3.3 Encryption Application

3.3.1 Fingerprint Unlock

Fingerprint Unlock is based on biometric identification technology, after the user turns on this function, they only need to place their fingers on the fingerprint sensor to quickly unlock their device without requiring the user to enter a long and complex numeric or graphical password each time. Moreover, to protect the security and privacy of users, the Fingerprint Unlock service is restricted in the following scenarios:

1. When the user’s device has just been turned on.

2. If the device has not been unlocked using a password for more than 72 hours.

3. If the fingerprint unlock function fails to unlock the user’s device five times in a row.

Xiaomi's fingerprint unlocks security framework extends Android's native fingerprint security architecture and uses it as a basis for expansion：

Storage Security: The fingerprint template is encrypted by the AES-256 encryption algorithm and then stored in a Secure File System (SFS) in the TEE environment. Encryption is achieved by invoking KeyStore. The fingerprint template is signed with the device's dedicated private key which makes the template unusable on other devices and unavailable to any other user registered on the same device. Encrypted fingerprint templates can only be accessed by the Fingerprint TA. Even if the smartphone is rooted, the attacker cannot read the fingerprint templates through the kernel or platform, thereby securing the user's fingerprint templates stored on the device.

Authentication Process Security: The entire fingerprint authentication process is performed in the TEE environment. During this process, applications that support fingerprint authentication can only initiate fingerprint authentication requests and receive authentication results through the Fingerprint TA in the TEE environment. These applications cannot directly access the fingerprint templates, realising the security of the fingerprint authentication process.

3.3.2 Screen Lock Password Protection

MIUI screen lock passwords support draw patterns, numeric passwords, and hybrid passwords, each of which has a minimum password length requirement to ensure a more secure password.

• Draw pattern password: at least 4 dots need to be connected.

• Numeric password: these passwords support lengths of between 4-16 digits.

• Hybrid password: these passwords support any combination of uppercase and lowercase letters, numbers, and symbols with lengths of between 4-16 characters.

MIUI screen lock passwords are protected by the hardware unique key (HUK) and encrypted in the TEE. When a user creates or modifies a lock screen password, or unlocks the screen using a screen lock password for verification, the screen lock password is processed in the TEE.

The MIUI limits the number of times an incorrect password can be entered. After attempting to use an incorrect password multiple times in a row, the phone will be locked to prevent the brute-forcing of the screen lock password.