gets access to your fingerprints, how do you change your password? Plus many youth sports are requiring fingerprints. How secure are these, and how long until someone reverse engineers biometric security?
  • Good stuff.
  • Does blackberry store fingerprints similarly or do they do it differently?
  • DTEK60, our most recent secure Android cell phone, includes the first-ever biometric sensor incorporated with a BlackBerry gadget. BlackBerry Fingerprint Sensor gives upgraded security, as well as included comfort. It's simply one more case of the equipment and programming segments that are deliberately chosen to furnish BlackBerry clients with the most ideal experience. We've additionally built our Fingerprint Sensor to be exceptionally secure. Unique finger impression information doesn't ever leave your telephone, as it's encoded and put away only in the BlackBerry Secure Compound. A trusted execution condition for touchy information and applications, the Secure Compound is approved as a major aspect of DTEK60's safe boot process and is difficult to reach to outsider applications. Up to five clients can store their fingerprints per DTEK60, and once a client is expelled from the gadget their unique finger impression layout is promptly eradicated. Source ::
  • Fascinating article, as always. Way over my head. How can the average consumer ever understand technology at this level. We have to take so much on trust every day.