
Is it doable to collect user fingerprint with android?

Is it doable to collect user fingerprint with android? Our backend system has a fingerprint database. We'd like to match the fingerprints collected against the database to see if there is a match.

YongJiang Zhang asked Dec 21 '25 01:12


2 Answers

If by "collect user fingerprint" you mean getting an image of the fingerprint in some form, then no, you can't.

Android's fingerprint API essentially works like this:

  1. The user enrolls a fingerprint in the Android Settings app.

  2. Your app creates a cryptographic key that it associates with the user, and a CryptoObject based on that key, and starts a fingerprint authentication.

  3. If the fingerprint read by the sensor matches any of the enrolled fingerprints, the authentication is successful and the CryptoObject can be used to perform a cryptographic operation (such as encrypting/decrypting some data).

At no point is the actual fingerprint available to your app, to any other app, or even to the OS.

From Google's fingerprint implementation guidelines to manufacturers:

Raw fingerprint data or derivatives (e.g. templates) must never be accessible from outside the sensor driver or Trusted Execution Environment (TEE).

Michael answered Dec 23 '25 14:12


Actually, my question is about the possibility to collect multiple users' fingerprints. I have a database which stores all users' fingerprints. Now I would like to have an app. A user can use his fingerprint to log into my app. Is it possible?

Regarding using the built-in fingerprint scanner on an Android device, I don't think any kind of "collecting" of data connected with previously scanned fingerprints is possible. The environment which the Android system uses to store and match scanned fingerprints is pretty well sealed (it's called TEE - Trusted Execution Environment) and, according to an Android Central article (https://www.androidcentral.com/how-does-android-save-your-fingerprints), there are some basic rules that every company making Android phones with a fingerprint sensor has to follow, among them:

  • Fingerprint data of any kind must not be backed up to any other source, including the cloud or your computer or any application
  • Fingerprint authentication must be used by the process that requested it (no sharing of any fingerprint data, even just the yes or no answer to see if it was correct)

So, you can have an app which has the fingerprint authentication feature, but it will be just an "authenticated" or "not authenticated" response, based on the fingerprints already enrolled on this device in Settings, without the possibility to connect each user with each fingerprint.

Paulina answered Dec 23 '25 13:12