Here is your fingerprint! actual risk versus user perception of latent fingerprints and smudges remaining on smartphones

A small touch sensor employed in smartphones can only capture a partial limited portion of the full .ngerprint, and so it is more vulnerable to fingerprint spoofing attacks that leverage a user's firm impression. However, it is still unknown whether daily smudges remaining on the smartphone surface can be exploited to circumvent the small touch sensor. In this paper, we first study how to exploit the .ngerprint smudges le. on the smartphone surface in daily use, and present the so-called .ngerprint SCRAP attack, which uses smudges remaining on the home bu.on and touch screen to reconstruct an image of the enrolled .ngerprint in good quality.We conduct an experimental study to show the actual risk regarding this attack. We collect 403 latent fingerprints from the smudges le. on the touch screens (361) and home bu.ons (42) by seven users in six conditions (tapping, passcode-Typing, text-Typing, facebook, in-pocket, wiping). Using them, we perform our attack and evaluate the results in comparison with the firmly impressed fingerprints. .e study results indicate that our attack is actual risk to the small touch sensors. We then investigate the user's touch behavior and perception gap. We conduct in-person surveys involving 82 participants, and ask about their touch behaviors and also their risk perception regarding the latent fingerprints. The survey results show that the fingers most frequently used on a touch screen and a home buffon are the same, and the user's risk perception is very low. We finally discuss mitigation methods and future directions.