Security Analysis of Mobile Authenticator Applications

Can Ozkan, Kemal Bicakci

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution > peer-review

10 Citations (Scopus)

Abstract

Deploying Two-Factor Authentication (2FA) is one of the most highly recommended security mechanisms against account hijacking attacks. One of the common methods for 2FA is to combine a something-you-know factor with a something-you-have factor. For the latter, the options include USB sticks, smart cards, SMS verification, and one-time password values generated by mobile applications (soft OTP). For cost and convenience reasons, deploying 2FA via soft OTPs is the more common choice. However, unlike smart cards, which are tamper resistant, smartphones can be accessed by attackers remotely or physically, so that they can fetch the shared secret seed value; this is an important security risk for mobile authenticators. For this reason, it is critical to analyze mobile authenticator applications in this context. In this paper, we report our findings after analyzing eleven different Android authenticator applications. We report that we fetched the cleartext shared secret seed value from storage in five applications and from memory in seven applications, using standard reverse engineering techniques and open-source tools.
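The risk the abstract describes, shown as an added example that is not code from the paper: a soft-OTP authenticator is only a seed plus the public RFC 4226 (HOTP) and RFC 6238 (TOTP) algorithms, so whoever reads the seed out of storage or memory can generate exactly the codes the victim's phone generates. The XML key/value store below is constructed for this illustration (it mimics an Android SharedPreferences dump for a hypothetical app) and the seed in it is the RFC test seed; the paper does not disclose the storage formats of the eleven applications it analysed.

```python
"""Why a leaked soft-OTP seed is a full second-factor compromise.

Added example, not from the paper. The SharedPreferences-style XML is
CONSTRUCTED for this illustration and belongs to a hypothetical app.
"""
import base64
import hashlib
import hmac
import struct
import xml.etree.ElementTree as ET

# Constructed sample: cleartext key/value store of a hypothetical authenticator.
# The "secret" is the RFC 4226/6238 test seed "12345678901234567890" in base32.
SAMPLE_PREFS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="account">alice@example.com</string>
    <string name="issuer">Example</string>
    <string name="secret">GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ</string>
</map>
"""


def seed_from_base32(b32: str) -> bytes:
    """Decode a base32 seed as written in otpauth:// URIs (padding is often dropped)."""
    s = b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)  # restore the '=' padding that apps usually strip
    return base64.b32decode(s)


def hotp(seed: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC(seed, 8-byte big-endian counter), then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second periods elapsed."""
    return hotp(seed, unix_time // step, digits, algo)


def extract_seed(prefs_xml: str, key: str = "secret") -> bytes:
    """Pull the cleartext seed out of a dumped key/value XML store (constructed format)."""
    root = ET.fromstring(prefs_xml)
    for entry in root.findall("string"):
        if entry.get("name") == key:
            return seed_from_base32(entry.text or "")
    raise KeyError(f"no '{key}' entry in store")


def clone_codes(prefs_xml: str, unix_time: int, window: int = 1) -> list:
    """Codes an attacker holding the dumped store can present around `unix_time`.

    Verifiers commonly accept clock drift of +/- one step, so the cloned
    authenticator also returns the neighbouring codes.
    """
    seed = extract_seed(prefs_xml)
    return [totp(seed, unix_time + k * 30) for k in range(-window, window + 1)]


if __name__ == "__main__":
    import time
    print("cloned codes:", clone_codes(SAMPLE_PREFS_XML, int(time.time())))
```

The point of the example is that nothing in the computation is secret except the seed: obfuscating the app with ProGuard hides class and method names, not the bytes the HMAC is keyed with, which is why the paper's keywords pair obfuscation with the Android Key Store (a seed wrapped by a hardware-backed key cannot simply be copied out of the preferences file).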

Original language: English
Title of host publication: 2020 International Conference on Information Security and Cryptology, ISCTURKEY 2020 - Proceedings
Editors: Seref Sagiroglu, Sedat Akleylek, Ferruh Ozbudak, Yavuz Canbay
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 18-30
Number of pages: 13
ISBN (Electronic): 9781665418638
DOIs
Publication status: Published - 3 Dec 2020
Externally published: Yes
Event: 13th International Conference on Information Security and Cryptology, ISCTURKEY 2020 - Virtual, Ankara, Turkey
Duration: 3 Dec 2020 to 4 Dec 2020

Publication series

Name: 2020 International Conference on Information Security and Cryptology, ISCTURKEY 2020 - Proceedings

Conference

Conference: 13th International Conference on Information Security and Cryptology, ISCTURKEY 2020
Country/Territory: Turkey
City: Virtual, Ankara
Period: 3/12/20 to 4/12/20

Bibliographical note

Publisher Copyright:
© 2020 IEEE.

Keywords

  • Android
  • Android Key Store
  • Authentication
  • Cryptographic Controls
  • Mobile Authenticator
  • Mobile Security
  • Obfuscation
  • ProGuard
  • Reverse Engineering
  • Two Factor Authentication
