RT info:eu-repo/semantics/conferenceObject T1 Vulnerabilities of the SMS Retriever API for the auto-matic verification of SMS OTP codes in the banking sector T2 UCAmI 2022: 14th International Conference on Ubiquitous Computing and Ambient Intelligence A1 Aparicio de la Fuente, Amador A1 Martínez González, María Mercedes A1 Cardeñoso Payo, Valentín AB One of the ways to authenticate users of mobile devices is by sending One Time Password (OTP) codes via SMS messages. In order to facilitate the use of these codes by customers, Google has proposed APIs that allow the automatic verifica-tion of the SMS messages without the intervention of the users themselves. One of these APIs is the SMS Retriever API for Android devices. This article presents a study of this API. Different scenarios of interaction between mobile apps and SMS OTP servers are posed to determine which implementations of the SMS Re-triever API are vulnerable. The study presented here focuses on Spain’s banking sector. The results show that there are vulnerable implementations which would allow cybercriminals to steal the users’ SMS OTP codes. The desirable equilibri-um between ease of use and security needs to be improved in order to maintain the high level of security which has traditionally characterized this sector. The proposed methodology, applied here to this particular sector (banking), is never-theless simple enough to be applied to any other sector. One of its advantages is that it proposes a method for detecting bad implementations of the SMS Retriever API on the server side, based analyses of the apps, which would make it easily applicable. PB Springer, Cham YR 2022 FD 2022 LK https://uvadoc.uva.es/handle/10324/59016 UL https://uvadoc.uva.es/handle/10324/59016 LA eng DS UVaDOC RD 26-dic-2024