Thank you for bringing this to our attention. While we do not believe that this means that customers using fingerprint access with mSecure 5 on Android have had their information compromised, specially since most customers using fingerprint to unlock mSecure 5 also use their fingerprint to unlock their device, we do understand how this is less than ideal. We will be addressing this issue in our next update and make sure to require a customer's mSecure account password after the fingerprint settings for a device have changed.
Unless I'm mistaken there is NO such thing as fingerprint-only access to an Android device. You ALWAYS have to have a backup PIN code and that backup PIN code whether you use it or not. I'd agree with you that the majority of the time someone would be using their fingerprint to unlock the phone, but I was thinking of any of the following scenarios:
Can you confirm that this does not apply to Apple products? It appears that mSecure5 does force the use of a password if any touch ID change is made on an iPhone.
Yes, any changes to Touch ID on iOS will result in having to enter your mSecure account password in order to unlock the app. You'll have to set up Touch ID in our settings afterwards.
Like most people I consider my MSecure database to merit a higher level of security than my phone. While my phone is always locked, the MSecure database is a vault within a vault.
Because a phone PIN or pattern can be observed in many situations (and these days you're highly likely to have entered it at least once while you're in range of a CCTV) my MSecure database requires something more.
I do have Fingerprint ID as an option for logging into my MSecure database. Many apps (Bank of America, 1Password) that allow fingerprint ID have a special feature wherein when there's any new fingerprint added, fingerprints will no longer unlock the database UNTIL the master password is entered and fingerprints are re-enabled. Today I learned that MSecure does not have that same restriction.
As a result, someone who observed my PIN (or to whom I voluntarily gave my PIN) no longer only has access to my phone. They can now go into the Fingerprint ID settings, add one of their own fingerprints, and immediately log into my MSecure database.
This means that if you use Fingerprint ID on your MSecure database, then whatever locks your phone is all someone needs to gain full access to your MSecure database. Until this is fixed anyone whose PIN is known to others and who uses FingerprintID for their MSecure database should consider their MSecure database as being shared as well.
I captured the screens from B of A and 1Password here: https://i.imgur.com/Ytuq0yT.png showing how their fingerprint login works after any changes to the enrolled fingerprints.
I am using MSecure for Android version 184.108.40.2062