Fine with “1234”? an Analysis of SMS One-Time Password Randomness in Android Apps
Total Page:16
File Type:pdf, Size:1020Kb
2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE) Fine with “1234”? An Analysis of SMS One-Time Password Randomness in Android Apps Siqi Ma1, Juanru Li2, Hyoungshick Kim3, Elisa Bertino4, Surya Nepal5, Diethelm Ostry5, and Cong Sun6 1 The University of Queensland, [email protected] 2 Shanghai Jiao Tong University, [email protected] 3 Sungkyunwan University, [email protected] 4 Purdue University, [email protected] 5 Data61 CSIRO, fsurya.nepal, [email protected] 6 Xidian University, [email protected] Abstract—A fundamental premise of SMS One-Time Pass- however, these studies seldom analyze PRNG implementations word (OTP) is that the used pseudo-random numbers (PRNs) in apps. The techniques proposed for assessing the PRNG are uniquely unpredictable for each login session. Hence, the implementations mainly focus on open-source systems (e.g., process of generating PRNs is the most critical step in the OTP authentication. An improper implementation of the pseudo- Linux [8], OpenSSL [9]). However, these techniques rely on random number generator (PRNG) will result in predictable or code analysis and thus cannot be applied to analyze PRNGs even static OTP values, making them vulnerable to potential of Android apps. This paper focuses on the following two attacks. In this paper, we present a vulnerability study against goals: 1) exploring security vulnerabilities in SMS OTP values PRNGs implemented for Android apps. A key challenge is that generated by Android apps; 2) gaining insights into potential PRNGs are typically implemented on the server-side, and thus the source code is not accessible. To resolve this issue, we build an implementation issues of PRNGs used by these vulnerable analysis tool, OTP-Lint, to assess implementations of the PRNGs apps, without accessing the source code of the PRNGs. in an automated manner without the source code requirement. Towards fulfilling our goals, we first study the algorithms Through reverse engineering, OTP-Lint identifies the apps using and functions for generating PRNs to understand what types SMS OTP and triggers each app’s login functionality to retrieve of vulnerabilities may occur in PRNGs. Next, based on the OTP values. It further assesses the randomness of the OTP values to identify vulnerable PRNGs. By analyzing 6,431 commercially official RFC documents [10], [11], [12], [13] and research used Android apps downloaded from Google Play and Tencent work [14], [15], [16], we introduce three critical randomness Myapp, OTP-Lint identified 399 vulnerable apps that generate rules: Rule 1 – Do not use a static OTP value; Rule 2 – predictable OTP values. Even worse, 194 vulnerable apps use Do not generate OTP values according to specific patterns; the OTP authentication alone without any additional security Rule 3 – Do not use a constant or predictable seed to mechanisms, leading to insecure authentication against guessing attacks and replay attacks. initialize a randomness function (Section III-3). If the OTP Index Terms—OTP Authentication Protocol; Mobile Applica- values generated for user authentication violate any of the tion Security; Pseudo-Random Number Generator; Vulnerability randomness rules, those OTP values can be predicted, and Detection; Randomness Evaluation thus the authentication scheme can eventually be cracked. We develop a novel analysis tool, OTP-Lint, to assess I. INTRODUCTION the randomness of OTP values and analyze the potential SMS One-Time Password (OTP) is widely used for authen- implementation vulnerabilities of the corresponding PRNGs tication and authorization in Android apps [1], which employs without having access to the PRNG source code. OTP-Lint a uniquely generated pseudo-random number (PRN) for each first identifies the login Activity declared in each app using login session to verify each user’s identity. A pseudo-random a fuzzing-inspired approach. It then recognizes those apps number generator (PRNG) is commonly used to generate which use SMS OTP authentication through keyword match- unpredictable OTP values. Some cryptographically insecure ing. By locating the OTP login widgets, OTP-Lint triggers randomness algorithms, such as Mersenne Twister (MT) [2] the relevant app functionalities and sends OTP requests to and Linear Congruential Generator (LCG) [3], have been used the app server to retrieve OTP values. Finally, OTP-Lint in practice. A PRNG using any of these insecure randomness evaluates whether the gathered OTP values violate any of algorithms would generate highly predictable OTP values. the three introduced randomness rules. A major challenge Even though the utilized randomness algorithm is secure, the in the vulnerability analysis of OTP values is to determine generated PRNs may still be problematic if the algorithm is not which algorithm and function are used to generate PRNs implemented correctly (e.g., seeding the randomness algorithm and which parameters they are given as input. To address by using a constant) [4], [5]. this challenge, we collected PRNG sample codes written in Many studies [6], [7] have been proposed to analyze the diverse programming languages shared by app developers on security of pseudo-random number generating algorithms; GitHub [17] and Stack Overflow [18] to learn the popular 1558-1225/21/$31.00 ©2021 IEEE 1671 DOI 10.1109/ICSE43902.2021.00148 approaches for implementing PRNGs. mod m (0 < j < p) [14], where ⊗ is any binary function such We used OTP-Lint to analyze 6,431 real-world Android as addition, subtraction, multiplication, or even the bitwise apps, downloaded from both Google Play and Tencent MyApp XOR. LFib thus requires an initial sequence and two seeds to markets (1,000 from Google Play and 5,431 from Tencent begin. However, such algorithms using two seeds can be vul- MyApp). Out of these apps, OTP-Lint successfully detected nerable to birthday attacks [3]. Alternatively, therefore, three that 2,022 apps implemented SMS OTP login, and 399 seeds are recommended to be used according to the expression (19.7%) of these violated the defined randomness rules. Our Sk = Sn−q ⊗ Sn−j ⊗ Sn−p mod m (0 < q < j < p). In results demonstrate that a significant number of Android apps addition, the initial sequence of LFib should contain at least would be at real risk of cyber-attacks exploiting such OTP one odd number; otherwise, the generated PRNs would be all login functions. even. However, even if these issues are addressed, LFib is We believe that OTP-Lint would help service providers still not cryptographically secure because it is represented as and users test whether the OTP authentication in Android apps a linear recursion. is securely implemented and highlight potential security issues Mersenne Twister (MT). MT [6] is another popular algo- without accessing PRNG source code. Our main contributions rithm. MT does not use any arithmetic operations (i.e., +, ×, are as follows: −, ÷) but is based on a group of permutation and tempering • Through an examination of the official RFC documents operations with shifts (<< and >>), AND (&), OR (jj), and and research works, we provide insights into potential XOR(⊕). Since MT is based on a linear recursion, it is not implementation issues in vulnerable PRNGs and propose cryptographically secure [2]. One can determine the internal three types of randomness rules that must be followed for state of the algorithm once a sufficiently long sub-sequence of implementing secure PRNGs. outputs is observed. The most common implementation of MT • To the best of our knowledge, this is the first random- is MT19937, in which only 624 distinct outputs can be used ness study of OTP values generated by PRNGs used in to derive all the internal state variables of the PRNG [20]. Android apps. Without knowing the detailed implementa- Well Equidistributed Long-period Linear (WELL). Similar tions of PRNGs, we infer the potential vulnerabilities that to the MT algorithm, WELL is also a form of linear feedback might exist in the PRNGs through OTP value analysis. shift register using simple bitwise operations. A seed value is • We build a novel analysis tool, OTP-Lint. By trigger- required to start the generation process. With only a slightly ing OTP authentication in apps, OTP-Lint simulates higher time cost, WELL obtains better equidistribution than the most common vulnerable PRNG implementations MT [15]. WELL512, with a state size of 512 bits, is a for OTP randomness analysis and checks whether the widely used version. Its generated outputs are only selected generated OTP values are vulnerable. within the restricted state instead of unbounded dynamic • We used OTP-Lint to analyze 6,431 Android apps and memory allocation. The period length of the generated PRNs detected 399 apps that produce predictable OTP values. is approximately 2512. At first glance, the use of WELL512 Interestingly, 194 vulnerable apps use the OTP authenti- is sufficiently secure for OTP generation. However, when the cation alone without any additional security mechanisms, same seed is used, WELL512 also becomes vulnerable [21]. leading to insecure authentication against guessing at- B. Randomness Functions tacks and replay attacks. Most programming languages provide the functions for II. ANALYSIS OF RANDOMNESS WEAKNESSES generating PRNs by default. Instead of analyzing all of them, We discuss the widely used randomness algorithms and we only consider the most common ones — C/C++, Python, present the randomness functions in programming languages PHP, Java, and JavaScript [22]. We introduce the randomness that can be used for Android apps. functions that are frequently used to generate PRNs and discuss each function’s security issues. A. Randomness Algorithms 1) C/C++: Many PRNG functions are provided in the C Linear Congruential Generator (LCG). LCG is one of library. Two primary functions are listed below. the most popularly used algorithms that generate a sequence rand(): This function is a C standard built-in generator. To of pseudo-random numbers (PRNs), using a discontinuous ensure that the sequence of PRNs is unpredictable, srand(·) linear equation.