More Than Just a Random Number Generator! Unveiling the Security and Privacy Risks of Mobile OTP Authenticator Apps
Abstract: One-Time Passwords (OTPs) are a crucial component of multi-factor authentication (MFA) systems, providing additional security by requiring users to supply a dynamically generated code when authenticating to web services. The growth in smartphone usage has shifted OTP generation from hardware tokens to mobile app-based authenticators; however, these apps also introduce security and privacy threats of their own. In this paper, we present a comprehensive analysis of 182 publicly available OTP apps on Google Play. Our analysis combines passive and active measurements designed to assess the security and privacy properties of each OTP application. We investigate the presence of suspicious libraries, the use of binary protections, access to root privileges, secure backup and cryptographic mechanisms, and protection against traffic interception. Our experiments highlight several security and privacy weaknesses in the analyzed OTP apps. We observe that 28% of the analyzed apps are signed using a vulnerable version of the Android application signing mechanism. Over 40% of the OTP apps include third-party libraries that leak user information to third parties. 31.9% of the OTP applications are vulnerable to network interception, and only 13.2% are able to detect jailbroken or rooted devices, which is a significant concern. Our study highlights the need for stronger security and privacy guarantees in OTP apps and the importance of user awareness.