TY - GEN
T1 - More than just a random number generator! Unveiling the security and privacy risks of mobile OTP authenticator apps
AU - Ikram, Muhammad
AU - Sentana, I. Wayan Budi
AU - Asghar, Hassan
AU - Kaafar, Mohamed Ali
AU - Kepkowski, Michal
PY - 2025
Y1 - 2025
N2 - One-Time Passwords (OTPs) are a crucial component of multi-factor authentication (MFA) systems, providing additional security by requiring users to supply a dynamically generated code for authenticating to web services. The growth in smartphone usage has resulted in a shift from hardware tokens to mobile app-based OTP authenticators; however, these apps also present potential security and privacy threats. In this paper, we present a comprehensive analysis of 182 publicly available OTP apps on Google Play. Our analysis entails an array of passive and active measurements meticulously designed to assess the security and privacy attributes inherent to each OTP application. We investigate the presence of suspicious libraries, usage of binary protections, access to root privileges, secure backup and cryptographic mechanisms, and protection against traffic interception. Our experiments highlight several security and privacy weaknesses in instances of OTP apps. We observe that 28% of the analyzed apps are signed using a vulnerable version of the Android application signing mechanism. Over 40% of the OTP apps include third-party libraries leading to user information leakage to third parties. 31.9% of the OTP applications are vulnerable to network interception, and only 13.2% possess the capability to detect devices that have been jailbroken or rooted, which poses a significant concern. Our study highlights the need for better security and privacy guarantees in OTP apps and the importance of user awareness.
KW - OTP apps
KW - Security and privacy
KW - Static and dynamic analysis
UR - https://www.scopus.com/pages/publications/85211241713
U2 - 10.1007/978-981-96-0576-7_14
DO - 10.1007/978-981-96-0576-7_14
M3 - Conference proceeding contribution
AN - SCOPUS:85211241713
SN - 9789819605750
T3 - Lecture Notes in Computer Science
SP - 177
EP - 192
BT - Web Information Systems Engineering – WISE 2024
A2 - Barhamgi, Mahmoud
A2 - Wang, Hua
A2 - Wang, Xin
PB - Springer, Springer Nature
CY - Singapore
T2 - 25th International Conference on Web Information Systems Engineering, WISE 2024
Y2 - 2 December 2024 through 5 December 2024
ER -