Testing biometric applications: confidentiality and security with Eran Kinsbruner


Eran Kinsbruner is a Senior Director at Perfecto, an enterprise software company, and a mobile web expert with over 20 years of experience in application development and testing.

Kinsbruner works with large companies like Verizon, Lloyds Bank and Singapore Airlines to test and ensure their compliance with user biometrics.

Biometric update recently spoke with him about user privacy laws, what developers need to know about biometric authentication testing, and how apps should store biometric data to stay secure.

Mandate of mobile applications

“Biometrics, mobile devices and sensitive user data are becoming a priority for everyone,” says Kinsbruner Biometric update.

“It was always a priority, but recently it has become even more important […] If you look at Google and Apple, the major mobile providers, they’re already working hard, around policy reports, policy statements.

Kinsbruner then mentions Google’s recent choice to start forcing Android mobile app developers to specify which permissions and third-party libraries their app should access.

“And not just what things are used by apps, but also why the app requires such sensitive access,” Kinsbruner explains.

The move represents proof that privacy policies and end-user privacy are becoming increasingly important, according to the engineer, also due to recent events of end-users being attacked by third parties.

“I think what happened in Afghanistan may have been an extreme here, but it’s not a specific end-user incident. It’s not like someone is using a mobile app through biometrics and the app isn’t secure enough and things are slipping into the wrong hands.

According to Kinsbruner, once apps grant the third party permission to access the data on the device, it opens the door to several harmful scenarios, potentially severely affecting user privacy.

“Now the door is open to whatever you have on your phone, your contacts, your photos, your location history, whatever you have in your life, somehow becomes available to the third party if it doesn’t. is not properly secured. “

Changing the perception of privacy in mobile biometrics

However, Kinsbruner also believes that the big names in tech are increasingly aware of these issues and have started working to resolve them.

“Developers are being urged by Google to start reporting all app information in the new Google Play Console as part of the new Security section of Google Play.”

Additionally, the release of custom chips by Google and Apple also hints at this change.

“Google [just] launched their new Pixel 6 series using the new Tensor chipset, which not only aims to be a faster, high-performance sensor, but they claim that it is also biometrically more secure and secure.

Likewise, according to Kinsbruner, Apple also decided to improve user control over privacy and security when it started producing its own chipsets last year.

“They took it from Intel, Google took it from Snapdragon and Qualcomm […] So, this is proof that things are changing.

Changing the balance of compliance

With these changes, Kinsbruner believes the pressure to create biometrically secure apps is now on developers.

In other words, it is their responsibility to ensure that applications comply with technical compliance documents which include all biometric and performance requirements of device manufacturers.

“These are things over which a developer has no control […] It is a given reality for the developers of mobile applications, which they must face. And they start to explore new options, to overcome some of these [privacy] challenges.

For example, Kinsbruner mentions the rise of progressive web apps that may have a single codebase to maintain and run on multiple platforms.

By leveraging this technology, developers can exercise more control over the different platforms on which they deploy the application with a single policy,

“So think about Flutter, […] a framework that you can use to develop a single app and deploy it to your desktop, browsers, iOS device, and Android device. And yes, you can access these apps through biometrics and other different authentication methods, but again, this comes from a single source code.

And because they are mostly based on web technology, these apps are also easier to use because in most cases they don’t go through app stores.

“So I’m not saying that the whole market is going to evolve into a single codebase, but we are seeing different plans and workarounds of organizations trying to gain more control, within a single codebase. , through progressive web apps and Flutter apps. “

Perfecto’s biometric tests

Regardless of the type of technology, however, Kinsbruner notes that developers must adhere to strict, industry-specific requirements when creating biometric applications.

“If the app is for the healthcare industry, it must be EPA compliant, if it is to serve financial customers, it must be PCI DSS compliant. It all sort of has to go through [specific] safety standards.

For this reason, the code should be confirmed to be very secure, either through the process of static code analysis and dynamic code analysis, or by running compliance scans.

To perform these scans, Perfecto has partnered with NowSecure, a provider of penetration testing and security testing for mobile applications.

“They actually take an application and destroy it, whether it’s built with third-party libraries, open source components. […] and ensure that it does not violate or expose any sensitive information.

Even if apps don’t go through the App Store or Google Play, they still need to be both secure and secure, Kinsbruner says.

Businesses have invested significantly more over the past few years in what is known as ‘passing to the left’ security testing and compliance. This is a development approach that includes security considerations earlier in the cycle.

Increase testing of biometric systems

According to Kinsbruner, the increased awareness of companies about this change has prompted many to invest more in testing biometric applications.

“They have kind of a database and do a lot of data-driven testing on the biometrics front as part of their authentication phases. And I think that […] 15% of test automation today goes through the login screen. “

Speaking of Perfecto’s experience in application testing, Kinsbruner says the company serves a number of large companies, across different verticals, including airlines, financial and insurance companies, and telecom operators. .

“These customers are developing a lot of automated tests with the framework I mentioned, but they are using a lot of data delivery scenarios among the biometric possibilities, just to make sure that they are really not missing anything from a security perspective. security.”

And these growing investments are not only in security testing, but also, therefore, in the further development of biometric technologies, including facial recognition and fingerprints, as well as two-factor authentication (2FA) systems.

” I do not think so [Perfecto] even has a single client that does not support 2FA. This is all part of the authentication test suite that is performed in each version of the technologies.

The evolution of mobile biometrics

Kinsbruner also believes that mobile biometric technologies are evolving rapidly.

“We are already transformed into a digital reality, especially after COVID, so everything is digital today, everything is accessible through your mobile browser or the operating system of your mobile device if it is a native application. . “

The tech expert specifically mentions foldable smartphones and the implications the new form factor will have on biometrics.

“[For instance,] you have two different screens with three apps running in the foreground, so think of three apps trying to authenticate at the same time, in parallel.

So, while investments in this sector are already present, Kinsbruner also believes that companies should further step up their efforts.

“[They] actually need to be even more advanced, as technology gets smarter with 5G and other connected IoT (Internet of Things) devices that communicate with your smartphones.

The future of biometric applications

On that note, Kinsbruner believes the future of biometrics lies in IoT devices, with an ensuing shift in how biometrics in mobile is viewed and developed.

“Especially with the new wave of digital technology, infotainment, and Apple and Android cars, you see that cars are actually increasing what you have on your mobile phone and cars are not authenticating your app. […] by fingerprint or your face.

Instead, users unlock the device through a mobile app, which then gives access to the car’s system.

“So I think the future of biometric authentication, the future of authentication, privacy and security will change.”

Kinsbruner believes that while fingerprints and facial recognition are going to remain important, they will become smarter to be able to support all other cell phone extensions.

“Whether it’s smart cities that work with your device through 5G, whether it’s your car, whether it’s your home, or your Alexa and all the devices that work with your device.”

This will become necessary, Kinsbruner explains, because from a security perspective, it wouldn’t make sense to have the biometrics of a single smartphone as a gateway to all other devices that users might need in the future.

“You will need a much larger control point or system for the other extended devices, which means biometrics and other things will likely need to be extended or extended to support other types of communication. . “

Articles topics

biometric data | biometrics | data collection | data protection | digital identity | Eran Kinsbruner | mobile application | multi-factor authentication | Perfecto | confidentiality | standards | trial


Leave A Reply