Malware and Fingerprints, the best phone security solution?
Losing a smartphone can result in a catastrophic security breach considering these devices are potential treasure troves of confidential corporate and personal information waiting to be exploited by anyone who comes across them. Due to this, a mobile device security industry has sprung up over the last few years, offering everything from simple data encryption for mobile apps to complex mobile device management systems.
However, the most basic level of security is provided by the devices themselves. Devices lock themselves if they are idle for a few minutes. So if a thief, a hacker or even a foreign government agent wants to access the data on a phone, in most cases he must unlock it first. This raises a simple question: What’s the best unlock mechanism to choose? In this context “the best” means one that provides the most appropriate balance of security and convenience.
There are 3 basic solutions that can be used to secure your data or information, namely Perils of the PIN, Android’s Unlock Patterns, and Malware and Fingerprints. One can simply choose from these security solutions, and in some cases people use two or all of them at once.
Today Eyetro Digital looks at Malware and Fingerprints and how best they can be used as far as phone security is concerned.
The best way to avoid the shoulder surfing problem is to avoid using PINs, passwords and unlock patterns. This can be done easily on an iOS or Android device with a fingerprint reader, by using fingerprint recognition to unlock the device.
But there are problems with fingerprint readers that shouldn’t be overlooked. Security Research Laboratories has been at the forefront of showing how these can be spoofed – sometimes by lifting a latent fingerprint from the touchscreen and using that to make a false finger. For many people this is more of a theoretical than a practical concern, because few thieves or people finding your device will have the knowledge or desire to try fingerprint spoofing.
A more realistic concern is posed by malware. In August a team of researchers from security firm FireEye revealed at the Black Hat conference in Las Vegas how stored fingerprints can be remotely harvested from some Android devices such as the Samsung Galaxy S5 and HTC One Max.
Most Android device makers don’t make use of Android’s TrustZone to protect biometric data like fingerprints, and the HTC One Max actually stores fingerprints as unencrypted images that unprivileged processes or applications can read and download from the phone, the researchers found.
This means that an attacker could also conceivably upload an image of their own fingerprint using malware to gain access to a phone.
Fingerprint readers are a special hazard for people traveling internationally, warned Schlabs. Many countries, including the U.S., take high resolution fingerprint scans of foreigners as they cross the border. “They can take a picture that is at least as high resolution as the picture taken on an iPhone, for example, and from that they can make a spoof fingerprint,” he said.
He has this advice for travelers. “If you are an average citizen that never leaves the country and are not a target of foreign agencies, then for most people a fingerprint reader offers good security and convenience. But if you are someone who is crossing border controls then there is no good reason to use the fingerprint reader on your phone.”
Instead he recommends using a good old-fashioned lockscreen password or PIN – with the provisos that it is six or more characters, is not an obvious one and, if it is a PIN, doesn’t spell out a simple word on a phone keypad.
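The provisos above can be checked mechanically before a PIN is set. The following Python sketch is an added example, not code from the article or the researchers; the word list is a constructed sample, and the tests for an "obvious" PIN (few distinct digits, straight runs) are assumptions about what that word covers.

```python
# Added example: screen a candidate lockscreen PIN against the article's provisos.
KEYPAD = {"abc": "2", "def": "3", "ghi": "4", "jkl": "5",
          "mno": "6", "pqrs": "7", "tuv": "8", "wxyz": "9"}
LETTER_TO_DIGIT = {ch: d for letters, d in KEYPAD.items() for ch in letters}

# Constructed sample; a real check would load a full dictionary file.
SAMPLE_WORDS = ["secret", "monkey", "dragon", "letmein", "password"]


def word_to_digits(word):
    """Return the digits pressed to type `word` on a phone keypad."""
    return "".join(LETTER_TO_DIGIT[c] for c in word.lower())


def is_run(pin):
    """True for straight runs such as 123456, 654321 or 890123 (wraps at 0)."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {9})


def pin_problems(pin, words=SAMPLE_WORDS, min_len=6):
    """List the reasons `pin` fails the provisos; an empty list means it passes."""
    problems = []
    if len(pin) < min_len:
        problems.append("shorter than six characters")
    if not pin.isdigit():
        return problems  # keypad and digit-pattern checks apply to PINs only
    if len(set(pin)) <= 2:
        problems.append("uses only one or two distinct digits")
    if len(pin) > 1 and is_run(pin):
        problems.append("ascending or descending run")
    for word in words:
        # Flag a word whether it is the whole PIN or embedded in a longer one.
        if len(word) >= 4 and word.isalpha() and word_to_digits(word) in pin:
            problems.append(f"spells '{word}' on a phone keypad")
    return problems


if __name__ == "__main__":
    for candidate in ["1234", "111111", "732738", "908172"]:
        print(candidate, pin_problems(candidate) or "passes")
```

A PIN such as 732738 looks random on screen, which is why the keypad-word check needs a dictionary rather than pattern rules alone.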