DOI: 10.1145/3359789.3359828
Research article

An empirical study of SMS one-time password authentication in Android apps

Published: 09 December 2019

Abstract

A great many user passwords have been leaked through security breaches of user accounts. To strengthen the Password Authentication Protocol (PAP) under these circumstances, Android app developers often implement a complementary One-Time Password (OTP) authentication that delivers the OTP over the short message service (SMS). Unfortunately, SMS was not designed as a secure service, and an SMS One-Time Password is therefore vulnerable to many attacks. To check whether the wide variety of SMS OTP authentication protocols currently used in Android apps are properly implemented, this paper presents an empirical study of them. We first derive a set of rules from RFC documents as a guide to implementing a secure SMS OTP authentication protocol. We then implement an automated analysis system, AUTH-EYE, to check whether a real-world OTP authentication scheme violates any of these rules. Without access to server source code, AUTH-EYE executes Android apps to trigger their OTP-relevant functionality and then analyzes the OTP implementations, including proprietary ones. By analyzing only the SMS responses, AUTH-EYE is able to assess the conformance of those implementations to our recommended rules and identify potentially insecure apps. In our empirical study, AUTH-EYE analyzed 3,303 popular Android apps and found that 544 of them adopt SMS OTP authentication. Further analysis by AUTH-EYE revealed a far-from-optimistic status: the implementations of 536 (98.5%) of the 544 apps violate at least one of our defined rules. The results indicate that Android app developers should seriously consider the security rules and violations discussed here in order to implement SMS OTP properly.


Published In
ACSAC '19: Proceedings of the 35th Annual Computer Security Applications Conference
December 2019
821 pages
ISBN:9781450376280
DOI:10.1145/3359789
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. authentication protocol
  2. mobile application security
  3. one-time password authentication
  4. vulnerability detection

Qualifiers

  • Research-article

Funding Sources

  • CSIRO Research Office
  • the Major Project of Ministry of Industry and Information Technology of China ([2018] No.36)
  • the General Program of National Natural Science Foundation of China
  • the Key Program of National Natural Science Foundation of China

Conference

ACSAC '19
ACSAC '19: 2019 Annual Computer Security Applications Conference
December 9 - 13, 2019
San Juan, Puerto Rico, USA

Acceptance Rates

ACSAC '19 paper acceptance rate: 60 of 266 submissions, 23%
Overall acceptance rate: 104 of 497 submissions, 21%

Article Metrics

  • Downloads (last 12 months): 84
  • Downloads (last 6 weeks): 8
Reflects downloads up to 17 Dec 2024

Cited By

  • (2024) IoT Authentication Protocols: Challenges, and Comparative Analysis. ACM Computing Surveys. DOI 10.1145/3703444. Online publication date: 30-Nov-2024.
  • (2024) What Johnny thinks about using two-factor authentication on GitHub: A survey among open-source developers. Proceedings of the 19th International Conference on Availability, Reliability and Security, pp. 1-11. DOI 10.1145/3664476.3670885. Online publication date: 30-Jul-2024.
  • (2024) User Verification System using Location-based Dynamic Questions for Account Recovery. 2024 IEEE Security and Privacy Workshops (SPW), pp. 9-16. DOI 10.1109/SPW63631.2024.00006. Online publication date: 23-May-2024.
  • (2024) Uncovering Access Token Security Flaws in Multiuser Scenario of Smart Home Platforms. IEEE Internet of Things Journal 11(22), pp. 36841-36857. DOI 10.1109/JIOT.2024.3429417. Online publication date: 15-Nov-2024.
  • (2024) More Than Just a Random Number Generator! Unveiling the Security and Privacy Risks of Mobile OTP Authenticator Apps. Web Information Systems Engineering – WISE 2024, pp. 177-192. DOI 10.1007/978-981-96-0576-7_14. Online publication date: 27-Nov-2024.
  • (2024) One-Time Passwords: A Literary Review of Different Protocols and Their Applications. Advanced Research in Technologies, Information, Innovation and Sustainability, pp. 205-219. DOI 10.1007/978-3-031-48855-9_16. Online publication date: 3-Jan-2024.
  • (2023) Enhancing Account Recovery with Location-based Dynamic Questions. 2023 IEEE 23rd International Conference on Software Quality, Reliability, and Security Companion (QRS-C), pp. 532-539. DOI 10.1109/QRS-C60940.2023.00061. Online publication date: 22-Oct-2023.
  • (2023) A framework for analyzing authentication risks in account networks. Computers and Security 135(C). DOI 10.1016/j.cose.2023.103515. Online publication date: 1-Dec-2023.
  • (2023) App-based detection of vulnerable implementations of OTP SMS APIs in the banking sector. Wireless Networks. DOI 10.1007/s11276-023-03455-w. Online publication date: 22-Jul-2023.
  • (2023) A Complete One-Time Passwords (OTP) Solution Using Microservices: A Theoretical and Practical Approach. Innovations for Community Services, pp. 68-86. DOI 10.1007/978-3-031-40852-6_4. Online publication date: 1-Sep-2023.
