Usage of Text Messages for Authentication in Mobile Devices

We are studying how mobile applications currently use mobile messages to implement passwordless authentication schemes and the security implications of this choice.

Publications

• On the Insecurity of SMS One-Time Password Messages against Local Attackers in Modern Mobile Devices
  Zeyu Lei, Yuhong Nan, Yanick Fratantonio, Antonio Bianchi
  Proceedings of the Annual Network & Distributed System Security Symposium (NDSS), San Diego, California, USA
  Feb. 2021.

Attack Demos

This is an end-to-end demo for our attack against the KakaoTalk app, which utilized the of the SMS Retriever API incorrectly.

This is an end-to-end demo for our attack against the Telegram app, which utilized the createAppSpecificToken API.

People

Antonio Bianchi

Zeyu Lei

Yuhong Nan

Associate Professor at Sun Yat-sen University