Zeyu Lei (Purdue University), Yuhong Nan (Purdue University), Yanick Fratantonio (Eurecom & Cisco Talos), Antonio Bianchi (Purdue University)

SMS messages containing One-Time Passwords (OTPs) are a widely used mechanism for performing authentication in mobile applications. In fact, many popular apps use OTPs received via SMS as the only authentication factor, entirely replacing password-based authentication schemes. Although SMS OTP authentication mechanisms provide significant convenience to end-users, they also have significant security implications. In this paper, we study these mobile apps' authentication schemes based on SMS OTPs, and, in particular, we perform a systematic study on the threats posed by ``local attacks,'' a scenario in which an attacker has control over an unprivileged third-party app on the victim's device.

This study was carried out using a combination of reverse engineering, formal verification, user studies, and large-scale automated analysis. Our work not only revealed vulnerabilities in third-party apps, but it also uncovered several new design and implementation flaws in core APIs implemented by the mobile operating systems themselves. For instance, we found two official Android APIs to be vulnerable by design, i.e., APIs that inevitably lead to the implementation of insecure authentication schemes, even when used according to their documentation. Moreover, we found that other APIs are prone to be used unsafely by apps' developers.

Our large-scale study found 36 apps, sharing hundreds of millions of installations, that misuse these APIs, allowing a malicious local attacker to completely hijack their accounts. Such vulnerable apps include Telegram and KakaoTalk, some of the most popular messaging apps worldwide. Finally, we proposed a new and safer mechanism to perform SMS-based authentication, and we prove its safety using formal verification.

View More Papers

Sn4ke: Practical Mutation Analysis of Tests at Binary Level

Mohsen Ahmadi (Arizona State University), Pantea Kiaei (Worcester Polytechnic Institute), Navid Emamdoost (University of Minnesota)

Read More

IoTSafe: Enforcing Safety and Security Policy with Real IoT...

Wenbo Ding (Clemson University), Hongxin Hu (University at Buffalo), Long Cheng (Clemson University)

Read More

Detecting Kernel Memory Leaks in Specialized Modules with Ownership...

Navid Emamdoost (University of Minnesota), Qiushi Wu (University of Minnesota), Kangjie Lu (University of Minnesota), Stephen McCamant (University of Minnesota)

Read More

Cross-National Study on Phishing Resilience

Shakthidhar Reddy Gopavaram (Indiana University), Jayati Dev (Indiana University), Marthie Grobler (CSIRO’s Data61), DongInn Kim (Indiana University), Sanchari Das (University of Denver), L. Jean Camp (Indiana University)

Read More