Abstract
One-Time Passwords (OTPs) are a crucial component of multi-factor authentication (MFA) systems, providing additional security by requiring users to supply a dynamically generated code for authenticating to web services. The growth in smartphone usage has resulted in a shift from hardware tokens to mobile app-based OTP authenticators; however, these apps also present potential security and privacy threats.
In this paper, we present a comprehensive analysis of 182 publicly available OTP apps on Google Play. Our analysis entails an array of passive and active measurements meticulously designed to assess the security and privacy attributes inherent to each OTP application. We investigate the presence of suspicious libraries, usage of binary protections, access to root privileges, secure backup and cryptographic mechanisms, and protection against traffic interception, as well as gauge users' perceptions of the security and privacy features of OTP apps. Our experiments highlight several security and privacy weaknesses in instances of OTP apps. We observe that 28% of the analyzed apps are signed using a vulnerable version of the Android application signing mechanism. Over 40% of the OTP apps include third-party libraries leading to user information leakage to third parties. 31.9% of the OTP applications are vulnerable to network interception, and only 13.2% possess the capability to detect devices that have been jailbroken or rooted, which poses a significant concern. Our study highlights the need for better security and privacy guarantees in OTP apps and the importance of user awareness.
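One of the measurements the abstract summarises is whether an app is signed with a vulnerable version of the Android signing mechanism. As an added example (not code from the paper), the script below reports which APK signature schemes a package carries, assuming that the "vulnerable version" means v1 JAR signing with no v2/v3 APK Signing Block; the sample APKs it builds are constructed test inputs, not real apps.

```python
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
# Block IDs defined by the Android APK Signature Scheme v2 / v3 / v3.1 specifications.
SCHEME_IDS = {0x7109871A: "v2", 0xF05368C0: "v3", 0x1B93AD61: "v3.1"}

def _central_dir_offset(apk) -> int:
    """Find the ZIP End of Central Directory record and return the central directory offset."""
    eocd = apk.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("not a ZIP/APK: EOCD record missing")
    return struct.unpack_from("<I", apk, eocd + 16)[0]

def signing_schemes(apk: bytes) -> dict:
    """Report which APK signature schemes an APK carries: v1 (JAR signing) appears as
    META-INF/*.SF entries; v2/v3/v3.1 as ID-value pairs in the APK Signing Block."""
    found = {"v1": False, "v2": False, "v3": False, "v3.1": False}
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        found["v1"] = any(n.startswith("META-INF/") and n.endswith(".SF")
                          for n in zf.namelist())
    cd = _central_dir_offset(apk)
    if cd >= 24 and apk[cd - 16:cd] == APK_SIG_BLOCK_MAGIC:
        size = struct.unpack_from("<Q", apk, cd - 24)[0]   # excludes the leading size field
        pos, end = cd - size, cd - 24                      # first pair .. trailing size field
        while pos < end:
            pair_len, block_id = struct.unpack_from("<QI", apk, pos)
            found[SCHEME_IDS.get(block_id, "other")] = True
            pos += 8 + pair_len
    found["v1_only"] = found["v1"] and not any(found[s] for s in ("v2", "v3", "v3.1"))
    return found

def build_sample_apk(v1: bool, scheme_ids=()) -> bytes:
    """Construct a minimal APK-shaped ZIP for testing (constructed sample, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        if v1:
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
    apk = bytearray(buf.getvalue())
    if scheme_ids:  # splice a signing block with empty values in front of the central directory
        pairs = b"".join(struct.pack("<QI", 8, i) + b"\0" * 4 for i in scheme_ids)
        size = len(pairs) + 8 + 16
        block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
        cd, eocd = _central_dir_offset(apk), apk.rfind(b"PK\x05\x06")
        apk[cd:cd] = block
        struct.pack_into("<I", apk, eocd + len(block) + 16, cd + len(block))
    return bytes(apk)
```

The block only parses structure; verifying the signatures themselves is left to `apksigner verify --print-certs`, which also reports the schemes it accepted.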
| Original language | English |
|---|---|
| Number of pages | 16 |
| Publication status | Accepted/In press - 4 Sept 2024 |
| Event | International Web Information Systems Engineering conference, Doha, Qatar; duration: 2 Dec 2024 → 5 Dec 2024; conference number: 25; https://wise2024-qatar.com |
Conference

| Conference | International Web Information Systems Engineering conference |
|---|---|
| Abbreviated title | WISE |
| Country/Territory | Qatar |
| City | Doha |
| Period | 2/12/24 → 5/12/24 |
| Internet address | https://wise2024-qatar.com |