Por favor, use este identificador para citar o enlazar este ítem:https://uvadoc.uva.es/handle/10324/59016
Título
Vulnerabilities of the SMS Retriever API for the auto-matic verification of SMS OTP codes in the banking sector
Otros títulos
UCAmI 2022: 14th International Conference on Ubiquitous Computing and Ambient Intelligence
Congreso
14th International Conference on Ubiquitous Computing and Ambient Intelligence
Año del Documento
2022
Editorial
Springer, Cham
Zusammenfassung
One of the ways to authenticate users of mobile devices is by sending One Time Password (OTP) codes via SMS messages. In order to facilitate the use of these codes by customers, Google has proposed APIs that allow the automatic verifica-tion of the SMS messages without the intervention of the users themselves. One of these APIs is the SMS Retriever API for Android devices. This article presents a study of this API. Different scenarios of interaction between mobile apps and SMS OTP servers are posed to determine which implementations of the SMS Re-triever API are vulnerable. The study presented here focuses on Spain’s banking sector. The results show that there are vulnerable implementations which would allow cybercriminals to steal the users’ SMS OTP codes. The desirable equilibri-um between ease of use and security needs to be improved in order to maintain the high level of security which has traditionally characterized this sector. The proposed methodology, applied here to this particular sector (banking), is never-theless simple enough to be applied to any other sector. One of its advantages is that it proposes a method for detecting bad implementations of the SMS Retriever API on the server side, based analyses of the apps, which would make it easily applicable.
Version del Editor
Idioma
eng
Tipo de versión
info:eu-repo/semantics/submittedVersion
Derechos
openAccess
Aparece en las colecciones
Dateien zu dieser Ressource