Write a Blog >>
ICSE 2021
Mon 17 May - Sat 5 June 2021

A fundamental premise of SMS One-Time Password (OTP) is that the used pseudo-random numbers (PRNs) are uniquely unpredictable for each login session. Hence, the process of generating PRNs is inevitably the most critical step in the OTP authentication. An improper implementation of a pseudo-random number generator (PRNG) will result in predictable or even static OTP values, making them vulnerable to potential attacks. In this paper, we present a vulnerability study against PRNGs implemented for Android apps. A key challenge is that PRNGs are typically implemented on the server side, and thus the source code is not accessible. To resolve this issue, we build an analysis tool, OTP-Lint, to assess implementations of the PRNGs in an automated manner without the source code requirement. Through reverse engineering, OTP-Lint identifies the apps using SMS OTP and triggers the login functionality in each app to retrieve OTP values. It further assesses the randomness of the OTP values to identify vulnerable PRNGs. By analyzing 6,431 commercially used Android apps downloaded from Google Play and Tencent Myapp, OTP-Lint identified 399 vulnerable apps that generate predictable OTP values. Even worse, 194 vulnerable apps use the OTP authentication alone without any additional security mechanisms, leading to insecure authentication against guessing attacks and replay attacks.

Conference Day
Wed 26 May

Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change

11:20 - 12:20
2.1.1. Vulnerabilities in Android #1Technical Track at Blended Sessions Room 1 +12h
Chair(s): Alessandra GorlaIMDEA Software Institute
11:20
20m
Paper
Fine with ``1234''? An Analysis of SMS One-Time Password Randomness in Android AppsTechnical Track
Technical Track
Siqi Mathe University of Queensland, Juanru LiShanghai Jiao Tong University, hyoungshick kimSungkyunkwan University, Elisa BertinoPurdue University, Surya NepalData61, CSIRO, Diet OstryData61, CSIRO, Cong SunXidian University
Pre-print Media Attached
11:40
20m
Paper
App's Auto-Login Function Security Testing via Android OS-Level VirtualizationTechnical Track
Technical Track
Wenna SongWuhan University, Jiang MingUniversity of Texas at Arlington, Lin JiangXDJA, Han YanWuhan University, Yi XiangWuhan University, Yuan ChenWuhan University, Jianming FuWuhan University, Guojun PengWuhan University
Pre-print Media Attached
12:00
20m
Paper
ATVHunter: Reliable Version Detection of Third-Party Libraries for Vulnerability Identification in Android AppsACM SIGSOFT Distinguished PaperTechnical Track
Technical Track
Xian ZhanThe Hong Kong Polytechnic University, Lingling FanNankai University, Sen ChenTianjin University, Feng WuNanyang Technological University, Tianming LiuMonash Univerisity, Xiapu LuoThe Hong Kong Polytechnic University, Yang LiuNanyang Technological University
Pre-print
23:20 - 00:20
2.1.1. Vulnerabilities in Android #1Technical Track at Blended Sessions Room 1
23:20
20m
Paper
Fine with ``1234''? An Analysis of SMS One-Time Password Randomness in Android AppsTechnical Track
Technical Track
Siqi Mathe University of Queensland, Juanru LiShanghai Jiao Tong University, hyoungshick kimSungkyunkwan University, Elisa BertinoPurdue University, Surya NepalData61, CSIRO, Diet OstryData61, CSIRO, Cong SunXidian University
Pre-print Media Attached
23:40
20m
Paper
App's Auto-Login Function Security Testing via Android OS-Level VirtualizationTechnical Track
Technical Track
Wenna SongWuhan University, Jiang MingUniversity of Texas at Arlington, Lin JiangXDJA, Han YanWuhan University, Yi XiangWuhan University, Yuan ChenWuhan University, Jianming FuWuhan University, Guojun PengWuhan University
Pre-print Media Attached
00:00
20m
Paper
ATVHunter: Reliable Version Detection of Third-Party Libraries for Vulnerability Identification in Android AppsACM SIGSOFT Distinguished PaperTechnical Track
Technical Track
Xian ZhanThe Hong Kong Polytechnic University, Lingling FanNankai University, Sen ChenTianjin University, Feng WuNanyang Technological University, Tianming LiuMonash Univerisity, Xiapu LuoThe Hong Kong Polytechnic University, Yang LiuNanyang Technological University
Pre-print