How does Android save your fingerprints?

How does Android save your fingerprints?

And how secure is it?

The release of an iPhone without a fingerprint sensor has brought along some talk about using fingerprints for authentication and how securely the data is stored. That's awesome. Even if you're not concerned about how it's done, you need a lot of other people to be concerned so that it's done in a way you don't have to worry about!

For starters, Apple uses a similar solution and if you have an older model with a fingerprint sensor you're just as safe using it as you were before. The same goes for older Samsung phones that launched pre-Marshmallow and used Samsung's own methods.

The way Google stores your fingerprint data is the most secure way possible with current tech. It's also fascinating how simple the overview of the whole thing is once you have a look at it. Simple and secure is always a winning combo.

Storage is, by its nature, not very secure. It's the same thing as writing something on a post-it note and putting it in a file cabinet. It's there because it needs to be there, and the best thing you can do is control who has access to it. For a file cabinet, you use a lock, and for your phone, you use encryption. For your fingerprint data, things go one step further: a Trusted Execution Environment (TEE).

A TEE is a separate and isolated area in the phone's hardware. A TEE might use its own processor and memory or it can use a virtualized instance on the main CPU. In both cases, the TEE is fully isolated and insulated using hardware-backed memory and input/output protection. The only way you will be getting in is if the TEE lets you in, and it never will. Even if the phone is rooted or the bootloader unlocked, the TEE is separate and still intact.

A separate processor with its own memory and operating system are used to analyze and store your fingerprint data.

Google uses what they call Trusty TEE to support this. A very small and efficient operating system, appropriately named Trusty OS, runs on the TEE hardware and kernel drivers allow it to communicate with the system. There are Android libraries (you guessed it: the Trusty API) for developers to use so they can ask what amounts to a yes or no question to the TEE. Not just fingerprint data is stored in the TEE. Things like DRM keys and manufacturer's bootloader encryption keys also live in the TEE and work the same way your fingerprint data does — answer whether data presented to it by an application matches the known good data it's storing.

Other manufacturers can use Trusty OS or then can use a different system. As long as all the criteria are met (listed below) and the TEE is isolated and insulated it will meet the security standards needed to use Pixel Imprint (formerly Nexus Imprint).