
The most important news from the Android Security recap had nothing to do with malware

The funny thing about security, of course, is most of us on the end-user side of things tend to not worry about it until it's too late. That's natural, of course. It's why we close the barn door after the horse is long gone.

For most of us, security isn't sexy — it's a hindrance. It's our IT department requiring us to change an already pain-in-the-ass-to-remember password to another pain-in-the-ass-to-remember password that we haven't used once before — and then we write it down and leave it under our keyboard anyway. It's why our PIN codes are fewer characters than they would be — or why we forgo them at all on our devices.

Fingerprint sensors are changing that. They're making it easier than ever to keep our devices locked, but still make it relatively easy for the phone owner to unlock. Comparing the 2013 Nexus 5 and 2014 Nexus 6 — two phones that don't have fingerprint sensors — to the 2015 Nexus 5X and Nexus 6P, Google found that lock screens were being used about 64 percent more often — on about 91 percent of those new phones.

That little tidbit is perhaps the most promising news to come out of Google's "Android Security 2015 Year In Review." (Read the PDF here.) It's not as sexy as learning how many billions of scans were performed in the background, or how small a percentage of devices ever come in contact with a "Potentially Harmful App." But combined with the 43 percent increase in use of the Android Device Manager — which helps you locate, lock and/or wipe a missing device — it's perhaps the single most important thing anyone can do to safeguard their data.

By now the Samsung Knights are screaming that their chosen devices have had fingerprint scanning for years. And indeed they have, and Samsung should be commended for that sort of forward (if proprietary, at the time) thinking. But moving fingerprint scanning support into the whole of Android, and not just a (large) subset of devices, means that any manufacturer can take advantage of this increased security. And that any app developer can tap into the APIs to make their apps more secure.

And that there's now absolutely no excuse for any of us to not have a lockscreen set on our phones.

There is one last hurdle, however. Tablets. Again, a scant few models have fingerprint readers. Samsung is the Android leader in this, naturally. But not even Google's own Nexus 9 or Pixel C tablets have the hardware to support fingerprint security. That's something we'd love to see change in the next Nexus iteration, even while we continue to use other on-device security mechanisms like Smart Lock, which allows you to bypass the lock screen when connected to a trusted Bluetooth device, or in a preset location.

Fingerprints are more secure than geofencing. They're easy to use. And they shouldn't be overlooked.

39 Comments
  • Absolutely agree, the fingerprint scanner on my Note 5 finally got me to lock my screen. I didn't for years; I just couldn't be bothered with the time it took to unlock the device.
    Now both of my devices, my Note5 and my Nexus 5x, are locked with my fingerprint. I know it's not foolproof but it's loads better than no security.
  • Agreed. It was the Note 5 that got me to do it too: at first I was quite frustrated that the fail rate was so high, but eventually I found out I was using it wrong, and that I'd learn to place my fingers correctly to unlock it right 90% of the time. Now on my S7 and Tab S2, I lock my devices with fingerprint, and when I went back to the Moto X 2014 when my Note 5 had just been sold (and awaiting the arrival of my S7), it felt SO antiquated, even though I was using Smart Lock. And what a difference 6 months makes: Moto has gone from no fingerprint on any devices, to basically confirming the feature across its entire lineup for this year.
  • +1 Posted via the Android Central App
  • I remember reading somewhere that LEOs can't force you to divulge a password or PIN, but they can force you to surrender your finger. Not sure if that's true or not, but it's an important distinction for the tinfoil hat crowd.
  • From my cold, dead ... wait.
  • http://blogs.wsj.com/digits/2014/10/31/judge-rules-suspect-can-be-requir... Kind of. Not sure if any other states followed this absurd logic. I wonder if this is partly why Samsung and others are requiring a password now in Marshmallow in addition to a fingerprint during certain situations. Posted via the Android Central App
  • Yes, that's right. Which is why Samsung and Apple require you to enter a PIN after turning off your device.
  • I believe the best thing to do in that situation, if you're going to resist unlocking your phone, is to power down your phone before they even approach your vehicle (most likely situation I am guessing when dealing with LEOs). The fingerprint scanner can't be used and forces the person to type in a password. They can't access your phone. Now a court order...
  • You are correct. A judge in Virginia Beach ruled that a defendant can be compelled to use his fingerprint to unlock their phone, but not a passcode.
    http://pilotonline.com/news/local/crime/police-can-require-cellphone-fin...
  • Yup. As someone who is in Virginia for most everything from grocery shopping to buying gas, this bothers me a little bit. Like the person above said, require a passcode to start your phone and hit the power button if you see the blue lights in your mirror.
  • Yes, that's what the law says, which is why I read somewhere that you should turn off your device before you get arrested as your biggest priority if there's any "sensitive" data on the phone. Not that most of us would ever have any problems with that, but yeah.
  • Cue the pendants who will point out that you can spoof a fingerprint reader, and biometric attributes cannot be revoked. Both true but both criticisms are missing the big picture. We can't let the perfect destroy the good.
  • Agree that's a dumb argument. If I'm in the position where someone is going to spoof my fingerprint to get into my phone, I probably have bigger problems than not using a lockscreen.
  • It's actually not a dumb argument at all. Having worked in the biometrics arena for years, I can say it's a very valid concern. It may not matter to _you_, much like privacy doesn't matter to some, but that doesn't negate the validity of the concern and the importance in general. I'm not going to actually make the arguments, because every time anyone does, the conversation just devolves into yelling and name calling. I invite anyone who even cares enough to read these comments to actually do research and become educated before dismissing it out of hand.
  • I agree. But there's also a difference between theoretical and practical. They're absolutely not mutually exclusive — the theoretical is important as hell, and I'm glad Google has super-smart people working on it. But for me, the practical is of more concern.
  • Agreed. It's the main reason why I will not buy a Chinese phone. Why would I willingly give my unchangeable biometrics to companies that are subsidized and share information with the Chinese government? To save one or two hundred dollars on a phone? Thanks but no thanks.
  • *Pedants. Sorry, completely irresistible in this case! You're right though, these very real (real in the sense that they're possible, not plausible) concerns are easily outweighed by the fact that a fingerprint sensor is even more convenient than not having a lock screen, so there's no real excuse to not lock your device down. It's best to assume I'm being sarcastic. If I'm ever serious I'll type "/s" to make it clear.
  • If my typo offended you, I apologize.
  • I wish companies like Samsung would be clearer about how safe my fingerprint data is on their phones. I don't care about spoofing. I can't change my fingerprints like a pin or password if remotely stolen. I read that sometimes it's encrypted or not and the reader can be intercepted while scanning. Either way I'm not trusting any company that does clearly state how secure they are with the fingerprint data. Fingerocalypse is coming unless we prepare!!!! Edit: my issue is with remote fingerprint data theft. Posted via the Android Central App
  • I'm sure it's pretty safe. Just don't go committing crimes in South Korea as they now have your fingerprint.
  • Lol, I'm a law abiding boring dude but there is something creepy enough about others having my fingerprints that makes me slowly reach for my tin foil roll... Posted via the Android Central App
  • It's not having a physical copy of the fingerprint that is worrisome to me. One day, someone will find a way to easily crack the encryption method that stores the raw data gathered from a fingerprint, then spoof it. That compromises every device that uses that data, until a newer method is found to encrypt it. Using your fingerprint to authenticate yourself is no different than using the same password on everything — a practice that everyone says is bad. Having said that, I do agree that having a fingerprint sensor is a good thing because it gets people to lock their phones. That benefit outweighs all the drawbacks for now.
  • That's true. Either way, once your fingerprint is out there you can never use it to secure stuff again. That alone merits more scrutiny concerning how it's handled vs pins/passwords. Posted via the Android Central App
  • True dat!
  • Then we'll move on to a Gattaca-style login, when your phone will prick you and analyze a blood sample to get past the lock screen. ( :
  • So been reading the comments, but have to make a point. First thing in most modern fingerprint implementations (not sure if the old Samsung finger uses the same implementation), the raw data is stored directly on the CPU and it's a BEAST to get at. It is very similar to how TPM chips lock away passwords on PCs. For someone to want to get at information on YOUR phone, you would have to have some serious expertise and LOTS AND LOTS of money. Basically more than your data is worth probably. Second, (someone help me with this) I was under the impression that a fingerprint scanner actually needed a LIVING finger in order to work, so someone couldn't just 'cut off your finger' or else just take a printout of your finger in order to unlock the phone. I am sure I read that in several places.
  • 1 — Yes. Android uses the TEE (trusted encryption environment) on die inside the SoC to store encryption data. Agreed that right now, it's damn near impossible to crack open. 2 — Nope(?). There was a (now removed) post on a Google Group from a medical examiner assistant who set up both Apple Touch ID and the Galaxy S5 fingerprint scanners with a corpse, then was able to unlock them. Of course, that could have been a hoax — this is the internet. You can also copy fingerprints then print them (with multiple passes from an inkjet printer or a filament printer) onto thin latex. This was successful at fooling Apple's Touch ID, and I suspect it would also fool Android's implementation. I'm not suggesting that this is easy or practical, just possible. I'm more worried about someone getting access to the encrypted data than I am someone lifting my fingerprints from an old beer bottle.
  • There will always be people smart enough to figure out how to make things more secure. There will also always be people equally as smart who will figure out how to undo it. Fortunately, out of billions of people on the planet, the smart enoughs don't number that many. Posted with my LG G4 6.0 via the Android Central App
  • People....lock your devices Posted via the Android Central App
  • I would like to see a fingerprint unlock timeout setting. Say about every six hours. You may end up in a hospital due to illness or injury. Now that many banking apps are using the fingerprint scanner to log in.
  • My Note 5 does something similar to this, but I'm unsure of the specifics. Sometimes it requires me to enter my password, instead of my fingerprint, due to "security protocols."
  • My dad's phone is the first phone he has that includes a fingerprint scanner. He didn't lock his older phones because he uses it so often, to the point where a screen lock would drive him mad, even though I feel that it's needed as he stores a lot on his phone. Because his current one finally has a FPS, he can lock his phone rather securely while having a quick and easy method to unlock it. There might be some security concerns over the spoofing of biometric data, but ultimately, I would rather take fingerprint authentication over no authentication any day of the week.
  • Exactly. This was my point. You have to not only look at all attack vectors but the relative probability of success with each vector. Just because something is possible doesn't make it probable. Over Christmas I went through all of my mom's key accounts and reset the password to a very long random string. I then put the passwords in a spreadsheet and printed it out and taped it to her desk. Security purists would faint at this prospect. However, the probability and potential consequences of her being attacked over the Internet far exceeds the likelihood of a person entering her house and using those passwords. Previously, I tried to get her to use a password safe but she kept forgetting to use it and ended up resetting her passwords to her common passwords, usually some variant of her name.
  • I'm also annoyed by having to unlock my phone constantly when I want to use it.. Which is why I've always used the settings to lock X minutes after the screen turns off, rather than to immediately lock. Optionally with the power button instantly locking it, as a safety measure. Works well since I don't have a phone with a fingerprint scanner anymore (my old Fujitsu Android phone in 2012 had one /brag)
  • I'm not personally too worried about the implications of fingerprint scanners. I have nothing to hide, but I do like the convenience of it to lock my device so people can't pick it up and use it. As for tablets, a new Nexus 9 with fingerprint scanner would be my fave. Make it happen, Google!!! Posted from one of my various Nexus devices.
  • A fingerprint is no more secure than a pattern or code.. You don't NEED the fingerprint.. It's a false sense of security. Posted via Techmology
  • No
  • This doesn't necessarily solve the LEO issues, but for tablets I really like the W10 iris scanner. Very "Wrath of Khan"! and fast too Posted via the Android Central App
  • I'm not totally sold on the idea of fingerprint scanners, but at least it's making people use SOME security instead of none. Personally I use smart lock in conjunction with a pin. At least on my phone. I confess, I don't use anything on my tablet because it rarely leaves the house. I still probably should I suppose. I'm going to do that now, using my WiFi as a smart lock item. If someone breaks in to my house, they'll have to steal all my data before they leave. Posted via the Android Central App