Mobile Game Godot Course - Data Security using USB-Debugging Mode on Android

Hi All,

I have recently reached Section 34: Export for Android on the “Master Mobile Game Development with Godot 4” Course. Whilst the mobile was plugged into the PC with USB debug mode allowed, the screen had locked itself and I proceeded to unlock via a fingerprint. I did not think too much of this until the next course section, which showed the large amount of data being printed out of the phone onto the PC console. I realised I did not know what information was being written and what information could be read whilst connected to PC + USB debug mode. I understand that information like Pin and Fingerprint is stored securely on the phone, however I had actively unlocked the phone multiple times up to that point and do not know what information that action would expose.

I am looking to understand if the unlock data is not readable when connected to PC + in USB Debug and if I have not inadvertently exposed either my pin or fingerprint data. Any sources to help this would be great as well.

I did try to look this up via Android’s security documentation but could not find a specific answer or lacked the knowledge to understand the technical answer.

Any help with this would be greatly appreciated. I have learnt a lot from the course already and want to continue without concerns that I am exposing such critical/sensitive data.

Thank you,

WT

WaterproofTowel. That’s a cool name, I like it =)

I think it’s a healthy thing to be concerned about security, and I also think you don’t need to worry about the specific situation you bring up in this question. I did some digging and found something that I believe will cover everything you’re looking for:

TLDR: for Android phones (and these are manufacturer requirements strictly imposed by Google), biometric procedures are processed on isolated hardware within the phone, and biometrics data is stored only within that isolated hardware. The phone’s CPU has only indirect access to this at a physical level, so it cannot output that data, even if the phone’s operating system is compromised with a rootkit or some other nastiness. It’s always been a mantra of mine as well actually - in an electronic world, physical security is hard to beat! I was pleasantly surprised to see that it works this way.

If you are uneasy at all, I would suggest using only biometrics to unlock your phone during USB Debugging, as opposed to using your PIN (even that should be ok, but in a worst-case scenario, the biometrics stuff is clearly safer).

Have fun with the course!

Hello BH67,

Thank you for the quick reply. I am glad you like the username :smiley:

The article and your TLDR really helped me understand the process behind the TEE Hardware and how fingerprint unlocking works. It is good to know the input of junk encrypted data would only output “Yes” or “No”, and even that data is not allowed to be shared.

I had another look for information on the PIN example, but most search results are just telling me “How to set up my pin”. The closest info I got is that Android may store the PIN in a hashed state in a secure location (which is sourced via some StackExchange and Quora Questions, so nowhere close to conclusive).

I am still a bit cautious after the above but learnt a lot in the process. Your reply was much appreciated,

WT


Cheers, glad I could ease some concerns =)
