An empirical study of SMS one-time password authentication in Android apps
A great quantity of user passwords nowadays has been leaked through security breaches of user accounts. To enhance the security of the Password Authentication Protocol (PAP) in such circumstance, Android app developers often implement a complementary One-Time Password (OTP) authentication by utilizi...
Saved in:
| Main Authors: | , , , , , , , , |
|---|---|
| Format: | text |
| Language: | English |
| Published: |
Institutional Knowledge at Singapore Management University
2019
|
| Subjects: | |
| Online Access: | https://ink.library.smu.edu.sg/sis_research/4628 https://ink.library.smu.edu.sg/context/sis_research/article/5631/viewcontent/p339_ma.pdf |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Singapore Management University |
| Language: | English |
| id |
sg-smu-ink.sis_research-5631 |
|---|---|
| record_format |
dspace |
| spelling |
sg-smu-ink.sis_research-56312020-01-02T08:44:10Z An empirical study of SMS one-time password authentication in Android apps MA, Siqi FENG, Runhan LI, Juanru LIU, Yang NEPAL, Surya BERTINO, Elisa DENG, Robert H. MA, Zhuo JHA, Sanjay A great quantity of user passwords nowadays has been leaked through security breaches of user accounts. To enhance the security of the Password Authentication Protocol (PAP) in such circumstance, Android app developers often implement a complementary One-Time Password (OTP) authentication by utilizing the short message service (SMS). Unfortunately, SMS is not specially designed as a secure service and thus an SMS One-Time Password is vulnerable to many attacks. To check whether a wide variety of currently used SMS OTP authentication protocols in Android apps are properly implemented, this paper presents an empirical study against them. We first derive a set of rules from RFC documents as the guide to implement secure SMS OTP authentication protocol. Then we implement an automated analysis system, AUTH-EYE, to check whether a real-world OTP authentication scheme violates any of these rules. Without accessing server source code, AUTH-EYE executes Android apps to trigger the OTP-relevant functionalities and then analyzes the OTP implementations including those proprietary ones. By only analyzing SMS responses, AUTH-EYE is able to assess the conformance of those implementations to our recommended rules and identify the potentially insecure apps. In our empirical study, AUTH-EYE analyzed 3,303 popular Android apps and found that 544 of them adopt SMS OTP authentication. The further analysis of AUTH-EYE demonstrated a far-from-optimistic status: the implementations of 536 (98.5%) out of the 544 apps violate at least one of our defined rules. The results indicate that Android app developers should seriously consider our discussed security rules and violations so as to implement SMS OTP properly. 2019-12-01T08:00:00Z text application/pdf https://ink.library.smu.edu.sg/sis_research/4628 info:doi/10.1145/3359789.3359828 https://ink.library.smu.edu.sg/context/sis_research/article/5631/viewcontent/p339_ma.pdf http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University Information Security |
| institution |
Singapore Management University |
| building |
SMU Libraries |
| continent |
Asia |
| country |
Singapore Singapore |
| content_provider |
SMU Libraries |
| collection |
InK@SMU |
| language |
English |
| topic |
Information Security |
| spellingShingle |
Information Security MA, Siqi FENG, Runhan LI, Juanru LIU, Yang NEPAL, Surya BERTINO, Elisa DENG, Robert H. MA, Zhuo JHA, Sanjay An empirical study of SMS one-time password authentication in Android apps |
| description |
A great quantity of user passwords nowadays has been leaked through security breaches of user accounts. To enhance the security of the Password Authentication Protocol (PAP) in such circumstance, Android app developers often implement a complementary One-Time Password (OTP) authentication by utilizing the short message service (SMS). Unfortunately, SMS is not specially designed as a secure service and thus an SMS One-Time Password is vulnerable to many attacks. To check whether a wide variety of currently used SMS OTP authentication protocols in Android apps are properly implemented, this paper presents an empirical study against them. We first derive a set of rules from RFC documents as the guide to implement secure SMS OTP authentication protocol. Then we implement an automated analysis system, AUTH-EYE, to check whether a real-world OTP authentication scheme violates any of these rules. Without accessing server source code, AUTH-EYE executes Android apps to trigger the OTP-relevant functionalities and then analyzes the OTP implementations including those proprietary ones. By only analyzing SMS responses, AUTH-EYE is able to assess the conformance of those implementations to our recommended rules and identify the potentially insecure apps. In our empirical study, AUTH-EYE analyzed 3,303 popular Android apps and found that 544 of them adopt SMS OTP authentication. The further analysis of AUTH-EYE demonstrated a far-from-optimistic status: the implementations of 536 (98.5%) out of the 544 apps violate at least one of our defined rules. The results indicate that Android app developers should seriously consider our discussed security rules and violations so as to implement SMS OTP properly. |
| format |
text |
| author |
MA, Siqi FENG, Runhan LI, Juanru LIU, Yang NEPAL, Surya BERTINO, Elisa DENG, Robert H. MA, Zhuo JHA, Sanjay |
| author_facet |
MA, Siqi FENG, Runhan LI, Juanru LIU, Yang NEPAL, Surya BERTINO, Elisa DENG, Robert H. MA, Zhuo JHA, Sanjay |
| author_sort |
MA, Siqi |
| title |
An empirical study of SMS one-time password authentication in Android apps |
| title_short |
An empirical study of SMS one-time password authentication in Android apps |
| title_full |
An empirical study of SMS one-time password authentication in Android apps |
| title_fullStr |
An empirical study of SMS one-time password authentication in Android apps |
| title_full_unstemmed |
An empirical study of SMS one-time password authentication in Android apps |
| title_sort |
empirical study of sms one-time password authentication in android apps |
| publisher |
Institutional Knowledge at Singapore Management University |
| publishDate |
2019 |
| url |
https://ink.library.smu.edu.sg/sis_research/4628 https://ink.library.smu.edu.sg/context/sis_research/article/5631/viewcontent/p339_ma.pdf |
| _version_ |
1770574943298256896 |