Exploitation and Mitigation of Authentication Schemes Based on Device-Public Information

“…To trigger the delivery of an SMS OTP message to the victim's device, we also assume that the attacker knows the phone number of the victim. This assumption is in-line with similar attacks performed in previous work [10]. There are a number of ways an attacker can obtain a victim's phone number.…”

“…These attacks consist of an adversary who controls a malicious app installed on a victim's mobile device. We note that this is a common threat model in the field of mobile security, in-line with prior works [9], [10], [49], [50], [64]. In fact, it is unfortunately feasible and practical for an attacker to include malicious functionality in a seemingly benign and useful app, and distribute it through app markets [34], [42].…”

“…Given that this research area is well explored and that there have been several proposals by both academia and industry (including Google's several attempts to provide such APIs) [9], [10], [12], [17], [23], [27], [28], [30], [46], [57], one may think that it is not possible to obtain a solution that achieves all these properties at the same time, and that there necessarily is some sort of trade-off. We believe that is not the case, and we offer a proposal that satisfies all these properties.…”

“…SMS-based authentication issues. Previous studies have identified a set of implementation issues [10], [45], which can result in a vulnerable SMS-based authentication scheme. For example, whether the OTP code generated with less entropy or with longer expiration time.…”

“…Although these attacks have been previously studied [10], [18], [20], [32], [46], modern devices and operating systems implement new APIs and mechanisms to ease developers and users' lives, when implementing and using SMS OTP authentication schemes. To the best of our knowledge, no study has systematically analyzed the security of these new mechanisms, and no study has performed a large-scale evaluation to determine the relevance and the impact of these threats.…”

On the Insecurity of SMS One-Time Password Messages against Local Attackers in Modern Mobile Devices

“…To trigger the delivery of an SMS OTP message to the victim's device, we also assume that the attacker knows the phone number of the victim. This assumption is in-line with similar attacks performed in previous work [10]. There are a number of ways an attacker can obtain a victim's phone number.…”

“…These attacks consist of an adversary who controls a malicious app installed on a victim's mobile device. We note that this is a common threat model in the field of mobile security, in-line with prior works [9], [10], [49], [50], [64]. In fact, it is unfortunately feasible and practical for an attacker to include malicious functionality in a seemingly benign and useful app, and distribute it through app markets [34], [42].…”

“…Given that this research area is well explored and that there have been several proposals by both academia and industry (including Google's several attempts to provide such APIs) [9], [10], [12], [17], [23], [27], [28], [30], [46], [57], one may think that it is not possible to obtain a solution that achieves all these properties at the same time, and that there necessarily is some sort of trade-off. We believe that is not the case, and we offer a proposal that satisfies all these properties.…”

“…SMS-based authentication issues. Previous studies have identified a set of implementation issues [10], [45], which can result in a vulnerable SMS-based authentication scheme. For example, whether the OTP code generated with less entropy or with longer expiration time.…”

“…Although these attacks have been previously studied [10], [18], [20], [32], [46], modern devices and operating systems implement new APIs and mechanisms to ease developers and users' lives, when implementing and using SMS OTP authentication schemes. To the best of our knowledge, no study has systematically analyzed the security of these new mechanisms, and no study has performed a large-scale evaluation to determine the relevance and the impact of these threats.…”

On the Insecurity of SMS One-Time Password Messages against Local Attackers in Modern Mobile Devices

Honey, I Shrunk Your App Security: The State of Android App Hardening

A survey of android application and malware hardening