Fooling Phone Fingerprint Sensors

Forbes describes an interesting 2016 case in which police were unable to lock the Samsung Galaxy S6 that belong to a murder victim.

When Dr. Anil Jain was approached by the Michigan State University Police Department to unlock a murder victim’s Samsung Galaxy S6 using a fingerprint clone, he didn’t think the solution would be so cheap. But he told FORBES that the equipment needed to produce the high-definition print cost under $500. What’s more, he said, the same technique, at the very least, can unlock the Samsung Galaxy S7 and the iPhone 6. And American cops are already hungry to use the hacking technique in other cases where they’re struggling to get evidence from smartphones.

. . .

All Lansing could provide, though, were the prints on file, which were missing parts of the fingers’ ridges and valleys. And the researchers had no idea which finger the man had used on his phone, meaning they’d have to create copies of all 10 digits.

It wasn’t much to go on. But Jain worked alongside Kai Cao, post-doctoral scholar, and Sunpreet Arora, PhD student, to try out numerous methods to unlock the Samsung phone. At first they put together some basic high-definition 2D prints. They failed. The academics, who’ve specialized in biometrics for more than 20 years, then moved to creating a full 3D print, using equipment worth tens of thousands of dollars.

. . .

When they called the police in for a third attempt at cracking the Samsung, the researchers tried three different 2D prints with varying levels of enhancement — going too low or too high wouldn’t match the biometric record on the Samsung device. The third time, they got lucky. In five minutes the device was open and the Lansing cops went away happy. The 3D prints didn’t work at all.

Android really needs to up its security game. It’s ridiculous that iOS is so much more secure in general, and that there’s such a variance in security on Android between manufacturers who add (or don’t) additional security enhancements.

Google Sucks…and It’s Going to Get Worse

One of the odd things about technology is that a good portion of users of a given company’s technology tend to become fanboys of that company. So when Apple bans a game that mocks its (and other tech companies) labor practices, you will find no shortage of defenders of that and even worse decisions or practices.

For some people, apparently, the technology they use and love becomes such a part of their identity that the thought that the company that makes the technology might do awful things is threatening and has to be countered at every opportunity.

A better way to think about our relationship to corporations who make the products we use everyday might go something like this: these companies suck. They don’t care about the same things their customers do (except, to the extent their customers are also worried about the company’s quarterly profits and stock price). Occasionally, the interests of customers and a corporation interests overlap, but when something changes the corporation will screw the customers over and not even bother to buy them dinner.

Take Google’s Android. Every phone I’ve ever owned has been an Android. When all is said in done, I prefer both the Android OS to Apple’s iOS, and I prefer Google’s business practices to Apple’s.

But I harbor no illusions that Google is anything but a ruthless profit maximizer whose “Don’t be evil” slogan is about as reliable as Tim Tebow’s deep pass threat.

AdBlock Plus

Google had no problem, for example, banishing AdBlock Plus from the Google Play store. Google’s justification for removing AdBlock Plus and other ad block apps was that they “interfere with or accesses another service or product in an unauthorized manner,” which is a violation of the Play Store’s Terms of Service.

What AdBlock Plus actually does is run in the background on Android as a proxy and removes ads. The nice thing is it removes ads both within web browsers as well as in-app ads.

So Google’s claim is that any software that lets a user install a proxy and to use that proxy to filter incoming data is a violation of the Google Play Store’s TOS. A clear-cut case where Google’s interests as an advertising sales company suddenly conflicts harshly with the interests of its customers.

The nice thing about Android is I can get AdBlock Plus up and running on my phone without needing to root/jailbreak it. Unlike Apple’s model for iOS, I can download AdBlock Plus directly and install it or turn to alternative app stores. Of course, it also knows that the average Android phone owner is probably not going to know how to do that or be willing to do that.

The Future

I suspect things like this are going to happen more frequently.

One of the things that Android fan boys have been celebrating is Android overtaking iOS in smart phone market share. This is a mistake–personally, I was hoping Android would continue to play second fiddle to iOS.

Many of the things that make Android great, including Google’s general handling of Android, are byproducts of Android needing to overcome the iOS juggernaut. Android is more open than iOS simply because Google had no other choice if it wanted to overcome Apple’s market lead.

As Google’s market lead becomes solidified and some of its decisions to open source Android start to bite back at Google, I suspect it will take Danny Sullivan’s advice and ultimately create a closed phone OS.

And then it will be time to look for other projects or companies where, for now, the interests of customers and the company coincide, such as the phone OSes being developed by Canonical and The Mozilla Foundation.