It has been reported that Google is developing native support for a secure biometric authentication feature similar to Apple’s Face ID in the forthcoming Android Q smartphone operating system release. Writing on the XDA-Developers Portal site, Mishaal Rahman points to “dozens of strings and multiple methods, classes and fields related to facial recognition in the framework, SystemUI and Settings APKs” of a leaked Android Q build that is up-to-date as far as Google’s Android Open Source Project (AOSP) internal master version is concerned.
This AOSP Android Q build included lots of features that are sure to get Android fans fired up. A dark mode theme that’s system-wide and works with apps that don’t come with a dark mode built-in, a whole bunch of changes to the way Android Q handles app permissions especially those concerning location and a ‘force desktop mode’ developer option that hints at something similar to Samsung DeX according to the XDA-Developers Portal report.
However, it’s the discovery of code that relates to a new facial recognition authentication system which could bring Face ID-like security to handset unlocking, app logins and for payments that is the most interesting. This will be a major step forward for Android devices in my never humble opinion. Sure, some handset vendors already have their own versions of Face ID operating in Android smartphones already. The Mate 20 Pro from Huawei springs immediately to mind. The problem here is that Huawei has had to work hard on tweaking and customizing Android in order to bolt on the necessary operating system support for that facial recognition hardware.
While there is nothing to suggest that the Huawei implementation is in any way insecure, bolting-on and OS-tweaking are never going to be as inherently secure as native support within Android itself. As we have seen from numerous Internet of Things examples, the cost and complexity implications of security that isn’t baked in can often lead to less than secure results. Native support for facial recognition in Android-powered devices should reduce both the cost and the complexity that bespoke biometrics introduce, which has to be a good thing. Or is it?
“Facial recognition in Android? Wow so exciting, but not really so helpful for security in my opinion” Ian Trump, head of cybersecurity for AmTrust International told me. There are two main reasons for his caution regarding facial recognition on smartphones: firstly, Trump wonders how accurate it will be and also worries it has more the feel of a convenience mechanism rather than a security win about it. Not that it’s all bad of course, as Trump points out “I’m a passcode person; will always be a passcode person, but I get that a feature like facial recognition may be a way to encourage folks to secure their Android device.”
Which, in my never humble opinion, is a big deal. Getting the consumer on the street to use any kind of security on the smartphone is a win, truth be told. Experience suggests that there are more people without even a basic PIN than there are those implementing that, or some other, authentication option to unlock their devices. “Why not just make passcodes on android devices mandatory?” Trump asks. “It seems to me that development time and effort could be better spent implementing existing Android security features better, rather than busting out facial recognition just because the Apple folk have facial recognition” he concludes.