Fingerface Xposed Module enables the Pixel 4’s Face Unlock in any app
The Google Pixel 4 may not be the first Android smartphone with secure facial recognition hardware (it’s preceded by the OPPO Find X and Huawei Mate 20 Pro), but it is the first Android device with a face unlock implementation that’s recognized secure under Android’s BiometricPrompt API. That means the Pixel 4 is the first Android smartphone that lets you use your face to not only unlock the phone but also authenticate apps or payments. However, app developers have to update their apps to use BiometricPrompt, so it’s going to take some time for every banking and password manager app to support the new Face Unlock. Since the Pixel 4 doesn’t have a fingerprint scanner, apps that use the old API will simply fall back to asking you for manual password entry. Fortunately, there’s a way around that, provided you’re willing to root your Pixel 4 with Magisk and install the Xposed Framework.
XDA Junior Member SemonCat developed an Xposed Module called “Fingerface” that proxies the old fingerprint API to instead call the new BiometricPrompt API. That means that whenever an app using the old fingerprint API requests you to scan your fingerprint, the new BiometricPrompt dialog will appear to let you scan your face instead. It’s a simple, albeit crude, workaround, but it beats having to manually type your long passwords into all of your apps.
Here’s a quick screen recording from the developer that shows an app (in this case, Magisk Manager) asking for fingerprint authentication, but instead receiving facial authentication:
In my view, this is a great demonstration of the power of the Xposed Framework. Xposed lets Modules hook into the methods of other apps to execute their own methods before, during, or in place of the original methods. That’s exactly what this Module is doing; FingerFaces always returns “true” when PackageManager checks to see if the device supports fingerprint hardware, and it also hooks into the (now deprecated) FingerprintManager API used by apps to instead call BiometricPrompt in its authenticate method. It won’t be easy to translate this hack into a Magisk Module because it’ll involve per-device and per-build modules that replace the framework, but the developer says he’s working on it.
I should note that installing this mod on the Google Pixel 4 currently isn’t easy. First of all, there’s no TWRP support for the Pixel 4 just yet, so you’ll have to manually install Magisk. That means you have to download the factory image, extract the boot image, patch the boot image using the latest Magisk Manager, and then fastboot flash the patched boot image. To install Xposed, you’ll then have to install the Riru Core Magisk Module and then EdXposed, the unofficial successor to the Xposed Framework. Instructions on how to do that can be found here. Finally, you can then install the Fingerface module.
Some might scoff at this mod over security concerns, but the Module is open source and from a quick glance, it seems to only do what it’s supposed to do. Furthermore, the existence of this mod has no implication on the security of Android 10 or the Pixel 4 itself since it requires the user to manually gain root access after unlocking the bootloader. Lastly, this mod, like most other mods on our forum, is intended to be used by those who value convenience and more features despite the added risk of having an unlocked bootloader and root access.
If you’re interested in this mod, you can download it from the Google Play Store link embedded below. It costs $0.99 if you get it from the Play Store, but since the app is open source, you can also just compile it yourself. Visit the XDA forum thread if you have any questions or feedback about this app. For any app developers that read this, Google published a blog post on implementing the Biometric API through the AndroidX Biometric Library. Update your apps so users won’t have to use this dirty hack!
Update 1: TopJohnWu Fork
XDA Recognized Developer topjohnwu, the developer of Magisk himself, decided to fork this project to clean up the code.
OK, I think all features I wanted to do is done:
✓ Properly report biometric status
✓ 100% idiomatic Kotlin
✓ Add UI to configure whether BiometricPrompt require confirmation
✓ Clean up all unused code and resources
Download APK here: https://t.co/nGa5bXlOZy
— John Wu (@topjohnwu) November 1, 2019
Since the app was already open source and its code seemed innocuous, there wasn’t any harm in running it as is. However, if you want to try a version from a more reputable developer, then you can download it from topjohnwu’s GitHub.