Write a Blog >>
ICSE 2021
Mon 17 May - Sat 5 June 2021

A fundamental premise of SMS One-Time Password (OTP) is that the used pseudo-random numbers (PRNs) are uniquely unpredictable for each login session. Hence, the process of generating PRNs is inevitably the most critical step in the OTP authentication. An improper implementation of a pseudo-random number generator (PRNG) will result in predictable or even static OTP values, making them vulnerable to potential attacks. In this paper, we present a vulnerability study against PRNGs implemented for Android apps. A key challenge is that PRNGs are typically implemented on the server side, and thus the source code is not accessible. To resolve this issue, we build an analysis tool, OTP-Lint, to assess implementations of the PRNGs in an automated manner without the source code requirement. Through reverse engineering, OTP-Lint identifies the apps using SMS OTP and triggers the login functionality in each app to retrieve OTP values. It further assesses the randomness of the OTP values to identify vulnerable PRNGs. By analyzing 6,431 commercially used Android apps downloaded from Google Play and Tencent Myapp, OTP-Lint identified 399 vulnerable apps that generate predictable OTP values. Even worse, 194 vulnerable apps use the OTP authentication alone without any additional security mechanisms, leading to insecure authentication against guessing attacks and replay attacks.

Wed 26 May

Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change

11:20 - 12:20
2.1.1. Vulnerabilities in Android #1Technical Track at Blended Sessions Room 1 +12h
Chair(s): Alessandra Gorla IMDEA Software Institute
11:20
20m
Paper
Fine with ``1234''? An Analysis of SMS One-Time Password Randomness in Android AppsTechnical Track
Technical Track
Siqi Ma the University of Queensland, Juanru Li Shanghai Jiao Tong University, hyoungshick kim Sungkyunkwan University, Elisa Bertino Purdue University, Surya Nepal Data61, CSIRO, Diet Ostry Data61, CSIRO, Cong Sun Xidian University
Pre-print Media Attached
11:40
20m
Paper
App's Auto-Login Function Security Testing via Android OS-Level VirtualizationTechnical Track
Technical Track
Wenna Song Wuhan University, Jiang Ming University of Texas at Arlington, Lin Jiang XDJA, Han Yan Wuhan University, Yi Xiang Wuhan University, Yuan Chen Wuhan University, Jianming Fu Wuhan University, Guojun Peng Wuhan University
Pre-print Media Attached
12:00
20m
Paper
ATVHunter: Reliable Version Detection of Third-Party Libraries for Vulnerability Identification in Android AppsACM SIGSOFT Distinguished PaperTechnical Track
Technical Track
Xian Zhan The Hong Kong Polytechnic University, Lingling Fan Nankai University, Sen Chen Tianjin University, Feng Wu Nanyang Technological University, Tianming Liu Monash Univerisity, Xiapu Luo The Hong Kong Polytechnic University, Yang Liu Nanyang Technological University
Pre-print Media Attached
23:20 - 00:20
2.1.1. Vulnerabilities in Android #1Technical Track at Blended Sessions Room 1
23:20
20m
Paper
Fine with ``1234''? An Analysis of SMS One-Time Password Randomness in Android AppsTechnical Track
Technical Track
Siqi Ma the University of Queensland, Juanru Li Shanghai Jiao Tong University, hyoungshick kim Sungkyunkwan University, Elisa Bertino Purdue University, Surya Nepal Data61, CSIRO, Diet Ostry Data61, CSIRO, Cong Sun Xidian University
Pre-print Media Attached
23:40
20m
Paper
App's Auto-Login Function Security Testing via Android OS-Level VirtualizationTechnical Track
Technical Track
Wenna Song Wuhan University, Jiang Ming University of Texas at Arlington, Lin Jiang XDJA, Han Yan Wuhan University, Yi Xiang Wuhan University, Yuan Chen Wuhan University, Jianming Fu Wuhan University, Guojun Peng Wuhan University
Pre-print Media Attached
00:00
20m
Paper
ATVHunter: Reliable Version Detection of Third-Party Libraries for Vulnerability Identification in Android AppsACM SIGSOFT Distinguished PaperTechnical Track
Technical Track
Xian Zhan The Hong Kong Polytechnic University, Lingling Fan Nankai University, Sen Chen Tianjin University, Feng Wu Nanyang Technological University, Tianming Liu Monash Univerisity, Xiapu Luo The Hong Kong Polytechnic University, Yang Liu Nanyang Technological University
Pre-print Media Attached