Testing biometric apps: privacy and security with Eran Kinsbruner
Eran Kinsbruner is a senior director at Perfecto, an enterprise software company, and a mobile web expert with over 20 years of experience in app development and testing.
Kinsbruner works with major companies like Verizon, Lloyds Bank, and Singapore Airlines to test their apps and ensure they handle users’ biometric data in compliance with applicable requirements.
Biometric Update has recently spoken with him about user privacy laws, what developers should know about testing biometric authentication, and how apps should store biometric data to remain secure.
Mandating mobile applications
“Biometrics, mobile devices, and user sensitive data are becoming top of mind for everyone,” Kinsbruner tells Biometric Update.
“It was always top of mind but recently it has become even more significant […] If you look at Google and Apple, the main mobile providers, they’re already working hard, around policy reports, policy statements.”
Kinsbruner then mentions Google’s recent decision to require Android application developers to specify which permissions their app requests and which third-party libraries it uses.
“And not just which things are being used by the applications, but also why the application requires such sensitive access,” Kinsbruner explains.
The move is proof that privacy policies and end users’ privacy are becoming increasingly important, the engineer says, also in light of recent incidents in which end users were attacked by third parties.
“I think that what happened in Afghanistan is maybe an extreme here, but it’s not a specific end-user incident. It’s not like someone has been using a mobile application through biometrics and the application wasn’t secure enough and things slipped into the wrong hands.”
According to Kinsbruner, once an application grants a third party permission to access data on the device, the door is open to several nefarious scenarios that can gravely affect users’ privacy.
“Now the gate is open to everything that you have on your phone, your contacts, your photos, your location history, everything that you have in your life, kind of becomes available to the third party if it’s not properly secured.”
Changing privacy perception in mobile biometrics
However, Kinsbruner also believes that big names in tech are becoming more aware of these issues, and have started working to solve them.
“Developers are being asked by Google to start declaring all of the information within the application into the new Google Play console as part of the new Google Play Safety section.”
In addition, the release of custom chips by Google and Apple also hints at this change.
“Google [just] launched their new Pixel 6 series using the new Tensor chipset, which aims to be not just a faster and higher-performing sensor, but they claim it to be also more safe and secure from a biometric standpoint.”
Similarly, Kinsbruner says, Apple also moved to improve users’ control over privacy and security when it started producing its own chipsets last year.
“They took it away from Intel, Google took it from Snapdragon and Qualcomm […] So, this is proof that things are changing.”
Shifting the balance of compliance
Thanks to these changes, Kinsbruner believes the pressure to create biometrically secure apps now falls on developers.
In other words, it is up to them to make sure the apps are in line with technical compliance documents that include all the biometrics and performance requirements from the device manufacturers.
“These are the things that a developer has no control of […] This is the given reality for mobile application developers, with which they need to cope. And they are starting to explore new options, to overcome some of these [privacy] challenges.”
For instance, Kinsbruner mentions the rise of progressive web applications that can have a single codebase to maintain and run across multiple platforms.
By using this technology, developers can exercise more control, through a single policy, over the different platforms they deploy the application to.
“So think about Flutter, […] a framework that you can use to develop a single application and deploy it on your desktop, browsers, on your iOS device, and on your Android device. And yes, you can access these applications through biometrics and other different authentication methods, but again it comes from a single source code.”
And because they are mostly based on web technology, these apps are also easier to work with, since in most cases they don’t go through the app stores.
“So I’m not saying that the entire market is going to move towards a single code base, but we see different plans and different workarounds of organizations trying to gain more control, within a single codebase, through Progressive Web Applications and Flutter applications.”
Perfecto’s biometrics testing
Regardless of the type of technology, however, Kinsbruner notes that developers must adhere to the strict, industry-specific requirements when creating biometric apps.
“If the application is for the healthcare industry, it needs to have EPA compliance, if it needs to serve a financial customer base, it needs to have PCI DSS compliance. Everything needs to kind of go through [specific] security standards.”
Because of this, code needs to be verified as secure, either through static and dynamic code analysis or by running compliance scans.
To perform these scans, Perfecto has partnered with NowSecure, a vendor of penetration testing and security testing for mobile applications.
“They are actually taking an application and tearing it apart, whether it’s built with third party libraries, open-source components […] and making sure that it doesn’t violate or expose any sensitive information.”
Even if apps do not go through the App Store or Google Play, they still need to be both secure and safe, Kinsbruner says.
Companies have been investing much more over the past few years in what is called ‘shift left’ security testing and compliance, a development approach that brings security considerations in earlier in the cycle.
Increasing biometrics systems testing
According to Kinsbruner, companies’ increased awareness of this shift has led many of them to invest more in the testing of biometrics apps.
“They have a kind of a database and do a lot of data-driven testing on the biometrics front as part of their authentication phases. And I think that […] 15 percent of the test automation today goes through the login screen.”
Talking about Perfecto’s experience with app testing, Kinsbruner says the company serves a number of large enterprises, across different verticals, including airlines, financial and insurance companies, and telcos.
“These clients are developing a lot of automated testing with the framework that I mentioned, but they’re using a lot of data delivery scenarios across biometrics possibilities, just to make sure that they are not really missing anything from a security standpoint.”
And these growing investments go not only into security testing but, consequently, also into the further development of biometrics technologies, including face recognition and fingerprints, as well as two-factor authentication (2FA) systems.
“I don’t think [Perfecto] has even a single customer who doesn’t support 2FA. So it’s all part of the authentication test suite that is being executed across each build of the technologies.”
Evolving mobile biometrics
Kinsbruner also believes that biometrics technologies on mobile are fast changing.
“We’re already transformed into a digital reality, especially after COVID, so everything is digital today, everything can be accessed either through your mobile browser or your mobile device operating system if it’s a native app.”
The technology expert particularly mentions foldable smartphones, and the implications the new form factor will have on biometrics.
“[For instance,] you have two different screens with three applications running in the foreground, so think about three applications trying to authenticate at the same time, in parallel.”
So, while investments in this sector are already present, Kinsbruner also believes companies should step up their efforts even further.
“[They] need to actually be even more advanced, because technology is becoming smarter with 5G and other connected IoT (Internet of Things) devices that communicate with your smartphones.”
The future of biometric apps
On this note, Kinsbruner believes the future of biometrics resides in IoT devices, with an ensuing change in how biometrics in mobile are perceived and developed.
“Especially with the new wave of digital technologies, infotainment, and Apple and Android cars, you see that cars are actually augmenting what you have on your mobile phone and cars do not authenticate your application […] through the fingerprint or your face.”
Instead, users unlock the device via a mobile app, which then grants access to the car’s system.
“So I do think that the future of biometric authentication, the future of authentication, privacy, and security is going to change.”
Kinsbruner thinks that, while fingerprint and facial recognition are going to remain important, they will become smarter to be able to support all the other extensions of mobile phones.
“Whether it’s the smart cities that are working with your device through 5G, whether it’s your car, whether it’s your home or your Alexa and whatever devices that are working with your device.”
This will become necessary, Kinsbruner explains, because from a security perspective it would not be wise to have a single smartphone’s biometrics serve as the gateway to all the other devices that users might need in the future.
“You’ll need a much wider control point or system to the other extended devices, which means biometrics and stuff will probably need to be expanded or extended to support the other types of communication.”