SIMulation: Demystifying (Insecure) Cellular Network based One-Tap Authentication Services

Title: SIMulation: Demystifying (Insecure) Cellular Network based One-Tap Authentication Services
Publication Type: Conference Paper
Year of Publication: 2022
Authors: Zhou, Ziyi; Han, Xing; Chen, Zeyuan; Nan, Yuhong; Li, Juanru; Gu, Dawu
Conference Name: 2022 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)
Date Published: June 2022
Keywords: authentication, cellular network, Cellular networks, compositionality, fault diagnosis, human factors, iOS Security, Malware, Metrics, mobile network operator, mobile security, passwords, Pipelines, pubcrawl, Registers, resilience, Resiliency, security, SIM card based authentication
Abstract: A recently emerged cellular network based One-Tap Authentication (OTAuth) scheme allows app users to quickly and conveniently sign up or log in to their accounts: tokens provided by the Mobile Network Operator (MNO), rather than user passwords, are used as identity credentials. After conducting a first in-depth security analysis, however, we have revealed several fundamental design flaws among popular OTAuth services, which allow an adversary to easily (1) perform unauthorized login and register new accounts as the victim, (2) illegally obtain identities of victims, and (3) interfere with the OTAuth services of legitimate apps. To further evaluate the impact of our identified issues, we propose a pipeline that integrates both static and dynamic analysis. We examined 1,025/894 Android/iOS apps, each app holding more than 100 million installations. We confirmed that 396/398 Android/iOS apps are affected. Our research systematically reveals the threats against OTAuth services. Finally, we provide suggestions on how to mitigate these threats accordingly.
Notes: ISSN: 2158-3927
DOI: 10.1109/DSN53405.2022.00059
Citation Key: zhou_simulation_2022