# Face Unlock Vulnerability on Android: Why Photos Fool Smartphones
Over 60% of tested Android smartphones are vulnerable to face spoofing using a simple photo. Research by Which? labs, covering 208 devices, showed that most budget and mid-range models use 2D recognition systems unable to distinguish a live person from a printed image. This poses serious risks to user privacy and data security.
Why 2D Face Recognition Is So Vulnerable
Face unlock systems on most Android devices rely on the standard front-facing camera without additional depth sensors. This approach produces a flat image lacking three-dimensional structure. As a result, the algorithm can't determine whether the object in front of the camera is a real face or a 2D copy—whether it's a printed photo, an image on another device's screen, or even a video.
In contrast, solutions like Apple Face ID or 3D scanners in premium Honor and Samsung models use infrared projectors and depth sensors. They create a precise map of the face's surface made up of thousands of points, making spoofing extremely difficult without specialized equipment.
Threat Trends: From Peak to Partial Improvement
The peak vulnerability occurred in 2024: 72% of tested devices fell to photo-based attacks. Compared to 2023, this was a 35% increase. However, in 2025, there's a positive trend—the share of vulnerable smartphones dropped to 63%, 13% better than the previous year.
Some manufacturers have started taking steps toward greater transparency. For example, Xiaomi added risk warnings on 26 of its models, while Samsung did so on nine devices over the last three years. Nevertheless, other brands, including Motorola and OnePlus, released dozens of models without adequate warnings.
Manufacturers and Their Stances on Security
Manufacturers consistently emphasize that 2D face unlock is intended solely for convenience, not for protecting sensitive operations. Here's how key players put it:
- Fairphone: states that it uses biometric class 1 ("convenience"), which Android automatically blocks in financial apps.
- Honor: acknowledges the technical limitations of 2D systems and recommends flagship Pro models with 3D mapping for high-security tasks.
- Motorola: advises using a PIN, password, or pattern lock instead of Face Unlock.
- OnePlus: refers to the mandatory "Face Recognition Usage Statement," which explicitly states that the method is less reliable than fingerprint or digital password.
Models at Risk
The research identified specific devices that failed tests for resistance to identity spoofing. Among them:
- Fairphone 6;
- Honor Magic6 Lite 5G;
- Motorola lineup: Moto G75 5G, Edge 60 Pro, Edge 60 fusion, Moto G56 5G, G86, Edge 40 Neo, Moto g35, Moto g55, Razr 50 Ultra, Edge 50 Ultra, Edge 50 Pro, Moto G73;
- Nothing Phone (2a) Plus, (3a), (3a) Pro, (3), (2a);
- OnePlus 13R, 13, Nord 5, Nord CE5, 15, Nord 3 5G;
- Oppo Reno 13 F, Reno 13 Pro, Find X9 Pro, Find X9, Reno 11 F 5G.
Interestingly, even newer market entrants like Nothing failed to provide adequate protection or user warnings on all tested devices.
What Users Should Do: Practical Protection Steps
If your smartphone uses 2D Face Unlock, take these additional steps:
- Disable face unlock and switch to fingerprint or PIN.
- Set a PIN on your SIM card to prevent its use in another device.
- Enable "App Lock" for critical services—messengers, email, gallery.
These steps significantly reduce the risk of unauthorized access even if someone physically gets hold of your device.
Key Takeaways
- Most mid-range and budget Android smartphones use 2D face recognition, which can easily be fooled by a photo.
- Only 3D systems with depth mapping provide real protection against identity spoofing.
- Manufacturers view Face Unlock as a convenience feature, not a security one, and often exclude it from financial scenarios.
- Google Pixel 8–10 are an exception: despite the 2D approach, they use advanced ML models to meet banking standards.
- User awareness and alternative authentication methods are key to protecting your data.
— Editorial Team
No comments yet.