An empirical study of SMS one-time password authentication in Android apps

A great number of user passwords have been leaked through security breaches of user accounts. To strengthen the Password Authentication Protocol (PAP) under these circumstances, Android app developers often implement a complementary One-Time Password (OTP) authentication that uses the Short Message Service (SMS). Unfortunately, SMS was not designed as a secure service, so an SMS One-Time Password is vulnerable to many attacks. To check whether the wide variety of SMS OTP authentication protocols currently used in Android apps are properly implemented, this paper presents an empirical study of them. We first derive a set of rules from RFC documents as a guide to implementing a secure SMS OTP authentication protocol. We then implement an automated analysis system, AUTH-EYE, to check whether a real-world OTP authentication scheme violates any of these rules. Without access to server source code, AUTH-EYE executes Android apps to trigger the OTP-relevant functionality and then analyzes the OTP implementations, including proprietary ones. By analyzing only the SMS responses, AUTH-EYE is able to assess the conformance of those implementations to our recommended rules and identify potentially insecure apps. In our empirical study, AUTH-EYE analyzed 3,303 popular Android apps and found that 544 of them adopt SMS OTP authentication. Further analysis by AUTH-EYE revealed a far-from-optimistic status: the implementations in 536 (98.5%) of the 544 apps violate at least one of our defined rules. The results indicate that Android app developers should seriously consider the security rules and violations we discuss so as to implement SMS OTP properly.
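The abstract describes AUTH-EYE as checking observed SMS OTP responses against rules derived from RFC documents, without listing the rules themselves. The following is an added illustration of what such a black-box conformance check can look like; it is not the paper's AUTH-EYE code. The five rules, their thresholds (a 6-digit minimum from RFC 4226, a 300-second validity window, a cap of 5 wrong guesses), the `OtpObservation` record and the two sample apps are all assumptions constructed for this example.

```python
"""Rule-conformance checks over a batch of observed SMS OTP responses.

Added example, not the paper's tool. Every threshold below is an
assumption chosen for illustration, not the paper's exact rule set.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

MIN_OTP_DIGITS = 6          # RFC 4226 (HOTP) recommends at least 6 digits
MAX_VALIDITY_SECONDS = 300  # assumed acceptable lifetime of one OTP
MAX_ATTEMPTS = 5            # assumed cap on wrong guesses before lockout


@dataclass(frozen=True)
class OtpObservation:
    """One SMS OTP response as a black-box analyzer would record it."""
    request_id: int                # distinct OTP request that produced this SMS
    code: str                      # OTP value extracted from the SMS body
    received_at: float             # epoch seconds when the SMS arrived
    last_accepted_at: float        # latest time the server still accepted it
    wrong_attempts_tolerated: int  # wrong guesses the server allowed first


def rule_length(obs: List[OtpObservation]) -> bool:
    """Every OTP must be numeric and at least MIN_OTP_DIGITS long."""
    return all(o.code.isdigit() and len(o.code) >= MIN_OTP_DIGITS for o in obs)


def rule_no_reuse(obs: List[OtpObservation]) -> bool:
    """Two different requests must never receive the same OTP value."""
    first_seen: Dict[str, int] = {}
    for o in obs:
        if o.code in first_seen and first_seen[o.code] != o.request_id:
            return False
        first_seen.setdefault(o.code, o.request_id)
    return True


def rule_not_sequential(obs: List[OtpObservation]) -> bool:
    """No three consecutive requests may yield codes with a constant step."""
    ordered = sorted(obs, key=lambda o: o.request_id)
    codes = [int(o.code) for o in ordered if o.code.isdigit()]
    for a, b, c in zip(codes, codes[1:], codes[2:]):
        if b - a == c - b:
            return False
    return True


def rule_expiry(obs: List[OtpObservation]) -> bool:
    """An OTP must stop being accepted within MAX_VALIDITY_SECONDS."""
    return all(o.last_accepted_at - o.received_at <= MAX_VALIDITY_SECONDS
               for o in obs)


def rule_attempt_limit(obs: List[OtpObservation]) -> bool:
    """The server must lock out after a bounded number of wrong guesses."""
    return all(o.wrong_attempts_tolerated <= MAX_ATTEMPTS for o in obs)


# Rule names are illustrative labels, not the paper's numbering.
RULES: Dict[str, Callable[[List[OtpObservation]], bool]] = {
    "R1 length >= 6 digits": rule_length,
    "R2 no reuse across requests": rule_no_reuse,
    "R3 not sequential": rule_not_sequential,
    "R4 expires within window": rule_expiry,
    "R5 bounded wrong attempts": rule_attempt_limit,
}


def assess(obs: List[OtpObservation]) -> Dict[str, bool]:
    """Map each rule name to True when the observations violate it."""
    return {name: not check(obs) for name, check in RULES.items()}


def violated_rules(obs: List[OtpObservation]) -> List[str]:
    """Sorted names of the rules the observed app violates."""
    return sorted(name for name, broken in assess(obs).items() if broken)


# Constructed observations for two hypothetical apps (sample data only).
GOOD_APP = [
    OtpObservation(1, "493027", 1000.0, 1120.0, 3),
    OtpObservation(2, "118264", 2000.0, 2150.0, 3),
    OtpObservation(3, "770915", 3000.0, 3090.0, 3),
]
WEAK_APP = [
    OtpObservation(1, "1234", 1000.0, 5000.0, 50),
    OtpObservation(2, "1235", 2000.0, 6000.0, 50),
    OtpObservation(3, "1236", 3000.0, 7000.0, 50),
    OtpObservation(4, "1234", 4000.0, 8000.0, 50),  # value from request 1 again
]

if __name__ == "__main__":
    for name, obs in (("good-app", GOOD_APP), ("weak-app", WEAK_APP)):
        print(name, violated_rules(obs) or "conforms to all rules")
```

The checks deliberately use only what the client side can observe (the SMS body, arrival time, how long the server keeps accepting the code, and how many wrong guesses it tolerates), which mirrors the abstract's point that conformance can be assessed without server source code. Real observations would be collected over many sessions; the constructed batches above are just large enough to exercise each rule.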
