Abstract
Mobile apps are embracing facial recognition technology to streamline the identity verification procedure for security-critical activities such as opening online bank accounts. To ensure the security of the system, liveness detection plays a vital role as an anti-spoofing component, verifying that the selfie provided is from a live individual. Emerging facial recognition companies offer convenient integration services through mobile libraries that are widely utilized by numerous apps in the market. By analyzing 18 mobile facial recognition libraries, we reveal the protocol design and implementation intricacies of various systems. The investigation leads to the discovery of several system security issues in over half of the libraries, predominantly linked to the liveness detection module. These vulnerabilities can be exploited for low-cost identity forgery attacks without relying on media synthesizing technologies like deepfake. We scan 18,096 apps from an app market and identify 802 apps incorporating recognized facial recognition libraries, with over 100 million total downloads. More than half of the libraries examined exhibit weak security, with about 40% of downstream mobile apps being affected. This study emphasizes the importance of system security in mobile facial recognition services, as the practical impact can be on par with or even surpass that of the extensively studied machine learning attacks.
Demo Video of Identity Spoofing Attack
Figures / Illustrations