July 18, 2023

    Biometric Authentication is Not Mobile App Security

    Biometric authentication is a popular security feature used by many mobile applications allowing users to authenticate themselves with their fingerprints, faces, or other unique biological characteristics without the need to enter usernames and passwords manually.

    This built-in smartphone security feature is a convenient way to improve the security of your user authentication to prevent unauthorized access while enhancing your user experience. But is it enough? What about other attack vectors that may use reverse engineering and app tampering? Does biometric security protect you against them?

    In this blog post, we discuss how complementing biometric authentication with code protection solutions like DexGuard and iXGuard can ensure the highest security for your mobile apps.

    What is biometric authentication on mobile apps?

    Biometric authentication on mobile applications is a form of user verification that relies on biometric sensors, such as fingerprint scanners or facial recognition cameras, that are built into most modern mobile devices. Biometric authentication on mobile applications can be used for various purposes, such as:

    • Access control: restricting access to certain features or functions of the app based on the user's identity;
    • ATM user authentication: verifying the user's identity before allowing them to withdraw cash or perform other transactions;
    • Biometric payments: enabling users to pay for goods or services with their biometrics instead of a card or a PIN;
    • Customer onboarding: simplifying the process of registering new customers by using their biometrics as part of the eKYC (electronic know your customer) verification;
    • Fraud prevention: detecting and preventing unauthorized or fraudulent access or transactions by using biometrics as an additional factor of authentication;
    • Single sign-on (SSO): allowing users to seamlessly login to multiple apps or services using their biometrics instead of using different credentials.

    That being said, biometric authentication on mobile apps does not replace the need for username and password login method - at least for now. It is mostly used as a supplementary authentication method on top of a user's username and password. For instance, in most banking apps, users are required to first set up and log in with their username and password, before being given the option to activate the passwordless login feature via the device’s built-in sensors, scanners, or cameras.

    Why should you consider offering biometric authentication?

    Biometric authentication allows users to easily and quickly access an app without having to remember or type in their username and password, by pressing on the fingerprint scanner or looking into the cameras on their mobile phones. Although it is by no means impenetrable, biometric authentication can be more secure than the traditional username-password authentication method as, unlike passwords, biometric features cannot be forgotten and easily replicated, stolen or shared. By incorporating more factors such as “something that the user knows” (username and password), “something that the user owns” (smartphone), and “something that the user is” (biometry) into your authentication mechanism, you can exponentially improve the security of your user authentication on your mobile apps.

    Different devices provide different levels of biometric security

    Despite the convenience it offers, the level of security this feature provides is highly dependent on the device where the app is installed - for instance, the device’s hardware and software capabilities. Different devices may have different types of biometric sensors - such as optical, capacitive, or ultrasonic fingerprint scanners, or infrared or RGB cameras for face recognition - impacting the accuracy and reliability of the authentication. Additionally, different devices may also have different levels of encryption and protection for the biometric data stored on the device. For example, some devices may use a dedicated secure element or a trusted execution environment to store and process the biometric data, while others may use a less secure keychain or shared preferences.

    Biometric authentication cannot protect your mobile app code

    As explained above, biometric authentication verifies an end user for account access to access restricted capabilities or to validate a transaction. It does not prevent an attacker from downloading the app and scanning the code for vulnerabilities to reverse engineer and tamper or modify the app. It does not encrypt, obfuscate or harden your app code and data. Once granted access, the user can access your app code and look for vulnerabilities or even ways to bypass biometric authentication.

    Attackers can use tools such as Frida or Xposed to hook into the app’s processes and manipulate its behavior or functionality to extract or modify the app code and assets without triggering any biometric verification. This can consequently compromise your app’s integrity, performance, quality, and reputation. It can also expose your app’s secrets, such as encryption keys, API keys, credentials, algorithms, and other IP. This can lead to data breaches, IP theft, damage to brand reputation, and legal liabilities (e.g., due to fraud) that will ultimately result in loss of revenue.

    Guardsquare protects your mobile app code

    DexGuard and iXGuard protect the Android and iOS mobile app code, respectively, from static and dynamic attacks, such as debugging, hooking, memory dumping, or code injection. Guardsquare's solutions automatically apply multiple layers of advanced code hardening techniques, such as encryption, data and control flow obfuscation to prevent reverse engineering of your apps. A number of runtime application self protection (RASP) checks are also added to detect attackers who try to compromise your app at runtime. The polymorphic protection approach resets the clock for threat actors, rendering their previous knowledge about your app useless. The code protection is integrated into the app’s code, making the protected code device-independent meaning it will work on any device that runs the code.

    Once your mobile apps are fully protected, ThreatCast can provide real-time security insights into the different types of threats your apps are facing. For example, ThreatCast can detect whether the app is running on a jailbroken/rooted device, emulator, or virtual environment, being used with debugging and hooking tools attached, being repackaged, having access privileges elevated, and much more. These insights are extremely useful in helping you determine where and how your app is being attacked, and how to strengthen your code protection in your subsequent releases.

    Conclusion

    Biometric authentication contributes to the “security by design” paradigm by strengthening the security of user authentication in your apps. However, it does not protect your mobile app code, leaving the mobile apps vulnerable to static and dynamic attacks. So, in addition to leveraging biometric authentication, mobile app developers should carefully consider implementing security measures to protect the app code from unauthorized modification using solutions such as DexGuard and iXGuard. Real-time threat monitoring solutions like ThreatCast will help you stay ahead of the attackers by allowing you to promptly react to the security threats your apps are facing.

    Contact us and learn how Guardsquare can protect your mobile apps from reverse engineering and tampering. You can also scan your app for security vulnerabilities for free using AppSweep.

    Discover how Guardsquare provides industry-leading protection for mobile apps.

    Request Pricing

    Other posts you might be interested in