Mishaal Rahman: Why the Fairphone 3 Android 13 update downgraded fingerprint sensor functionality

Relevant to me as I own an FP3, but still running Android 10 for this very reason.

Software updates can sometimes take away functionality, which can be frustrating & discourage users from updating.

The Fairphone 3's Android 13 update, for example, took away the ability to use the fingerprint scanner for logging into many banking/password manager apps.

Why? Well, Fairphone had no choice. Google's compatibility requirements for Android 13 forced their hand.

Biometric authentication methods are classified into three tiers: Class 3, Class 2, or Class 1. While all 3 can be used to unlock the device, only Class 3 and Class 2 biometrics can integrate with BiometricPrompt (ie. authenticate within apps). That's why the Pixel 7's face unlock feature doesn't support verifying you within apps, as it's a Class 1 biometric. The Pixel 7's fingerprint scanner, however, is a Class 3 biometric, so it can.

Even though both Class 3 and Class 2 biometrics can be used for BiometricPrompt, though, apps ultimately decide whether they want to accept Class 2 or even Class 3 biometrics, using the setAllowedAuthenticators(...) method. Many apps with higher security requirements, like banking apps or password managers, accept Class 3 but not Class 2 biometrics. I think you see where I'm going with this.

With its Android 13 update, the Fairphone 3's fingerprint scanner was downgraded from Class 3 to Class 2. The reason is because Android 13 strengthened the requirements needed for a biometric to be classified as Class 3, and the Fairphone 3's fingerprint scanner could no longer meet this requirement. To be clear, the Fairphone 3 was released in late 2019, so it's using older fingerprint hardware than most other devices running Android 13.

Highlighted in green below is the new requirement that biometrics have to meet to be classified as Class 3. This comes from the Android Compatibility Definition Document (CDD) for Android 13, which enumerates the requirements that devices have to meet in order to be certified as compatible with Android (and is a stepping stone to getting a GMS [Google Mobile Services] license).

Since the Fairphone 3's Android 13 build includes GMS, it has to abide by the CDD, so they had no choice but to downgrade the sensor to Class 2. Fairphone's initial rollout of the Android 13 update didn't mention this change, but they've since amended their update notification and release notes to warn users about this regression.

The Fairphone 4 isn't affected by this as it uses newer, more secure fingerprint hardware. Plus, the Fairphone 3's fingerprint scanner can still be used in a variety of apps. A post on the Fairphone forums maintains a list of which apps are affected. I've also seen Fairphone employees reach out to devs of affected apps to get them to update their UX so the change is less confusing to users, to their credit.

Final note: custom ROMs for the Fairphone 3 are largely unaffected by this change. That's because they can simply revert the change that downgrades the biometrics security classification from Class 3 to Class 2. Custom ROMs can get away with this because they don't care about passing Android certification requirements. This is a common practice when doing a bring-up of newer Android versions on older devices with outdated fingerprint hardware.

Fairphone should have added a system level override that users could have opted in to and make the sensor lie about its class. Or even outright make it lie period. It wouldn't mean a downgrade in security as it just keeps the previous behaviour which apparently was accepted.