Android - Where and how securely is fingerprint information stored in a device
I have been reading quite a bit about fingerprint sensors and their growing presence in smart phones. I understand that at the basic level, there is a digital image that gets registered and it serves as a template for authentication. I understand that fingerprint related processing takes place in a Trusted Execution Environment. However, I would like to know where the "template" gets saved and in what format?
Answer
Trusted Execution Environment (TEE)
Google has made a noteworthy step in the right direction by moving all print data manipulation to the Trusted Execution Environment (TEE) and providing strict guidelines for fingerprint data storage that manufacturers must follow.
All fingerprint data manipulation is performed within TEE
All fingerprint data must be secured within sensor hardware or trusted memory so that images of your fingerprint are inaccessible
Fingerprint data can be stored on the file system only in encrypted form,
regardless of whether the file system itself is encrypted or notRemoval of the user must result in removal of the user's existing fingerprint data
Root access must not compromise fingerprint data
Data Source infinum.co