Faulty Fingerprint Code Can Expose Millions of Android Users
Audit of 65,000 apps finds 97% mishandle fingerprint APIs, risking billions of downloads
At the 2025 Network and Distributed System Security Symposium in San Diego, a team from Fudan University unveiled the first sweeping audit of Android fingerprint security. Their custom scanner sifted through 65,086 popular apps on Google Play and Huawei AppGallery and found that only 1,333 even offered a fingerprint option. Yet almost every one of those apps - about 97 percent - handled the feature incorrectly in at least one way, turning a supposed security upgrade into a hidden weak spot.
Four missteps that open the door
The researchers traced fingerprint use from setup to shutdown and found that developers trip up in the same four places again and again. Many apps still cling to the old FingerprintManager API that Google replaced years ago, even though its successor, BiometricPrompt, is far harder to spoof.

Others skip the crucial encryption checks that prove a scan is genuine. Some allow users to switch off fingerprint access without re-authenticating, or fail to re-verify identity after new fingerprints are added to the device. In practice, these oversights mean an attacker who steals or briefly borrows a phone may be able to bypass the fingerprint lock protecting chats, accounts, or payment wallets without ever knowing a password.
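The four missteps correspond to a handful of concrete API choices on Android. The Kotlin sketch below is an example added here, not code from the Fudan study or from any of the audited apps, and shows the pattern that avoids all four: BiometricPrompt instead of FingerprintManager, an Android Keystore key that only works after a fresh scan and is tied to the prompt through a CryptoObject, automatic invalidation of that key when the enrolled fingerprint set changes, and a "disable" path that itself re-authenticates. The key alias, the function names and the callback shape are this example's own assumptions.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

// Hypothetical alias for the app's biometric-bound key (assumed for this example).
private const val KEY_ALIAS = "example_app_biometric_key"
private const val ANDROID_KEYSTORE = "AndroidKeyStore"

/** Generates an AES key that can only be used after a successful biometric check
 *  and is permanently invalidated when fingerprints are added or removed. */
fun generateBiometricKey() {
    val spec = KeyGenParameterSpec.Builder(
        KEY_ALIAS,
        KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        // Misstep 2: without this, the key is usable with no scan at all.
        .setUserAuthenticationRequired(true)
        // Misstep 4: a newly enrolled fingerprint must not unlock a key bound to the old set.
        .setInvalidatedByBiometricEnrollment(true)
        .build()
    KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEYSTORE).run {
        init(spec)
        generateKey()
    }
}

/** Returns a cipher initialised with the biometric-bound key, or null if the key
 *  no longer exists or was invalidated by an enrollment change. In the null case
 *  the caller must re-verify the user (e.g. by password) before regenerating the key. */
fun cipherForAuthentication(): Cipher? {
    val keyStore = KeyStore.getInstance(ANDROID_KEYSTORE).apply { load(null) }
    val key = keyStore.getKey(KEY_ALIAS, null) as? SecretKey ?: return null
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    return try {
        cipher.init(Cipher.ENCRYPT_MODE, key)
        cipher
    } catch (e: KeyPermanentlyInvalidatedException) {
        null
    }
}

/** Misstep 1: uses BiometricPrompt (not FingerprintManager) and passes the cipher as a
 *  CryptoObject, so success is proven by a cipher the hardware unlocked rather than by
 *  a bare boolean callback. [onVerified] receives that unlocked cipher. */
fun authenticate(
    activity: FragmentActivity,
    reason: String,
    onVerified: (Cipher) -> Unit,
    onFailure: () -> Unit
) {
    val cipher = cipherForAuthentication()
    if (cipher == null) { onFailure(); return }
    val promptInfo = BiometricPrompt.PromptInfo.Builder()
        .setTitle(reason)
        .setNegativeButtonText("Cancel")
        .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG)
        .build()
    val callback = object : BiometricPrompt.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
            val unlocked = result.cryptoObject?.cipher
            // A "success" that carries no crypto object is not proof the key was unlocked.
            if (unlocked == null) onFailure() else onVerified(unlocked)
        }
        override fun onAuthenticationError(errorCode: Int, errString: CharSequence) = onFailure()
    }
    BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
        .authenticate(promptInfo, BiometricPrompt.CryptoObject(cipher))
}

/** Misstep 3: switching the feature off is itself a privileged action, so it goes
 *  through the same biometric gate before the key is deleted. */
fun disableBiometricLogin(activity: FragmentActivity, onDone: (Boolean) -> Unit) {
    authenticate(
        activity, "Confirm to disable fingerprint login",
        onVerified = {
            KeyStore.getInstance(ANDROID_KEYSTORE).apply { load(null) }.deleteEntry(KEY_ALIAS)
            onDone(true)
        },
        onFailure = { onDone(false) }
    )
}
```

The design choice worth noting is that the app never trusts a "scan succeeded" callback on its own: the only evidence it accepts is a Cipher that the Keystore refused to initialise until the sensor confirmed the user. When cipherForAuthentication() returns null after an enrollment change, the app should fall back to its password check before calling generateBiometricKey() again; that password step is the re-verification the audit found most apps skipping.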
When popular apps slip, billions feel it
The bug-ridden apps aren’t obscure utilities with a few hundred downloads. They include household names that together account for roughly 217 billion installs. A subset of 251 titles suffers from all four implementation mistakes at once - evidence of an industry-wide biometric authentication gap. That smaller group alone has been downloaded more than 109 billion times. With numbers this large, even a rare exploit can affect millions of people.
Why developers keep getting it wrong
Part of the problem is old guidance that lingers on coding forums and how-to blogs. Engineers under deadline pressure often copy snippets that still call obsolete APIs, unaware there is a safer alternative. App-store review teams focus mainly on privacy disclosures and malware, so fingerprint misuse rarely blocks an update.
The result is a widespread Android security vulnerability hiding in plain sight. To spur change, the authors filed 184 vulnerability reports (CVE IDs). They saw several vendors start patching within weeks. But they warn that lasting progress will require automated “lint” checks in build pipelines and clearer instructions from Google.
What users can do in the meantime
While developers work on fixes, everyday users aren’t powerless. Enabling two-factor authentication inside sensitive apps, pairing fingerprint unlock with a strong PIN, and installing updates that mention “biometric” or “authentication” improvements all raise the bar for attackers.
If an app lets you turn off fingerprint protection without asking for a password or scan, consider that a red flag and keep the feature on. It also pays to review which apps actually need fingerprint access, and, where an app offers the setting, to require a fresh biometric check before approving in-app purchases or money transfers.
Finally, turn on “Find My Device” or similar remote-wipe tools. That way, if your phone ever goes missing, you can erase data before someone attempts a fingerprint hack that exploits these flaws.
A wakeup call for the industry
The study’s core message is simple: hardware sensors may read fingerprints accurately, but software determines whether that reading is trustworthy. Until more developers embrace modern APIs, tie encryption keys to successful scans, and re-check identity after any change, fingerprint convenience will continue to mask real risk. Achieving true peace of mind will require stronger, industry-wide commitments to biometric security. Users should still treat biometrics as one layer, not the only layer, of defense.
