What are the privacy implications of using a fingerprint to unlock your phone when using a FOSS Android ROM?

Should it be avoided? Is it worth it?


Discussion

I believe it's a question like: how can a FOSS ROM like Graphene limit/block something bad from Google's firmware? It would be ideal (and the biggest problem ATM) to have FOSS firmware in that regard.

I would like to believe that the firmware just hashes the biometric signals and forgets about them. But I found nowhere that verifies this.

A lot of faith in that process... I see degoogled as a temporary solution as it's still made by Google ("AOSP"). IMO the final solution is something like a PinePhone, with a RISC-V SoC and RISC-V modem, with FOSS firmware.

How can*

Great question

Best not to use iris, finger, or DNA unlocking methods.

As seen in movies, chopping a dead man/woman's finger is a far easier way to unlock a phone.

Inputting passcodes seems somehow worse. Not only can someone easily sneak a peek or record it, they can also analyze the dirt on the screen to figure out the areas that are pressed more.

Yes, and having to input a passcode every time encourages the use of weak ones instead of a good alphanumeric one.

That's why GrapheneOS allows you to scramble the PIN input panel.

Fingerprint is the worst password - it can be easily copied by anyone with some know-how of forensic science.

Iris scan is even worse - the user can be held at gunpoint to keep their eyes open.

Any biometric authentication is a hazard to a person's physical health - a dead man owns no fking bitcoin.

Hopefully before losing a finger one can hit the proper buttons so the passcode is required 😜

If it's a GrapheneOS installed using the official guide to a Pixel, I trust it with my fingerprint.

This article has some good info about how fingerprints are handled by an Android phone:

https://infinum.com/blog/android-fingerprint-security

Nothing is impossible, but having a back-door to steal your fingerprint would be a lot more difficult than following you and collecting your prints off something that you touched. Alternatively, your fingerprints can be extracted from a good-resolution photograph of your hands.

So... Fingerprints are not super secure, but your phone stealing them is not so likely.

You leave copies of your fingerprint everywhere, and you can't change it - IMO, if fingerprint was a password, it would be the worst password ever, worse even than 123456. Really the computer equivalent of hitting Enter at the password prompt.

But fingerprints are user IDs, not passwords - so the security-conscious approach would be fingerprint+password; and if screen dirt residue is a concern, use a scrambled keypad. Or just wipe the screen on your shirt :)

exactly 👍🧡

Really depends on your security needs. Would give access to your data to everyone with physical access to your phone and your hand. If such a situation seems unlikely in your life, it probably is fine to use them.

If you're in or from the USA, biometrics don't require a warrant from a judge. If you're entering the USA via any border, the USA border agents can demand you unlock your device; if you don't comply they can refuse you entry (if non-American citizen, non-green-card, or non-visa holder) or put you in a holding cell till you comply (if citizen, green card holder, or visa holder).