- A Xiaomi user has demonstrated how to access the video feed from their phone’s in-display fingerprint sensor.
- The info was garnered by installing an app that gives users access to hidden activities within the device.
- While the image quality is low, this does raise a number of security questions.
Have you ever wondered what your optical in-display fingerprint sensor can see? Well, a Xiaomi user has done just that, unearthing a few security questions in the process.
As demonstrated on Reddit, the Xiaomi Mi 9T user can access the imaging feed from the Goodix-made optical in-display fingerprint sensor on their device after installing the Activity Launcher app. The app, which gives users access to hidden activities within the device, also allows access to calibration menus, factory tests, and other demos.
As expected, the image quality from the Xiaomi Mi 9T’s sensor is pretty horrid. The video feed is jittery, while the image itself is decidedly low-resolution compared to what you’d get from a selfie camera. Fingerprint sensors aren’t designed to focus beyond the glass on which your fingertip rests, so it doesn’t necessarily mean malicious actors can spy on users through this sensor.
What is worrying though is that end-users can access this information through an app, potentially leaving the door open for malicious actors. XDA-Developers editor-in-chief Mishaal Rahman points this out in a Twitter thread of his own. “OEMs really shouldn’t be leaving these debug apps in production builds…” he writes.
A Redditor found a hidden activity on a Xiaomi phone that lets you see the raw feed from Goodix’s optical under-display fingerprint scanner. https://t.co/RKpjDTdgzG
OEMs really shouldn’t be leaving these debug apps in production builds… pic.twitter.com/fnEpvPZtol
— Mishaal Rahman (@MishaalRahman) August 10, 2020
The Reddit user does note that the app was a third-party download and did not come preinstalled on the device. Regardless, it’s possibly more worrying that a third-party app can gain access to these hidden activities so easily on the phone.
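On Android, another app can start a package's activity only if that activity is exported and not guarded by a permission the caller lacks. The following check is an added example, not code from the article or from any vendor, that a build team could run over a decoded `AndroidManifest.xml` to list such activities before release. It assumes the manifest has already been decoded to text XML (for instance with apktool), and the package and activity names in the sample are constructed.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed sample manifest; package and activity names are hypothetical.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sensortest">
  <application>
    <activity android:name=".CalibrationActivity" android:exported="true"/>
    <activity android:name=".RawFeedActivity">
      <intent-filter>
        <action android:name="com.example.sensortest.SHOW_FEED"/>
      </intent-filter>
    </activity>
    <activity android:name=".FactoryMenuActivity" android:exported="true"
              android:permission="com.example.sensortest.FACTORY"/>
    <activity android:name=".InternalActivity" android:exported="false"/>
  </application>
</manifest>
"""


def unprotected_exported_activities(manifest_xml):
    """Return names of activities another app can start without any permission."""
    root = ET.fromstring(manifest_xml.strip())
    app = root.find("application")
    app_permission = app.get(A + "permission")  # inherited by all components
    findings = []
    for act in app.iter("activity"):
        exported = act.get(A + "exported")
        if exported is None:
            # For apps targeting releases before Android 12, an intent-filter
            # makes the component exported by default.
            exported = "true" if act.find("intent-filter") is not None else "false"
        permission = act.get(A + "permission") or app_permission
        # Simplification: any permission counts as protection here; a real
        # review should also confirm it is a signature-level permission.
        if exported == "true" and not permission:
            findings.append(act.get(A + "name"))
    return findings


if __name__ == "__main__":
    for name in unprotected_exported_activities(SAMPLE_MANIFEST):
        print("exported without permission:", name)
```
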
Developers require access to these debugging tools to address issues or streamline processes within their apps where authentication may be needed. However, biometric data is also required to be secured behind a phone’s Trusted Execution Environment, a secure area of the device’s processor. This is one of the criteria for devices to meet Android’s compliance standards.
Following the original user, others have tried to gain access to their devices’ fingerprint sensors too, but it seems a terrible idea for inexperienced users. One Poco F2 Pro owner’s in-display fingerprint sensor “stopped working” after accessing calibration menus.