Enhancing the security of One-Tap Authentication services via dynamic application identification
Publication Type
Journal Article
Publication Date
11-2025
Abstract
The One-Tap Authentication (OTAuth) service enables users to quickly log in or sign up for app accounts using their phone number. OTAuth provides a more secure and convenient alternative to password-based and Short Message Service (SMS)-based authentication schemes. Consequently, the OTAuth service has been adopted by numerous Mobile Network Operators (MNOs) worldwide. However, a high-severity vulnerability remains unaddressed in the OTAuth service, which allows an attacker to access a victim’s various app accounts, posing a significant risk to user privacy and data security. In this paper, we present LoadShow, which, to the best of our knowledge, is the first security-enhanced OTAuth scheme to address this vulnerability. We propose a novel dynamic application identification technique that aims to address the root cause of this vulnerability, i.e., the inability of MNOs to distinguish between different applications on the same device. Specifically, application identification is based on the hardware load side-channel and captures the unique CPU and GPU load characteristics of applications through the sequence of timing values of fingerprinting functions. We evaluate the effectiveness of LoadShow by accuracy, False Positive Rate (FPR), and True Positive Rate (TPR). We also evaluate its multi-platform compatibility on devices with different architectures and models. LoadShow achieves over 90% accuracy, with a TPR exceeding 90% and an FPR below 1%. The evaluation results demonstrate LoadShow’s capability to effectively differentiate between applications on a device, defend against app impersonation attacks, and reliably identify legitimate applications.
Keywords
One-tap authentication, application identification, cellular network, mobile security
Discipline
Information Security
Research Areas
Cybersecurity
Publication
IEEE Transactions on Information Forensics and Security
Volume
20
First Page
10231
Last Page
10245
ISSN
1556-6013
Identifier
10.1109/TIFS.2025.3607232
Publisher
Institute of Electrical and Electronics Engineers
Citation
LIU, Di; LI, Dawei; GUO, Yuxiao; GUO, Ying; HU, Ruinan; LIU, Jianwei; BIAN, Song; DING, Xuhua; LIU, Yizhong; and GUAN, Zhenyu.
Enhancing the security of One-Tap Authentication services via dynamic application identification. (2025). IEEE Transactions on Information Forensics and Security. 20, 10231-10245.
Available at: https://ink.library.smu.edu.sg/sis_research/10997
Additional URL
https://doi.org/10.1109/TIFS.2025.3607232