CVE-2016-3917 in Android

Summary

by MITRE

The fingerprint login feature in Android 6.0.1 before 2016-10-01 and 7.0 before 2016-10-01 does not track the user account during the authentication process, which allows physically proximate attackers to authenticate as an arbitrary user by leveraging lockscreen access, aka internal bug 30744668.


Analysis

by VulDB Data Team • 09/13/2025

CVE-2016-3917 is a flaw in the fingerprint login feature of Android 6.0.1 and 7.0 on builds with a security patch level earlier than 2016-10-01 (Android internal bug 30744668). On those builds, fingerprint authentication did not track which user account an authentication attempt was for, so a fingerprint match was never tied to a specific user profile. The weakness lies in the lockscreen path: an attacker with physical access to the device and its lockscreen can use it to authenticate as a different user on the same device.

As far as the public description goes, the root cause is that the fingerprint subsystem verified that a presented finger matched an enrolled template, but did not check that the matched template belonged to the user whose lockscreen was being unlocked. The consequence is that a fingerprint enrolled by any user on the device could authenticate as any other user on it, bypassing the isolation Android maintains between user profiles. The flaw sits in the platform's fingerprint authentication framework, not in any individual application.
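To make the missing check concrete, the following is an added example written for this entry, not Android's code. It models a fingerprint service that receives an already-matched template id from the sensor (matching itself is assumed to have succeeded) and must decide which user, if any, to unlock. The template owner ids, user ids and class names are hypothetical; the vulnerable class returns the requested user for any enrolled finger, the fixed class only for a finger enrolled under that user.

```python
"""Model of the user-tracking flaw behind CVE-2016-3917 (added example).

Assumptions (hypothetical): each enrolled template carries the Android
user id it was enrolled under; the sensor/HAL has already matched the
finger and hands the service the id of the matching template; the
lockscreen asks the service to authenticate a specific target user.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class Template:
    template_id: int
    owner_user_id: int  # Android user/profile the finger was enrolled for


class FingerprintServiceVulnerable:
    """Pre-fix behaviour as MITRE describes it: a match is treated as a
    device-wide unlock and the requesting user is never consulted."""

    def __init__(self, templates: Iterable[Template]) -> None:
        self._templates: Dict[int, Template] = {t.template_id: t for t in templates}

    def authenticate(self, target_user_id: int,
                     matched_template_id: Optional[int]) -> Optional[int]:
        """Return the user id that gets unlocked, or None on failure."""
        if matched_template_id is None or matched_template_id not in self._templates:
            return None
        # BUG (the CVE): the owner of the matched template is not compared
        # with target_user_id, so any enrolled finger unlocks any user.
        return target_user_id


class FingerprintServiceFixed(FingerprintServiceVulnerable):
    """Tracks the account: a match only unlocks the user it was enrolled for."""

    def authenticate(self, target_user_id: int,
                     matched_template_id: Optional[int]) -> Optional[int]:
        template = (self._templates.get(matched_template_id)
                    if matched_template_id is not None else None)
        if template is None:
            return None
        if template.owner_user_id != target_user_id:
            # Genuine finger, wrong account: refuse instead of unlocking.
            return None
        return template.owner_user_id


# Constructed device state: primary user 0 and a secondary user 10, each
# with one enrolled finger.
OWNER_USER, OTHER_USER = 0, 10
ENROLLED = [Template(1, OWNER_USER), Template(2, OTHER_USER)]


def run_scenario(service_cls) -> Dict[str, Optional[int]]:
    """Replay the attack: the lockscreen is showing user 0 and the secondary
    user presents their own enrolled finger (template 2).  Returns which
    user is unlocked in each case (None = rejected)."""
    svc = service_cls(ENROLLED)
    return {
        "owner_unlocks_own_profile": svc.authenticate(OWNER_USER, 1),
        "other_user_unlocks_owner_profile": svc.authenticate(OWNER_USER, 2),
        "unenrolled_finger": svc.authenticate(OWNER_USER, None),
    }


if __name__ == "__main__":
    for cls in (FingerprintServiceVulnerable, FingerprintServiceFixed):
        print(cls.__name__, run_scenario(cls))
```

The design point is in the fixed class: the authenticator returns the identity the template was enrolled for and refuses when it differs from the account being unlocked, rather than returning "success" and letting the caller assume it applies to whatever user is on screen.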

Operationally, the risk is concentrated on devices with more than one user profile configured (guest, work or family profiles, or shared enterprise devices). A person with a fingerprint enrolled under one account on the device could authenticate as another account on the same device by leveraging the lockscreen, regardless of whose finger it was. The attack requires physical access to the locked device and nothing else, so shared or unattended devices are the realistic setting.

The impact is full access to the victim profile: messages, accounts signed in on that profile, application data and anything else the lockscreen was protecting. It breaks the user isolation on which Android's multi-user support rests, and with it the trust users place in the fingerprint lock. Where account separation is a control relied on for compliance, that control was not effective on affected builds.

The fix shipped with the 2016-10-01 Android security patch level, released through the October 2016 Android Security Bulletin, and reached devices through OEM and carrier updates. Whether a device is fixed can be read from its security patch level (Settings > About phone, or the ro.build.version.security_patch system property): Android 6.0.1 or 7.0 with a patch level older than 2016-10-01 is exposed. Because OEMs ship updates on their own schedules, organisations running mobile device management should treat the patch level as the field to inventory and enforce, consider disabling multi-user and guest mode on shared devices until they are updated, and review access to profiles on shared devices for activity that does not match the profile owner.
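The patch-level check above, as an added example (not VulDB's or Android's tooling). It reads the two properties Android exposes through getprop, ro.build.version.release and ro.build.version.security_patch, and decides whether the build is in the affected range; the adb invocation assumes a single authorised device on an adb on PATH, and the inventory sample at the bottom is constructed to show the same logic applied to an MDM export.

```shell
#!/bin/sh
# Added example for CVE-2016-3917: is a (release, security patch level)
# pair inside the affected range?  Affected: Android 6.0.1 and 7.0 with
# ro.build.version.security_patch earlier than 2016-10-01.

# spl_to_int 2016-10-01 -> 20161001; fails silently on anything that is
# not a zero-padded YYYY-MM-DD string.
spl_to_int() {
  case "$1" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])
      printf '%s\n' "$1" | sed 's/-//g' ;;
    *) return 1 ;;
  esac
}

# affected_by_cve_2016_3917 RELEASE SPL
# exit 0 = vulnerable, 1 = not affected, 2 = patch level unparseable
affected_by_cve_2016_3917() {
  release="$1"
  spl="$2"
  case "$release" in
    6.0.1|7.0) ;;      # only the releases MITRE lists are in scope
    *) return 1 ;;
  esac
  n=$(spl_to_int "$spl") || return 2
  # Fixed at the 2016-10-01 patch level; anything older is still exposed.
  [ "$n" -lt 20161001 ]
}

# Query the attached device (assumes adb on PATH, one authorised device).
# Not run automatically; call it by hand.
check_attached_device() {
  release=$(adb shell getprop ro.build.version.release | tr -d '\r\n')
  spl=$(adb shell getprop ro.build.version.security_patch | tr -d '\r\n')
  rc=0
  affected_by_cve_2016_3917 "$release" "$spl" || rc=$?
  case $rc in
    0) printf 'VULNERABLE: Android %s, patch level %s (< 2016-10-01)\n' "$release" "$spl"; return 1 ;;
    2) printf 'UNKNOWN: Android %s, unparseable patch level "%s"\n' "$release" "$spl"; return 2 ;;
    *) printf 'not affected: Android %s, patch level %s\n' "$release" "$spl" ;;
  esac
}

# Constructed sample of an MDM inventory export: id, release, patch level.
INVENTORY='phone-001 7.0 2016-09-06
phone-002 7.0 2016-10-01
phone-003 6.0.1 2016-11-05
phone-004 5.1.1 2016-03-01
phone-005 6.0.1 unknown'

# Prints the ids of vulnerable devices, one per line; warns on stderr for
# rows whose patch level cannot be parsed.
vulnerable_ids_in_inventory() {
  printf '%s\n' "$INVENTORY" | while read -r id rel spl; do
    rc=0
    affected_by_cve_2016_3917 "$rel" "$spl" || rc=$?
    case $rc in
      0) printf '%s\n' "$id" ;;
      2) printf 'warn: %s has unparseable patch level "%s"\n' "$id" "$spl" >&2 ;;
    esac
  done
}
```

Comparing the patch level as an integer after stripping the dashes avoids the non-POSIX `[ a \< b ]` string test; the date format is zero-padded, so numeric order equals chronological order.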

The weakness maps to CWE-284 (Improper Access Control): an authentication decision was made without the context needed to authorise it, which is what let a legitimate credential for one account be used for another, a form of privilege escalation between users. The ATT&CK fit is loose; there is no "Physical Access" tactic, and the closest description is credential access and initial access through an unattended device. The broader lesson is that a biometric match is a claim about one specific enrolled identity, and an authenticator has to carry that identity through to the authorisation decision rather than treat a bare match as a device-wide unlock signal.

Reservation: 03/30/2016

Disclosure: 10/10/2016

Moderation: accepted

Entry: VDB-92343

CPE: ready

EPSS: 0.00021

KEV: no

Activities: very low
