Usage of Text Messages for Authentication in Mobile Devices

We are studying how mobile applications currently use mobile messages to implement passwordless authentication schemes and the security implications of this choice.

Publications

Attack Demos

This is an end-to-end demo for our attack against the KakaoTalk app, which utilized the SMS Retriever API incorrectly.

This is an end-to-end demo for our attack against the Telegram app, which utilized the createAppSpecificToken API.

People