htc-one-max-silver

Is the HTC One Max’s Fingerprint Scanner As Secure as HTC Says It Is?

October 15, 2013 - Written By Lucian Armasu

Whether HTC wanted to do this first or Apple, it doesn’t really matter. What matters much more, though, is who’s doing it right, or at least secure enough, and from what HTC is saying about the HTC One Max‘s fingerprint security, it doesn’t seem nearly as secure as what Apple has:

PhoneArena: How do you store the fingerprint data? Is it stored in a secure “enclave” inside the chipset, similarly to how Apple stores fingerprint data with the iPhone 5s? Does HTC have access to the fingerprint data stored by users on their One max phones? Is it possible for HTC to share this data with third-parties?

 HTC: The fingerprint data is stored in local memory. It is encrypted and stored in the system partition, which can’t be readily accessed or copied. The fingerprint data is not an actual image but fingerprint characteristics that have been identified by a proprietary algorithm. No, HTC does not have access to the information and the fingerprint cannot be used by a third party.

I’m not much of a fan of these technologies, because even if they are ultra secure today, just look at the craziness of what happened to Lavavit, which the feds asked to implement a backdoor for them to be able to read all e-mails. So who’s to say Apple or others won’t compromise the security of their devices in the future, if the feds ask them or coerce them into doing it?

Chances are you won’t even know about it, until years later if it gets discovered (remember even Apple used the much hated Carrier IQ software for years, to collect data on its users, and they gave up on it like a month before the whole scandal happened), or until a new whistleblower comes forth and tells everyone about it. However, by then, they will already have fingerprints from hundreds of millions of people, and good luck trying to make them turn them over, while deleting all over their copies.

So then what do you do? If it’s a password that got stolen, at least you can change it. If your finger’s fingerprint gets stolen, you won’t be able to use that fingerprint for the rest of your life, if you want to be secure (you’ll have to use other fingers).

Now, leaving that whole NSA thing aside, and assuming it’s never going to happen (which is wishful thinking at this point), Apple’s Touch ID does have some pretty strong security by default, and here are the ways in which it’s more secure than the HTC One Max.

1) Secure Enclave

HTC says the fingerprint information is stored on the flash storage, on the /system partition. Is that “secure”? Sure. But only about as secure as every phone that has been rooted so far. For expert hackers, it’s not going to take long to break into this.

Apple uses ARM’s TrustZone (Apple calls it a secure enclave), which is a separate part of the chip designed specifically for this sort of stuff (including stuff like DRM or mobile payments encryption). It’s not infallible, but it should be about an order of magnitude harder to crack. HTC could’ve done the same, too, and the fact that they didn’t tells me they did a rushed job on this.

2) ARMv8 Hardware Encryption

Fingerprint technology that’s secure and convenient enough may not be that possible until everyone moves to 64-bit ARMv8 chips. The ARMv8 architecture provides much faster hardware-level encryption than ARMv7, and it’s probably one of the reasons why Apple decided to switch so fast to ARMv8. HTC once again shows that it cares more about “being first” (or one of the first in this case) to market with something, instead of waiting to do it properly.

3) Second Level of Security

If an iPhone is stolen and someone tries to break the fingerprint encryption, the phone will activate a second level of security (with a passcode) if it hasn’t been unlocked in 48 hours, or it has been rebooted. That should once again diminish the hackers’ ability to crack the phone’s security. So far HTC hasn’t mentioned anything about that, and I doubt they did it. Apple clearly thought well about every aspect of the security here, while HTC just did the “minimum necessary” to launch the product to market with “fingerprint technology”.

It’s not all bad, though. I was worried HTC would actually store the fingerprint data as is, instead of storing a mathematical representation of it (a hash), but at least it seems they’ve done that. They also say they have no access to it themselves, nor do other 3rd parties, which isn’t really saying much. It just says they don’t have a cloud connection to it, which is something I expected, but at least it checks that off the list, too.

Fingerprint technology worries me enough as it is, once hundreds of millions of people start using it, but not doing it properly, at the very least so it’s not easily hackable (but probably still vulnerable to government coercion) worries me a lot more, and I wish Android OEM’s would do this once they’re sure they’re doing it right, instead of rushing it to the market to win bragging points that they were “first”. Hopefully, the FIDO standard that will be available next year for Android devices will be secure enough.