- A Xiaomi user has demonstrated how to access the video feed from their phone’s in-display fingerprint sensor.
- The info was garnered by installing an app that gives users access to hidden activities within the device.
- While the image quality is low, this does raise a number of security questions.
Have you ever wondered what your optical in-display fingerprint sensor can see? Well, a Xiaomi user has done just that, unearthing a few security questions in the process.
As demonstrated on Reddit, the Xiaomi Mi 9T user can access the imaging feed from the Goodix-made optical in-display fingerprint sensor on their device after installing the Activity Launcher app. The app, which gives users access to hidden activities within the device, also allows access to calibration menus, factory tests, and other demos.
As expected, the image quality from the Xiaomi Mi 9T’s sensor is pretty horrid. The video feed is jittery, while the image itself is decidedly low-resolution compared to what you’d get from a selfie camera. Fingerprint sensors aren’t designed to focus beyond the glass on which your fingertip rests, so it doesn’t necessarily mean malicious actors can spy on users through this sensor.
What is worrying though is that end-users can access this information through an app, potentially leaving the door open for malicious actors. XDA-Developers editor-in-chief Mishaal Rahman points this out in a Twitter thread of his own. “OEMs really shouldn’t be leaving these debug apps in production builds…” he writes.
A Redditor found a hidden activity on a Xiaomi phone that lets you see the raw feed from Goodix’s optical under-display fingerprint scanner. https://t.co/RKpjDTdgzG
OEMs really shouldn’t be leaving these debug apps in production builds… pic.twitter.com/fnEpvPZtol
— Mishaal Rahman (@MishaalRahman) August 10, 2020
The Reddit user does note that the app was a third-party download and did not come preinstalled on the device. Regardless, it’s possibly more worrying that a third-party app can gain access to these hidden activities so easily on the phone.
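For OEM build reviewers, a pre-release check for the situation described above, written as an added example and not taken from the Reddit post, Xiaomi, or Goodix: it lists activities in a decoded AndroidManifest.xml that another app can start without holding a signature-level permission. The package, activity, and permission names are constructed, and the manifest is assumed to be decoded to text form (for example by apktool).

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed sample manifest; every name here is hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sensortest">
  <permission android:name="com.example.sensortest.FACTORY"
      android:protectionLevel="signature"/>
  <application>
    <activity android:name=".RawFeedActivity" android:exported="true"/>
    <activity android:name=".CalibrationActivity">
      <intent-filter><action android:name="com.example.sensortest.CALIBRATE"/></intent-filter>
    </activity>
    <activity android:name=".FactoryTestActivity" android:exported="true"
        android:permission="com.example.sensortest.FACTORY"/>
    <activity android:name=".InternalActivity" android:exported="false"/>
  </application>
</manifest>"""

def is_exported(activity):
    """True if other apps can start this activity."""
    explicit = activity.get(A + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    # No attribute: an intent-filter made the activity exported by default
    # for apps targeting releases before Android 12.
    return activity.find("intent-filter") is not None

def audit_activities(manifest_xml):
    """Return (activity, permission) pairs reachable without a signature permission."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    # Only permissions declared in this manifest can be classified here;
    # platform or other-package permissions are reported for manual review.
    signature_perms = {
        p.get(A + "name") for p in root.iter("permission")
        if (p.get(A + "protectionLevel") or "normal").split("|")[0] == "signature"
    }
    app = root.find("application")
    app_perm = app.get(A + "permission") if app is not None else None
    findings = []
    for activity in root.iter("activity"):
        perm = activity.get(A + "permission") or app_perm
        if not is_exported(activity) or perm in signature_perms:
            continue
        name = activity.get(A + "name", "")
        findings.append((package + name if name.startswith(".") else name, perm or "none"))
    return findings
```

Activity aliases (`<activity-alias>`) are not covered by this check and need the same review.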
Developers require access to these debugging tools to address issues or streamline processes within their apps where authentication may be needed. However, biometric data is also required to be secured behind a phone’s Trusted Execution Environment, a secure area of the device’s processor. This is one of the criteria for devices to meet Android’s compliance standards.
Following the original user, others have tried to gain access to their devices’ fingerprint sensors too, but it seems a terrible idea for inexperienced users. One Poco F2 Pro owner’s in-display fingerprint sensor “stopped working” after accessing calibration menus.