An Empirical Study of the SMS One-Time Password Authentication in Android Apps
A great many user passwords have been leaked through breaches of user accounts. To strengthen the Password Authentication Protocol (PAP) under these circumstances, Android app developers often add a complementary One-Time Password (OTP) authentication step delivered over the Short Message Service (SMS). Unfortunately, SMS was not designed as a secure service, so an SMS One-Time Password is exposed to many attacks. To check whether the wide variety of SMS OTP authentication protocols currently used in Android apps are properly implemented, this paper presents an empirical study of them. We first derive a set of security rules, specified in technical RFC documents, for correctly implementing an SMS OTP authentication protocol. Since our goal is to determine whether a real-world OTP authentication scheme violates any of these rules, we propose an automated analysis system, AUTH-EYE, to achieve it. Without access to server source code, AUTH-EYE executes Android apps to trigger their OTP-related functionality and then analyzes the OTP implementations, including proprietary ones. By analyzing only the SMS responses, AUTH-EYE is able to assess the conformance of those implementations to our security rules and detect the insecure ones. In our empirical study, AUTH-EYE analyzed 3,303 Android apps with more than 3,000 users and found that 544 of them use SMS OTP authentication. AUTH-EYE's further detection showed a far-from-optimistic picture: the implementations in 536 (98.5%) of the 544 apps violated at least one OTP authentication protocol security rule. The results indicate that Android app developers should seriously consider the security rules and violations we discuss so as to implement SMS OTP properly.
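As an added illustration of the black-box approach the abstract describes (judging an implementation from the SMS responses alone), the Python script below is not from the paper and is not AUTH-EYE's code. It extracts OTP values from a constructed set of SMS bodies and checks three example rules: a minimum length of six digits (RFC 4226, requirement R4), no reuse of a value across fresh requests, and no trivially sequential values. The abstract does not list the paper's actual rule set, so these three rules, the sample messages and the function names are assumptions made for this example.

```python
import re

# Constructed sample data (not from the paper): SMS bodies as an app might
# receive them across several "resend code" requests for the same account.
SMS_SAMPLES = {
    "app_a": ["Your code is 482913", "Your code is 107744",
              "Your code is 930028", "Your code is 551209"],
    "app_b": ["Verification code: 1234", "Verification code: 1234",
              "Verification code: 1234"],
    "app_c": ["Code 100001", "Code 100002", "Code 100003", "Code 100004"],
}

# Simplified extraction (assumption): the OTP is the first 4-10 digit run.
OTP_RE = re.compile(r"\b(\d{4,10})\b")


def extract_otps(messages):
    """Return the OTP string found in each SMS body, in arrival order."""
    otps = []
    for body in messages:
        match = OTP_RE.search(body)
        if match:
            otps.append(match.group(1))
    return otps


def check_min_length(otps, minimum=6):
    """RFC 4226 R4: an OTP value must be at least 6 digits long."""
    return bool(otps) and all(len(o) >= minimum for o in otps)


def check_no_reuse(otps):
    """Each fresh request must yield a fresh value; a repeated value
    indicates a static or cached OTP that an interceptor can replay."""
    return len(set(otps)) == len(otps)


def check_not_sequential(otps):
    """Values that step by a constant come from a counter, not from an
    unpredictable generator, so later OTPs are guessable from earlier ones.
    (Identical values step by 0 and are reported by check_no_reuse instead.)"""
    if len(otps) < 3:
        return True
    values = [int(o) for o in otps]
    diffs = {b - a for a, b in zip(values, values[1:])}
    return not (len(diffs) == 1 and diffs != {0})


RULES = {
    "min_length": check_min_length,
    "no_reuse": check_no_reuse,
    "not_sequential": check_not_sequential,
}


def evaluate(messages):
    """Map each example rule to whether the observed OTPs satisfy it."""
    otps = extract_otps(messages)
    return {name: rule(otps) for name, rule in RULES.items()}


def violations(messages):
    """Names of the example rules the observed OTPs violate, in RULES order."""
    return [name for name, ok in evaluate(messages).items() if not ok]


if __name__ == "__main__":
    for app, messages in SMS_SAMPLES.items():
        print(app, violations(messages) or "conforms to the example rules")
```

Only properties visible in the OTP values themselves are checked here; server-side behaviour such as throttling of verification attempts (RFC 4226, Section 7.3) or code expiry would need the app-driven interaction the abstract describes rather than the SMS text alone.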