Research area: Infrastructure
Conference: Australasian Conference on Information Security and Privacy
Real-Person Authentication Systems (RPAuS) are used for secure remote access to financial transactions, online services, and private information. The rise of Deepfake technology poses a significant threat to RPAuS, as it can impersonate registered users to perform authentication. However, the resilience of RPAuS against advanced Deepfake attacks remains underexplored. Previous studies have explored Deepfake attacks on RPAuS, but they typically involve intrusive modifications, emulator-based testing, and pre-generated Deepfake videos. These methods are not universally applicable, as RPAuS often fails to run on emulators, especially in security-sensitive areas, and they do not ensure that Deepfake videos align with the app’s random liveness actions. To address these challenges, we propose a novel framework for universally evaluating RPAuS security against Deepfake attacks across various apps. It customizes the Android camera system and modifies the workflow of image transmission, allowing network communication to transmit camera-captured images to a local server that enables synchronized manipulation. Our framework generates forged authentication videos that comply with the app’s random liveness instructions. Additionally, it bypasses app risk detection mechanisms and is optimized for real-time performance. We deployed this framework on real devices and tested 19 popular apps. Results show that our framework effectively evaluates RPAuS security in all tested apps, while over half of these apps fail to launch or activate RPAuS on emulators. Notably, over 70% of the tested apps exhibited vulnerabilities to Deepfake attacks, underscoring the urgent need for enhanced security measures.
| Publication year | 2025 |
|---|---|
| Citations | 0 |
| Publication country | Australia, China |
| Site | Springer |
| Likes | 0 |