How Tencent’s SOTER Secures Fingerprint Payments on Android
This article examines the challenges of implementing fingerprint‑based payment on Android, explains why early Android versions lacked a unified API, describes how Google’s FingerprintManager and TEE improve security, and details Tencent’s open‑source SOTER framework—including its key hierarchy, authentication flow, and integration steps—for building robust, low‑overhead biometric payment solutions.
Background
Since the iPhone 5s introduced fingerprint authentication in 2013, “fingerprint payment” has become a common product requirement. Before Android 6.0, there was no standard fingerprint API, forcing developers to adapt each vendor’s proprietary solution, which was costly and often impractical.
System Interface
Android 6.0 introduced FingerprintManager, providing a simple, unified interface for fingerprint authentication on any device running Android 6.0 or later.
FingerprintManager mFingerprintManager = (FingerprintManager) context.getSystemService(Context.FINGERPRINT_SERVICE);
mFingerprintManager.authenticate(null /* crypto object */, mCancellationSignal, 0 /* flags */, new FingerprintManager.AuthenticationCallback() { ... }, null /* handler */);
Design Limitations
The interface only reports success or failure to the app. On a rooted device that result can be forged, so a backend that trusts the client's "success" alone can be made to approve a payment from a compromised device.
SOTER Motivation
Google strengthened the model by tying the KeyStore to the fingerprint API, so that a private key held in the Trusted Execution Environment (TEE) can only be used after a successful fingerprint authentication. Two gaps remain: without a root of trust that the server can verify, the key could be swapped at generation time on a compromised device, and the authentication result does not identify which enrolled fingerprint was used.
SOTER Architecture
SOTER was created to provide a unified, secure, and easy‑to‑integrate biometric authentication platform. Its design principles include:
Never store sensitive data (private keys, raw fingerprints) on the backend.
Expose only public keys and device IDs to the server.
Low integration overhead: no heavyweight SDK required on the client or server.
Simple API that abstracts complex low‑level details.
The architecture relies on a three‑level key hierarchy:
Device root key generated on the production line and stored in the TEE.
Application key (ASK) generated per app lifecycle.
Business key (Auth Key) generated per business feature (e.g., fingerprint payment).
Device Root Key Generation
Manufacturers generate a unique RSA‑2048 key pair in the TEE during production. The private key remains in the device’s RPMB area, inaccessible to anyone, while the public key and device ID are uploaded to the manufacturer’s server, then forwarded to Tencent’s TAM service.
Application Key (ASK) Preparation
When the app launches, or at the latest before a business feature is used, the app obtains the device root key, generates an application key pair inside the TEE, signs the new public key with the device private key, and sends the signed data to the backend for verification.
InitializeParam param = new InitializeParam.InitializeParamBuilder()
        .setScenes(0)
        .build();
SoterWrapperApi.init(context, callback, param);
Business Key (Auth Key) Preparation
During business activation (e.g., enabling fingerprint payment), the app generates a business key in the TEE, signs the public key with the application private key, and transmits the signed data to the backend, which can verify it locally without contacting TAM.
Authentication Flow
Client requests a challenge from the backend.
The challenge is signed inside the TEE using the business private key together with the fingerprint index.
User authorizes via fingerprint; the TEE returns the signed challenge.
Backend verifies the signature with the corresponding public key; a successful verification confirms a legitimate request.
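The key hierarchy (device root key certifies the ASK, the ASK certifies the Auth Key) and the challenge flow above, written out as an added Go example of the backend's checks. This is not SOTER's own code or its signed-data format: it assumes RSA PKCS#1 v1.5 over SHA-256, a constructed message layout "challenge|fid=N" for the signed challenge, and hypothetical names (genKey, acceptKey, authMsg, Backend) chosen for this illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// genKey stands in for key generation inside the TEE (RSA-2048, as on the production line).
func genKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
// Signatures are RSA PKCS#1 v1.5 over SHA-256; on a real device the private keys never leave the TEE.
func digest(msg []byte) []byte { h := sha256.Sum256(msg); return h[:] }
func sign(k *rsa.PrivateKey, msg []byte) []byte {
	s, _ := rsa.SignPKCS1v15(rand.Reader, k, crypto.SHA256, digest(msg))
	return s
}
func verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(msg), sig) == nil
}
// acceptKey: the backend stores a public key only if the parent key signed it (root -> ASK, ASK -> Auth Key).
func acceptKey(parent, child *rsa.PublicKey, sig []byte) bool {
	return verify(parent, x509.MarshalPKCS1PublicKey(child), sig)
}
// authMsg is the constructed byte string signed in the TEE in step 2: challenge plus fingerprint index.
func authMsg(challenge string, fid int) []byte { return []byte(fmt.Sprintf("%s|fid=%d", challenge, fid)) }
// Backend keeps only the accepted Auth Key public key and the challenges it has issued.
type Backend struct {
	AuthPub *rsa.PublicKey
	Pending map[string]bool // issued but not yet consumed challenges
}

// IssueChallenge returns a fresh random nonce (step 1) and remembers it.
func (b *Backend) IssueChallenge() string {
	buf := make([]byte, 16)
	rand.Read(buf)
	c := fmt.Sprintf("%x", buf)
	b.Pending[c] = true
	return c
}

// VerifyAuth (step 4) checks the Auth Key signature and consumes the challenge so a replay fails.
func (b *Backend) VerifyAuth(challenge string, fid int, sig []byte) bool {
	if !b.Pending[challenge] {
		return false
	}
	delete(b.Pending, challenge)
	return verify(b.AuthPub, authMsg(challenge, fid), sig)
}
```

Consuming the challenge on first use is what stops a captured signature from being replayed; the fingerprint index is part of the signed bytes, so the backend can also tell which enrolled finger authorized the request.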
Open‑Source Components
SOTER provides the following open‑source modules:
soter‑core: low‑level key operations and fingerprint calls (≈40 KB).
soter‑wrapper: high‑level process encapsulation and device‑specific adaptations (≈70 KB).
Demo app and comprehensive client/server documentation.
All code is available at https://github.com/Tencent/soter.
Integration Steps
1. Add the Gradle dependency: compile 'com.tencent.soter:soter-wrapper:1.3.8'
2. Declare the fingerprint permission in AndroidManifest.xml: <uses-permission android:name="android.permission.USE_FINGERPRINT"/>
3. Initialize SOTER once (e.g., in Application.onCreate()) using the code snippet above.
4. Prepare the application key and then the business key with SoterWrapperApi.prepareAppKey(...) and SoterWrapperApi.prepareAuthKey(...).
5. Perform authentication via SoterWrapperApi.requestAuthorizeAndSign(...).
For high‑security scenarios such as fingerprint payment or login, refer to the provided demo code and security integration guide on the GitHub repository.
WeChat Client Technology Team
Official account of the WeChat mobile client development team, sharing development experience, cutting‑edge tech, and little‑known stories across Android, iOS, macOS, Windows Phone, and Windows.