While the best Android smartphones supported fingerprint scanners long before the Apple iPhone did, Android devices are playing catch-up when it comes to secure biometric facial authentication hardware. The Apple iPhone X is the first smartphone from a major device maker to combine a Time of Flight (TOF) sensor, IR illuminator, dot projector, and other sensors for hardware facial recognition (Apple calls it ‘Face ID’). We’ve seen a few smartphones with Face ID-like implementations from Android device makers, like Huawei’s Mate 20 Pro and Xiaomi’s Mi 8 Explorer Edition, but these device makers have had to heavily customize Android to support this new hardware. However, it seems that Google is working on bringing native support for secure facial recognition hardware to Android Q.

We’ve spotted dozens of strings and multiple methods, classes, and fields related to facial recognition in the framework, SystemUI, and Settings APKs in the leaked AOSP build of Android Q that we obtained. None of the code that we found is present in AOSP master or the latest Android Pie public release. Furthermore, the “face unlock” feature that has existed on Android devices for many years now, “Trusted Face,” is part of Google Play Services and is old and insecure, so we’re confident that this is a new feature in Android Q.

Special thanks to PNF Software for providing us a license to use JEB Decompiler. JEB Decompiler is a professional-grade reverse engineering tool for Android applications.

Framework-res

From the face unlock-related strings we found in Android Q’s framework-res APK, the most important lines are about the error message that is shown when the device doesn’t have facial recognition hardware. This tells us that Android Q does expect the device to have hardware facial recognition sensors, unlike the face unlock features found on most modern smartphones from companies like Xiaomi, Huawei/Honor, and OnePlus.

Android Q Framework-res APK Code

Settings

Just like when you set up a new fingerprint, the new face authentication setup flow requires the user to set a password, PIN, or pattern as a backup. The user also has the option to require that the password, PIN, or pattern be used before the device’s data is decrypted on startup. The following string is the most important one we found because it explicitly states that your face can be used to not only unlock your phone but to also authorize purchases or sign in to apps.

        <string name="security_settings_face_enroll_introduction_message">Use your face to unlock your phone, authorize purchases, or sign in to apps.</string>
    

Face unlock can still be disabled by the device administrator, however.

Android Q Face ID Settings Code

Here's what it looks like

Here are screenshots showing off the set-up process for facial recognition in Android Pie. Unfortunately, we couldn't get it to actually work since the face unlock HAL is missing.

What does this mean for Android?

If you’re thinking these strings are proof that the Google Pixel 4 will have Face ID, then let me stop you right there. The only thing these strings prove is that AOSP is now supporting facial recognition hardware for face unlock, payments, and app authentication. We expect devices like the Huawei Mate 20 Pro and Xiaomi Mi 8 Explorer Edition running an Android Q GSI to have working facial recognition. Other devices that have the necessary hardware sensors should be able to use them for facial recognition in Android Q, too.

I don’t blame you for speculating about Google’s future hardware plans, though. The fact that Google is supporting facial recognition hardware in Android Q naturally means they have a device they’re testing it on. It could be a Mate 20 Pro, Mi 8 EE, an unreleased smartphone like the Samsung Galaxy S10+, a custom development board, or a prototype Pixel 4. Without the commits, we don’t know what they’re testing this on. We'll likely find out more during Google I/O 2019, which is scheduled for May 7th, 2019.


This article was updated on February 8th, 2019, with screenshots of the set-up flow for secure facial recognition in Android Pie.