Most security researchers are scrambling to find a way to definitively prove, or disprove, the security and reliability of the iPhone X’s Face ID feature. Almost all of those attempts, however, require a second face to bypass your legitimate one. It turns out that users might have something to fear even without a doppelganger. It is no secret that Apple allows third-party apps to access some Face ID data, but how much of that data they get, and how easily they get it, could quickly become a privacy nightmare.
Face ID is inherently secure in the sense that nothing leaves your phone. Or at least it shouldn’t. As with the fingerprint-based Touch ID, everything is stored on the device and is encrypted so that no one, not even Apple or the government, can have access to it without the user’s knowledge or consent. But in order to make use of features beyond unlocking the phone, like Animoji, for example, Apple needed to give app developers access to some of that face data. Some security analysts think Apple may have jumped the gun on that one.
Third-party apps have access to a wireframe image of your face as well as a live readout of the movements of your eyes, mouth, etc. In theory, that’s more than enough for apps to read your expressions, guess your gender and race, and derive other statistical information that may be of interest to developers or third parties. The problem, according to researchers and developers, is that Apple isn’t doing enough to limit the scope of what developers are allowed to do.
SOURCE: The Washington Post