
Many Android mobile applications (e.g., WhatsApp, Telegram), when used for the first time on a device, "authenticate" users by sending them a secret code in an SMS message.

The same mechanism is used to allow users to log back in to their accounts if they change device or reinstall the app (as long as they are still using a SIM card with the original phone number).

I assume this mechanism is used to allow a "user-friendly" password-less authentication.

I was wondering to what extent this mechanism can be considered "secure".

In particular, a malicious app installed on the victim's device can easily:

  • communicate with the app's backend asking to log in to a previously created account
  • receive the authentication SMS and read its content
  • use the received code to (silently) log in to the victim's account

Is there any way to defend against this kind of attack?

  • This is a variation of one of the three classic authentication methods, "what you bring". The classic method to strengthen authentication is to use multi-factor authentication. Typically this is implemented as an Out Of Band communication, and the message is typically a One Time Password. This means that the user would notice the code doesn't work when they try to use it; that takes care of Eve.
    – Aron
    Commented Feb 2, 2015 at 4:38
  • Finally. The way WhatsApp ensures that only their app is connected? They only allow one registered device per number (or app installation). If a malicious app intercepted the registration it would either deactivate the real app, or be deactivated by the real app.
    – Aron
    Commented Feb 2, 2015 at 4:52
  • Also, maybe the code they send you is paired with a code your device generates and stores locally, so an attacker might not even be able to use it anyway. So it's probably safe for the initial signup, but something besides SMS should be used for authorizing new devices afterwards (do they do that?).
    – sudo
    Commented May 9, 2018 at 1:34
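The two defences raised in the comments above, a device-generated secret paired with the SMS code and a single active device per number, as an added toy simulation (not code from any of the apps mentioned; the server design, phone number and constants are constructed for illustration):

```python
import hashlib, hmac, secrets, time

OTP_TTL = 300      # seconds an SMS code stays valid (constructed value)
MAX_ATTEMPTS = 5   # wrong guesses allowed before the pending login is voided

class AuthServer:
    """Toy backend (hypothetical): the SMS code is only accepted together with a
    secret the device generated and never sent by SMS, and a phone number can
    have a single active device at a time."""
    def __init__(self):
        self.pending = {}    # phone -> [digest, expiry, attempts]
        self.sessions = {}   # phone -> token of the one active device
        self.sms_outbox = [] # stands in for the carrier: anything reading SMS sees it

    def _digest(self, code, device_secret):
        return hashlib.sha256(f"{code}:{device_secret}".encode()).hexdigest()

    def start_login(self, phone, device_secret):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = [self._digest(code, device_secret), time.time() + OTP_TTL, 0]
        self.sms_outbox.append((phone, code))

    def finish_login(self, phone, code, device_secret):
        entry = self.pending.get(phone)
        if entry is None or time.time() > entry[1]:
            return None
        entry[2] += 1
        if entry[2] > MAX_ATTEMPTS:
            del self.pending[phone]
            return None
        if not hmac.compare_digest(self._digest(code, device_secret), entry[0]):
            return None
        del self.pending[phone]                 # one-time use
        token = secrets.token_hex(16)
        self.sessions[phone] = token            # displaces any earlier device
        return token

def scenario():
    """Constructed walk-through of the two cases discussed on the page."""
    srv, phone = AuthServer(), "+15555550100"
    real = secrets.token_hex(16)              # made by the real app, kept in app-private storage
    srv.start_login(phone, real)
    _, code = srv.sms_outbox[-1]              # what an SMS-reading app on the phone sees
    sniffed = srv.finish_login(phone, code, "")   # code alone: rejected
    legit = srv.finish_login(phone, code, real)   # code + device secret: accepted
    replay = srv.finish_login(phone, code, real)  # same code again: rejected
    srv.start_login(phone, "attacker-secret")     # malicious app starts its own login
    hijack = srv.finish_login(phone, srv.sms_outbox[-1][1], "attacker-secret")
    return sniffed, legit, replay, hijack, srv.sessions.get(phone) == legit
```

The device secret defeats passive reading of the legitimate login's SMS, but not a login the malicious app starts itself; in that case the single-device rule is what makes the attack visible, because the real app's session is displaced, as the comments describe.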

1 Answer


It is usually a mistake to think of security as either it is or it isn't. You really need to do a basic risk assessment. As a comparison, ask the question "Is my house secure?" The answer to this question is not yes or no. It really depends on factors like where your house is located, i.e. 30 miles from the nearest town is possibly safer than in a suburb with a high level of crime or burglaries. For my house in the country, I might have just standard locks, but for my house in the city, I might have high quality deadbolt locks, alarms, a guard dog etc. If on the other hand, I collect valuable art work and keep it in my country house and I just use my town house as a crash pad for when I'm in town, I might invest in alarms and dogs for my country house and not really worry about the town house as there isn't much value there and even if someone does break in, it probably won't have much impact to me.

The other point to consider is that if someone really wants to break into my house, I probably won't be able to stop them. All I can really do is make the cost of breaking in for the thief higher than the reward/value they will obtain.

The same ideas apply with respect to the use of SMS for verification etc. There are numerous reports of people having their Google mail account hacked despite using Google's two step verification (which includes an SMS code). See for example http://gizmodo.com/how-hackers-reportedly-side-stepped-gmails-two-factor-a-1653631338. In addition to the risk of a malicious app on your phone stealing that information (there are numerous reports of banking malware which does this), there is also the risk that someone will hack your service provider and redirect your number to their phone. This is why most of the better systems don't rely only on the SMS. Often the SMS is just one bit of information which is required to gain access.

However, just like the house example, whether it is secure really depends on evaluating the risks. For example, I use an app which records todo items, bookmarks and other notes. It uses SMS as a way to recover my account should I forget my password or whenever I access it from a new device. Is this secure? For me, it is secure enough. If someone was to redirect my phone and get my SMS code and access the site, so what? They get access to my todo list and SMS messages. Most likely, it would just be an inconvenience. However, if my bank just used an SMS code to authenticate me, I would probably switch banks because this would be a much higher risk.

So, in general, SMS on its own as a form of authentication is not great, but may be sufficient for some things and is definitely not sufficient for others. If it is only part of the authentication process and requires additional information, that is probably better, but for some applications, may be a little excessive. Essentially, you need to evaluate its use in context and be wary of sweeping statements that say it is or isn't secure.

  • I agree with what has been said above and, to make it short, I wouldn't rely on SMS-only authentication. Of course, if we're talking about social media or messenger apps, it can be enough to guarantee a layer of security. For business applications or when data integrity and IDM come into play, I would definitely go for other solutions.
    – Andrea V
    Commented Feb 6, 2015 at 0:07
