SafeUM
Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
11 Apr 2016

Academics claim Google Android two-factor authentication is breakable

Computer security researchers warn security shortcomings in Android/Playstore undermine the security offered by all SMS-based two-factor authentication (2FA).

The issue - first reported to Google more than a year ago - revolves around an alleged security weakness rather than a straightforward software vulnerability. The BAndroid vulnerability was presented at the Android Security Symposium in Vienna last September by Victor van der Veen of Vrije Universiteit Amsterdam.

On the BAndroid microsite (featuring a video and FAQ), the Dutch researchers explain the cause and scope of the alleged vulnerability: “If attackers have control over the browser on the PC of a user using Google services (like Gmail, Google+, etc.), they can push any app with any permission on any of the user's Android devices, and activate it - allowing one to bypass 2-factor authentication via the phone. Moreover, the installation can be stealthy (without any icon appearing on the screen). For short, we refer to the vulnerability as the BAndroid (Browser-to-Android) vulnerability and to attacks that abuse it as BAndroid attacks.”
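The two properties the researchers single out, an install with no launcher icon and a permission set that lets the app read incoming SMS, are also what a defender can watch for on the device. The following Android receiver is an added example written for this post, not code from the researchers or from SafeUM; it assumes it is registered from a long-lived component (on Android 8+ ACTION_PACKAGE_ADDED is not delivered to manifest-declared receivers) and that the app can see other packages (on Android 11+ that means QUERY_ALL_PACKAGES or a <queries> element).

```java
import android.Manifest;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.util.Log;
import java.util.Arrays;
import java.util.List;

/** Flags new installs that match the BAndroid pattern: no launcher icon plus SMS access. */
public class SilentSmsAppReceiver extends BroadcastReceiver {
    private static final String TAG = "BAndroidWatch";
    private static final List<String> SMS_PERMS = Arrays.asList(
            Manifest.permission.RECEIVE_SMS, Manifest.permission.READ_SMS);

    /** Filter to pass to Context.registerReceiver(); the data scheme is mandatory. */
    public static IntentFilter filter() {
        IntentFilter f = new IntentFilter(Intent.ACTION_PACKAGE_ADDED);
        f.addDataScheme("package");
        return f;
    }

    @Override
    public void onReceive(Context ctx, Intent intent) {
        // Updates of existing apps also fire PACKAGE_ADDED; only fresh installs matter here.
        if (intent.getBooleanExtra(Intent.EXTRA_REPLACING, false) || intent.getData() == null) return;
        String pkg = intent.getData().getSchemeSpecificPart();
        PackageManager pm = ctx.getPackageManager();
        try {
            PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_PERMISSIONS);
            // Stealthy install: nothing for the user to tap, so nothing appears on the home screen.
            boolean hasLauncherIcon = pm.getLaunchIntentForPackage(pkg) != null;
            boolean wantsSms = false;
            if (info.requestedPermissions != null) {
                for (String p : info.requestedPermissions) {
                    if (SMS_PERMS.contains(p)) { wantsSms = true; break; }
                }
            }
            // "com.android.vending" means the Play Store did the install, i.e. the remote-push path.
            String installer = pm.getInstallerPackageName(pkg);
            if (!hasLauncherIcon && wantsSms) {
                Log.w(TAG, "silent SMS-capable install: " + pkg + " (installer=" + installer + ")");
                // A real monitor would raise a user-visible notification here.
            }
        } catch (PackageManager.NameNotFoundException e) {
            Log.d(TAG, "package removed before it could be inspected: " + pkg);
        }
    }
}
```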

A paper about the issue was published at the Financial Crypto conference back in February. The full research paper, which looks at the wider issues of phone-based 2FA, is titled How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication and is available as a PDF. In it, the researchers argue that Apple's Continuity feature, which brings iOS and Mac OS X devices closer together, is equally dangerous.

In the paper, the Dutch researchers, Radhesh Krishnan Konoth and Victor van der Veen, argue that the “process of integrating apps among multiple platforms essentially removes the gap between them”, which is important for security.

“The ongoing integration and desire for increased usability results in violation of key principles for mobile phone 2FA. As a result, we identify a new class of vulnerabilities dubbed 2FA synchronization vulnerabilities. To support our findings, we present practical attacks against Android and iOS that illustrate how a Man-in-the-Browser attack can be elevated to intercept One-Time Passwords sent to the mobile phone and thus bypass the chain of 2FA mechanisms as used by many financial services.”

Herbert Bos, professor of systems and security at Vrije Universiteit Amsterdam, who co-authored the mobile security paper with the two PhD students, stated that the researchers responsibly disclosed the security vulnerability to Google more than a year ago but claims that the tech giant “still refuses to fix it”. “Some people seem to think that if your web browser is compromised, it is game over anyway,” Bos told The Register.

“But really, this is why we have 2FA to begin with. Security problem in Android/Play store kills the security offered by all SMS-based two factor authentication (as used by many banks, governments, and, interestingly, Google itself). Google does not want to fix it (it is part of the design), but really, it should,” he added. Google has yet to respond to repeated requests for comment on the issue.

Tags: Android, iOS, information leaks
Source: The Register