More than just a random number generator! Unveiling the security and privacy risks of mobile OTP authenticator apps

Muhammad Ikram, I Wayan Budi Sentana, Hassan Asghar, Dali Kaafar, Michal Kepkowski

Research output: Contribution to conference › Paper › peer-review

Abstract

One-Time Passwords (OTPs) are a crucial component of multi-factor authentication (MFA) systems, providing additional security by requiring users to supply a dynamically generated code for authenticating to web services. The growth in smartphone usage has resulted in a shift from hardware tokens to mobile app-based OTP authenticators; however, these apps also present potential security and privacy threats.

In this paper, we present a comprehensive analysis of 182 publicly available OTP apps on Google Play. Our analysis entails an array of passive and active measurements meticulously designed to assess the security and privacy attributes inherent to each OTP application. We investigate the presence of suspicious libraries, usage of binary protections, access to root privileges, secure backup and cryptographic mechanisms, and protection against traffic interception, as well as gauge users' perceptions of the security and privacy features of OTP apps. Our experiments highlight several security and privacy weaknesses in instances of OTP apps. We observe that 28% of the analyzed apps are signed using a vulnerable version of the Android application signing mechanism. Over 40% of the OTP apps include third-party libraries leading to user information leakage to third parties. 31.9% of the OTP applications are vulnerable to network interception, and only 13.2% possess the capability to detect devices that have been jailbroken or rooted, which poses a significant concern. Our study highlights the need for better security and privacy guarantees in OTP apps and the importance of user awareness.
Original language: English
Number of pages: 16
Publication status: Accepted/In press - 4 Sept 2024
Event: International Web Information Systems Engineering conference - Doha, Doha, Qatar
Duration: 2 Dec 2024 to 5 Dec 2024
Conference number: 25
Internet address: https://wise2024-qatar.com

Conference

Conference: International Web Information Systems Engineering conference
Abbreviated title: WISE
Country/Territory: Qatar
City: Doha
Period: 2/12/24 to 5/12/24