Here Is Your Fingerprint! Actual Risk versus User Perception of Latent Fingerprints and Smudges Remaining on Smartphones

A small touch sensor employed in smartphones can only capture a partial limited portion of the full fingerprint, and so it is more vulnerable to fingerprint spoofing attacks that leverage a user's firm impression. However, it is still unknown whether daily smudges remaining on the smartphone surface can be exploited to circumvent the small touch sensor. In this paper, we first study how to exploit the fingerprint smudges left on the smartphone surface in daily use, and present the so-called fingerprint SCRAP attack, which uses smudges remaining on the home button and touch screen to reconstruct an image of the enrolled fingerprint in good quality. We conduct an experimental study to show the actual risk regarding this attack. We collect 403 latent fingerprints from the smudges left on the touch screens (361) and home buttons (42) by seven users in six conditions (tapping, passcode-typing, text-typing, facebook, in-pocket, wiping). Using them, we perform our attack and evaluate the results in comparison with the firmly impressed fingerprints. The study results indicate that our attack is actual risk to the small touch sensors. We then investigate the user's touch behavior and perception gap. We conduct in-person surveys involving 82 participants, and ask about their touch behaviors and also their risk perception regarding the latent fingerprints. The survey results show that the fingers most frequently used on a touch screen and a home button are the same, and the user's risk perception is very low. We finally discuss mitigation methods and future directions.