Session 9A: Android Security 2
Authors, Creators & Presenters: Xin Zhang (Fudan University), Xiaohan Zhang (Fudan University), Zhichen Liu (Fudan University), Bo Zhao (Fudan University), Zhemin Yang (Fudan University), Min Yang (Fudan University)
PAPER
An Empirical Study on Fingerprint API Misuse with Lifecycle Analysis in Real-world Android Apps
Fingerprint-based authentication (FpAuth) is increasingly utilized by Android apps, particularly in highly sensitive scenarios such as account login and payment, as it can provide a convenient method for verifying user identity. However, the correct and secure use of Android fingerprint APIs (FpAPIs) in real-world mobile apps remains a challenge due to their complex and evolving nature. This paper presents the first systematic empirical analysis of FpAPI misuses in Android apps from the perspective of the FpAuth lifecycle. First, we develop specialized tools to identify and analyze apps employing FpAPIs, examining their characteristics. Then we define the threat models and categorize four prevalent types of FpAPI misuses through a detailed lifecycle analysis in practical settings. Finally, we develop tools to automatically detect these misuse types in 1,333 apps that use FpAuth and find alarming results: 97.15% of them are vulnerable to at least one type of misuse, with 18.83% susceptible to all identified misuse types. The consequences of such misuses are significant, including unauthorized data access, account compromise, and even financial loss, impacting a broad user base. We have responsibly reported these vulnerabilities, resulting in the issuance of 184 CVE IDs and 19 China National Vulnerability Database (CNVD) IDs, as well as acknowledgment from 15 vendors. We hope this work can raise awareness and emphasize the importance of proper usage of FpAPIs.
ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.
Our thanks to the Network and Distributed System Security (NDSS) Symposium for publishing their Creators, Authors and Presenter’s superb NDSS Symposium 2025 Conference content on the Organizations’ YouTube Channel.
Permalink
*** This is a Security Bloggers Network syndicated blog from Infosecurity.US authored by Marc Handelman. Read the original post at: https://www.youtube-nocookie.com/embed/8BIAK3uEr0g?si=PolsydgpfDN2_klz
