In-Display fingerprint scanners are becoming an increasingly popular authentication method in almost all modern smartphones. While this technique is considered unique and highly secure, but it does have one drawback as recently discovered by a Reddit user.
The Reddit user (u/ntelas46) has discovered a flaw in the hidden system settings of the Xiaomi Mi 9T that allows you to view what the micro-camera of the optical fingerprint scanner captures. Xiaomi uses in-display fingerprint scanners in many of its mid-range and high-end smartphones.
To support his claim, the user posted a video demonstrating this “feature” on the Reddit forum. As seen in the video, the Reddit user can be seen accessing the imaging feed from the Goodix-made optical in-display fingerprint scanner of his Xiaomi Mi 9T user after installing the Activity Launcher app, as per a report by Android Authority.
This app gives him access to hidden activities in his phone as well as access to calibration menus, factory tests, and other demos.
The image and video quality from the fingerprint scanner is edgy and of very low-resolution. Those interested in checking out how the optical fingerprint scanner works can try their luck by following what one Reddit user commented, “Download “activity launcher”, search for “fingerprint” and select what I selected on the video. Keep in mind you need an amoled phone with an in display fingerprint.”
Reacting to the post, Mishaal Rahman (@MishaalRahman), a Reddit User and also a member of XDA-Developers portal, said that the vulnerability is dangerous and needs to be blocked. He argues that this flaw lies in the firmware and not the security of the sensor.
A Redditor found a hidden activity on a Xiaomi phone that lets you see the raw feed from Goodix's optical under-display fingerprint scanner.https://t.co/RKpjDTdgzG
OEMs really shouldn't be leaving these debug apps in production builds… pic.twitter.com/fnEpvPZtol
— Mishaal Rahman (@MishaalRahman) August 10, 2020
While it is not possible for someone to spy through the in-display fingerprint scanner, what is concerning that end-users can access hidden activities by using a third-party app, potentially inviting malicious actors.
Xiaomi has not yet commented on the discovery of the flaw in its devices that has display fingerprint scanners nor has it provided any information whether it will patch it.