Biometric authentication is a popular security feature used by many mobile applications allowing users to authenticate themselves with their fingerprints, faces, or other unique biological characteristics without the need to enter usernames and passwords manually.
This built-in smartphone security feature is a convenient way to improve the security of your user authentication to prevent unauthorized access while enhancing your user experience. But is it enough? What about other attack vectors that may use reverse engineering and app tampering? Does biometric security protect you against them?
Biometric authentication on mobile applications is a form of user verification that relies on biometric sensors, such as fingerprint scanners or facial recognition cameras, that are built into most modern mobile devices. Biometric authentication on mobile applications can be used for various purposes, such as:
That being said, biometric authentication on mobile apps does not replace the need for a username and password login method - at least for now. It is mostly used as a supplementary authentication method on top of the user's username and password. For instance, in most banking apps, users are required to first set up and log in with their username and password before being given the option to activate the passwordless login feature via the device's built-in sensors, scanners, or cameras.
Biometric authentication allows users to access an app easily and quickly, without having to remember or type in their username and password, by pressing the fingerprint scanner or looking into the camera on their mobile phone. Although it is by no means impenetrable, biometric authentication can be more secure than the traditional username-password method because, unlike passwords, biometric features cannot be forgotten and are not easily replicated, stolen, or shared. By combining more factors such as "something the user knows" (username and password), "something the user owns" (smartphone), and "something the user is" (biometry) in your authentication mechanism, you can significantly improve the security of user authentication in your mobile apps.
Despite the convenience it offers, the level of security this feature provides is highly dependent on the device where the app is installed - for instance, the device’s hardware and software capabilities. Different devices may have different types of biometric sensors - such as optical, capacitive, or ultrasonic fingerprint scanners, or infrared or RGB cameras for face recognition - impacting the accuracy and reliability of the authentication. Additionally, different devices may also have different levels of encryption and protection for the biometric data stored on the device. For example, some devices may use a dedicated secure element or a trusted execution environment to store and process the biometric data, while others may use a less secure keychain or shared preferences.
As explained above, biometric authentication verifies an end user in order to grant account access, unlock restricted capabilities, or validate a transaction. It does not prevent an attacker from downloading the app and scanning the code for vulnerabilities in order to reverse engineer, tamper with, or modify the app. It does not encrypt, obfuscate, or harden your app code and data. Once granted access, a user can inspect your app code and look for vulnerabilities, or even for ways to bypass the biometric authentication itself.
Attackers can use tools such as Frida or Xposed to hook into the app’s processes and manipulate its behavior or functionality to extract or modify the app code and assets without triggering any biometric verification. This can consequently compromise your app’s integrity, performance, quality, and reputation. It can also expose your app’s secrets, such as encryption keys, API keys, credentials, algorithms, and other IP. This can lead to data breaches, IP theft, damage to brand reputation, and legal liabilities (e.g., due to fraud) that will ultimately result in loss of revenue.
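As an added example (not code from this post or from Guardsquare), the Android pattern that makes the hook-the-success-callback bypass described above fail: the biometric prompt is bound to a hardware-backed Keystore key that only unlocks after a genuine authentication, so a faked callback yields no usable key rather than a "logged in" flag. The key alias, prompt strings, and what is done with the login token are assumptions.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

// Hypothetical alias; the key lives in the hardware-backed Android Keystore (TEE/secure element).
private const val KEY_ALIAS = "example_login_key"

// Run once when the user enables passwordless login: generate an AES key that
// the Keystore will only operate with after a fresh biometric authentication.
fun createAuthBoundKey() {
    val spec = KeyGenParameterSpec.Builder(
        KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setUserAuthenticationRequired(true)        // unusable without authentication
        .setInvalidatedByBiometricEnrollment(true)  // enrolling a new biometric kills the key
        .build()
    KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        .apply { init(spec) }.generateKey()
}

// A cipher bound to that key. The Keystore will not complete doFinal() on this
// instance until BiometricPrompt has authorised it through a CryptoObject.
fun authBoundCipher(): Cipher {
    val key = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
        .getKey(KEY_ALIAS, null) as SecretKey
    return Cipher.getInstance("AES/GCM/NoPadding").apply { init(Cipher.ENCRYPT_MODE, key) }
}

// Hardened flow: success is proven by the key actually unlocking, not by a
// boolean flipped in the callback (which a hooking tool can invoke directly).
fun loginWithBiometrics(activity: FragmentActivity, loginToken: ByteArray,
                        onDone: (ciphertext: ByteArray) -> Unit) {
    val callback = object : BiometricPrompt.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
            // Only the cipher handed back by the system is unlocked; on a faked
            // callback it is null or doFinal() fails, so no token is ever produced.
            val cipher = result.cryptoObject?.cipher ?: return
            onDone(cipher.doFinal(loginToken))
        }
    }
    val prompt = BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
    val info = BiometricPrompt.PromptInfo.Builder()
        .setTitle("Confirm login").setNegativeButtonText("Cancel")
        .setAllowedAuthenticators(BIOMETRIC_STRONG).build()
    prompt.authenticate(info, BiometricPrompt.CryptoObject(authBoundCipher()))
}
```

The ciphertext (or a signature made the same way with an auth-bound asymmetric key) is what the server should verify, so that bypassing the client-side check alone never yields a valid login.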
DexGuard and iXGuard protect Android and iOS mobile app code, respectively, from static and dynamic attacks such as debugging, hooking, memory dumping, or code injection. Guardsquare's solutions automatically apply multiple layers of advanced code hardening techniques, such as encryption and data and control-flow obfuscation, to prevent reverse engineering of your apps. A number of runtime application self-protection (RASP) checks are also added to detect attackers who try to compromise your app at runtime. The polymorphic protection approach resets the clock for threat actors, rendering their previous knowledge about your app useless. The code protection is integrated into the app's code, making the protected code device-independent, meaning it works on any device that runs the code.
Once your mobile apps are fully protected, ThreatCast can provide real-time security insights into the different types of threats your apps are facing. For example, ThreatCast can detect whether the app is running on a jailbroken/rooted device, emulator, or virtual environment, being used with debugging and hooking tools attached, being repackaged, having access privileges elevated, and much more. These insights are extremely useful in helping you determine where and how your app is being attacked, and how to strengthen your code protection in your subsequent releases.
Biometric authentication contributes to the “security by design” paradigm by strengthening the security of user authentication in your apps. However, it does not protect your mobile app code, leaving the mobile apps vulnerable to static and dynamic attacks. So, in addition to leveraging biometric authentication, mobile app developers should carefully consider implementing security measures to protect the app code from unauthorized modification using solutions such as DexGuard and iXGuard. Real-time threat monitoring solutions like ThreatCast will help you stay ahead of the attackers by allowing you to promptly react to the security threats your apps are facing.