Publication Type
Conference Proceeding Article
Version
publishedVersion
Publication Date
12-2019
Abstract
A great quantity of user passwords has been leaked through security breaches of user accounts. To enhance the security of the Password Authentication Protocol (PAP) in such circumstances, Android app developers often implement a complementary One-Time Password (OTP) authentication by utilizing the short message service (SMS). Unfortunately, SMS is not designed as a secure service, and thus an SMS One-Time Password is vulnerable to many attacks. To check whether the wide variety of SMS OTP authentication protocols currently used in Android apps are properly implemented, this paper presents an empirical study of them. We first derive a set of rules from RFC documents as a guide for implementing a secure SMS OTP authentication protocol. Then we implement an automated analysis system, AUTH-EYE, to check whether a real-world OTP authentication scheme violates any of these rules. Without accessing server source code, AUTH-EYE executes Android apps to trigger the OTP-relevant functionality and then analyzes the OTP implementations, including proprietary ones. By analyzing only the SMS responses, AUTH-EYE is able to assess the conformance of those implementations to our recommended rules and identify potentially insecure apps. In our empirical study, AUTH-EYE analyzed 3,303 popular Android apps and found that 544 of them adopt SMS OTP authentication. Further analysis by AUTH-EYE demonstrated a far-from-optimistic status: the implementations of 536 (98.5%) of the 544 apps violate at least one of our defined rules. The results indicate that Android app developers should seriously consider the security rules and violations we discuss in order to implement SMS OTP properly.
Discipline
Information Security
Research Areas
Cybersecurity
Publication
Proceedings of the 35th Annual Computer Security Applications Conference (ACSAC 2019)
First Page
339
Last Page
354
Identifier
10.1145/3359789.3359828
Publisher
ACM
City or Country
San Juan
Citation
MA, Siqi; FENG, Runhan; LI, Juanru; LIU, Yang; NEPAL, Surya; BERTINO, Elisa; DENG, Robert H.; MA, Zhuo; and JHA, Sanjay.
An empirical study of SMS one-time password authentication in Android apps. (2019). Proceedings of the 35th Annual Computer Security Applications Conference (ACSAC 2019). 339-354.
Available at: https://ink.library.smu.edu.sg/sis_research/4628
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.
Additional URL
https://doi.org/10.1145/3359789.3359828