With the iPhone X launched this year, Apple tried to push biometric authentication forward by graduating from 2D face scans to 3D ones. It called the feature Face ID. Questions about the feature's reliability were raised from the moment it was unveiled and demonstrated. Researchers pointed out the ways Face ID could leave a user and their personal information vulnerable to hackers, and many experiments followed that proved these concerns valid.
Then, just last month, these concerns were heightened when a Reuters report revealed that according to the terms of a third-party app developer agreement with Apple, the data obtained by the TrueDepth camera “need not remain on a customer’s phone”. Instead, it can be transmitted to non-Apple servers — a revelation that has some privacy and security experts concerned.
Apple, by contrast, promised that all data gathered by Face ID remains on the phone, and that “[when] using Face ID, the [third-party] app is notified only as to whether the authentication was successful; it can’t access Face ID or the data associated with the enrolled face.”
Meanwhile, the issue has now cropped up again, after a researcher created an app that shows exactly how much facial data Apple is making available to developers. It turns out that it is enough to allow them to craft a model for a 3D print of your entire face. PhoneArena (via Washington Post) reports him as saying, “There’s a wireframe representation of your face and a live read-out of 52 unique micro-movements in your eyelids, mouth and other features. Apps can store that data on their own computers.”
Apple spokesperson Tom Neumayr also spoke on the issue, saying, “We take privacy and security very seriously. This commitment is reflected in the strong protections we have built around Face ID data—protecting it with the Secure Enclave in iPhone X – as well as many other technical safeguards we have built into iOS. [Apple requires] that developers ask a user’s permission before accessing the camera, and that apps must explain how and where this data will be used.”
Meanwhile, Apple maintains that its enforcement tools – which include pre-publication reviews, audits of apps and the threat of kicking developers off its lucrative App Store – are effective. As per the documentation about the face unlock system that Apple released to security researchers, the data available to developers cannot unlock a phone; that process relies on a mathematical representation of the face rather than a visual map of it.