An Empirical Study on Fingerprint API Misuse with Lifecycle Analysis in Real-world Android Apps
Xin Zhang
Network and Distributed System Security (NDSS) Symposium 2025 · Day 3 · Android Security 2
This talk, presented by Xin Zhang from Fudan University, delves into the pervasive security vulnerabilities stemming from the misuse of **Fingerprint-Based Authentication (FBO)** APIs in real-world Android applications. As FBO becomes a ubiquitous security feature, integrated into sensitive scenarios like account logins, app unlocking, and payment authorizations, its secure implementation is paramount. The research highlights that despite its convenience, the underlying Android APIs are complex and frequently mishandled by developers, leading to significant security risks.
AI review
Solid empirical security research with a genuinely novel contribution: the lifecycle framing of FBO misuse that surfaces two new attack classes (unauthorized deactivation, mishandled enrollment updates) that prior work missed entirely. 184 CVEs across a 1,333-app corpus is not a theoretical exercise — that's real damage quantified at scale.