Fine with “1234”? An Analysis of SMS One-Time Password Randomness in Android Apps

摘要: A fundamental premise of SMS One-Time Password (OTP) is that the used pseudo-random numbers (PRNs) are uniquely unpredictable for each login session. Hence, process generating PRNs most critical step in OTP authentication. An improper implementation number generator (PRNG) will result predictable or even static values, making them vulnerable to potential attacks. In this paper, we present a vulnerability study against PRNGs implemented Android apps. key challenge typically on server-side, and thus source code not accessible. To resolve issue, build an analysis tool, \sysname, assess implementations automated manner without requirement. Through reverse engineering, \sysname identifies apps using triggers app's functionality retrieve values. It further assesses randomness values identify PRNGs. By analyzing 6,431 commercially downloaded from \tool{Google Play} \tool{Tencent Myapp}, identified 399 generate Even worse, 194 use authentication alone any additional security mechanisms, leading insecure guessing attacks replay