Defeating the Secrets of OTP Apps for Android

Despite the increasing number of cases of data theft (such as Equifax), the classic password is still in many places the sole security feature for user authentication.

However, numerous possibilities for extending this now anachronistic form of access control already exist. One such option is the use of one-time passwords (OTP). These passwords are increasingly used for additional authentication (in addition to user name and password) of the respective user to service providers on the Internet and the applications that generate these are therefore referred to as so-called two-factor authentication apps (2FA apps).

The paper of Philip Polleit and myself investigates 16 such 2FA apps for the Android operating system and focuses on the extent to which these applications can offer a similar level of protection when compared to classical hardware tokens (e.g., YubiKey, SecurID-Authenticator). The paper was presented at this years IMF conference in Hamburg.

In an overall assessment, it turned out that many of the apps examined resembled each other. They are often more or less direct derivatives of the Google Authenticator. This was often already evident from the directory structure and the use of the databases-file to store the shared secrets. Apps varied in terms of encryption used. While many did not encode, or only by different notation forms (bytecode), other apps used external libraries to implement the encryption. Even if the encryption was based on hardcoded keys – as shown by Latch – most of the used encryption proved to be solid. The same applies for most of the transmitted data between 2FA app and backend systems. The only negative example was again the app Latch that sends the user credentials in plaintext within the SSL connection.

The following table provides an overview of the survey results for all examined 2FA applications (X = Yes, O = No, – = unwanted behavior, + = wanted behavior):

2FA App Name Cloning Possible Encrypted Secret Device Integrity Check PIN Protection Secure SSL-Connection Secure OTP-Push
Google Authenticator X- O- O- O- N/A N/A
Microsoft Authenticator X- O- O- O- X+ O-
Authy 2-Factor Authentification O+ O- O- X+ X+ N/A
DUO Mobile X- O- X+ O- X+ X+
FreeOTP X- O- O- O- N/A N/A
Sophos Authenticator X- O- O- O- N/A N/A
Push Authenticator X- O- O- O- N/A N/A
OTP Authenticator O+ O- O- O- N/A N/A
Yandex.Key O+ X+ O- X+ N/A N/A
Symantec VIP Access O+ X+ O- O- X+ X+
2FA Token X- O- O- O- N/A N/A
Launchkey X- N/A O- X+ X+ N/A
CyAuth Cylocklite X- X+ O- O- X+ N/A
Topicus KeyHub X- O- O- O- X+ N/A
Latch O+ X+ O- O- O- N/A
Okta Verify O+ X+ O- O- X+ N/A

2 Replies to “Defeating the Secrets of OTP Apps for Android”

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.