Many consumers like the security of locking their smartphone with a fingerprint. That security approach works if the phone manufacturer adequately protects consumers' fingerprints. It seems that the phone manufacturer HTC is not doing enough to protect consumers' sensitive and very personal fingerprint information. The Register reported:
"Four FireEye researchers have found a way to steal fingerprints from Android phones packing biometric sensors such as the Samsung Galaxy S5 and the HTC One Max. The team found a forehead-slapping flaw in HTC One Max in which fingerprints are stored as an image file (dbgraw.bmp) in an open "world readable" folder... Yulong Zhang, Zhaofeng Chen, Hui Xue, Tao Wei say in the paper Fingerprints On Mobile Devices: Abusing and Leaking [PDF] presented at Black Hat in Las Vegas last week that most device manufacturers fail to use Android's Trust Zone protection to safeguard biometric data."
That means the fingerprint information wasn't encrypted, and any person or app that can access files on the phone can read (and steal) users' fingerprint information. This is a no-no in data security. This should not happen. This is data security 101.
"Internet hyperbole (and financial analysis) have rendered HTC, a once high-flying mobile brand, essentially valueless. In short, the company is trading below cash on hand which means if you bought all HTC stock the company would have to pay you, the buyer, to take it over. This means the company’s factories, stock, and brand are worth nothing, at least on Wall Street. Furthermore, the researchers have discovered that the HTC One Max X has been keeping fingerprint biometrics used to unlock the cellphones in an unencrypted “world-readable” file, a definite no-no in the world of security. Hackers could easily open the file /data/dbgraw.bmp on the phone’s memory and capture your fingerprint data. It’s bad. In short, HTC is hosed."
Lately, the news hasn't been good for smartphones that run Google's Android operating system. Last month, researchers found a security flaw that would let hackers access Android phones via a text message. With access, hackers can view, copy, and delete files, remotely take over the camera, and remotely take over the microphone.
The security flaw highlighted the fact that while Google had developed a patch to fix the flaw in the software, it was up to the phone manufacturers (e.g., HTC, Samsung, etc.) and wireless carriers (e.g., Verizon, T-Mobile, etc.) to distribute the software security update to users. And, some vendors provided updates far faster than others.
This is another reminder to consumers that when you buy a smartphone, you are doing business with several companies: the phone manufacturer, the developer of the operating system, the wireless carrier, and the developer of each mobile app. The security of your phone is only as strong as the weakest vendor.