Recently, a Redditor demonstrated how he turned his smartphone’s optical fingerprint sensor into a crude camera using a third-party application. The image quality was poor, since optical fingerprint sensors are not designed to focus beyond the glass on which the fingertip rests, but the finding still raised some major security concerns.
The user reached the sensor’s live image feed by installing an app called Activity Launcher, which exposes hidden activities on the device, such as calibration menus, factory tests, and other demos.
The discovery was highlighted on Twitter by XDA-Developers editor-in-chief Mishaal Rahman, who also pointed out that OEMs should be vigilant enough not to leave bugs like this in shipping software.
A Redditor found a hidden activity on a Xiaomi phone that lets you see the raw feed from Goodix's optical under-display fingerprint scanner. https://t.co/RKpjDTdgzG
OEMs really shouldn't be leaving these debug apps in production builds… pic.twitter.com/fnEpvPZtol
— Mishaal Rahman (@MishaalRahman) August 10, 2020
What is most worrying is that if an end-user can reach the live feed from the optical sensor merely by installing a third-party application, a malicious actor could potentially do significant damage through the same gateway. The Reddit user also noted that the application did not come preinstalled on the device. Nevertheless, a third-party application reaching hidden activities this easily points at concerning security flaws that need to be addressed.
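The mechanism behind this is ordinary Android component rules: a separate app such as Activity Launcher can only start an activity that the owning package exports without a permission guard, so a debug or calibration screen left exported in a production build is reachable by any installed app. The following script is an added example, not code from the page or from any vendor, that audits the decoded text form of an AndroidManifest.xml (as produced by a tool such as apktool) and reports activities another package could launch. The manifest, package name, action strings and permission name in it are constructed for illustration.

```python
"""Audit an AndroidManifest.xml for activities a third-party app could launch.

Android lets another package start an activity only if it is exported and not
guarded by a permission the caller lacks. Before API 31 an activity with an
intent-filter and no android:exported attribute is exported by default, which
is how a "hidden" test screen ends up reachable by component-launcher apps.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """Return the namespaced attribute key ElementTree uses for android:name."""
    return "{%s}%s" % (ANDROID_NS, name)


# Constructed sample manifest (hypothetical package; not a real vendor app).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fpcalib">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".SensorRawFeedActivity">
      <intent-filter>
        <action android:name="com.example.fpcalib.action.RAW_FEED"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
    <activity android:name=".FactoryTestActivity"
        android:exported="true"
        android:permission="com.example.fpcalib.permission.FACTORY_TEST"/>
    <activity android:name=".InternalSettingsActivity"/>
  </application>
</manifest>
"""


def audit_manifest(manifest_xml):
    """Return one finding per exported activity, with why it is exported
    and whether a permission guards it."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for act in root.iter("activity"):
        name = act.get(android_attr("name"))
        exported_attr = act.get(android_attr("exported"))
        has_filter = act.find("intent-filter") is not None
        if exported_attr is None:
            # Pre-API-31 default: exported iff the activity has an intent-filter.
            exported = has_filter
            reason = ("implicit: intent-filter without android:exported"
                      if has_filter else "not exported (default)")
        else:
            exported = exported_attr.strip().lower() == "true"
            reason = "android:exported=%s" % exported_attr
        if not exported:
            continue
        is_launcher = any(
            cat.get(android_attr("name")) == "android.intent.category.LAUNCHER"
            for cat in act.iter("category"))
        findings.append({
            "activity": name,
            "reason": reason,
            "guarded_by": act.get(android_attr("permission")),
            "launcher": is_launcher,
        })
    return findings


def unguarded_non_launcher(findings):
    """Names of exported activities with no permission guard, excluding the
    app's own launcher entry point (which is expected to be exported)."""
    return [f["activity"] for f in findings
            if f["guarded_by"] is None and not f["launcher"]]


if __name__ == "__main__":
    results = audit_manifest(SAMPLE_MANIFEST)
    for f in results:
        guard = f["guarded_by"] or "NONE"
        print("%-28s exported (%s), permission: %s"
              % (f["activity"], f["reason"], guard))
    print("Reachable by any app:", unguarded_non_launcher(results))
```

On the constructed manifest the script reports the launcher activity (expected), the calibration screen `.SensorRawFeedActivity` (exported implicitly through its intent-filter and unguarded, the pattern the tweet complains about), and `.FactoryTestActivity` (exported but guarded by a permission). Adding an explicit `android:exported="false"`, or a signature-level `android:permission`, to a debug activity before a production build is the fix the script is looking for.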
Moreover, it’s best not to try to gain access to your smartphone’s hidden activities if you are an inexperienced user. After the post went up on Reddit, a couple of users tried to activate hidden activities and ended up damaging their smartphones. One Poco F2 Pro user’s in-display fingerprint sensor “stopped working” after they accessed the calibration menus.