Amador Aparicio scite author profile

Amador Aparicio

3Publications

0Citation Statements Received

11Citation Statements Given

How they've been cited

How they cite others

Affiliations

University of Valladolid

Publications

Order By: Most citations

Vulnerabilities of the SMS Retriever API for the Automatic Verification of SMS OTP Codes in the Banking Sector

Aparicio

Martinez

Cardeñoso

2022

View full text Add to dashboard Cite

One of the ways to authenticate users of mobile devices is by sending One Time Password (OTP) codes via SMS messages. In order to facilitate the use of these codes by customers, Google has proposed APIs that allow the automatic verification of the SMS messages without the intervention of the users themselves. One of these APIs is the SMS Retriever API for Android devices. This article presents a study of this API. Different scenarios of interaction between mobile apps and SMS OTP servers are posed to determine which implementations of the SMS Retriever API are vulnerable. The study presented here focuses on Spain's banking sector. The results show that there are vulnerable implementations which would allow cybercriminals to steal the users' SMS OTP codes. The desirable equilibrium between ease of use and security needs to be improved in order to maintain the high level of security which has traditionally characterized this sector. The proposed methodology, applied here to this particular sector (banking), is nevertheless simple enough to be applied to any other sector. One of its advantages is that it proposes a method for detecting bad implementations of the SMS Retriever API on the server side, based analyses of the apps, which would make it easily applicable.

show abstract

Métrica basada en grupos de permisos para entender el impacto de las aplicaciones Android sobre la privacidad

Aparicio

González

Cardeñoso

2022

View full text Add to dashboard Cite

App-based detection of vulnerable implementations of OTP SMS APIs in the banking sector

Aparicio¹,

González²,

Cardeñoso-Payo³

2023

Wireless Netw

View full text Add to dashboard Cite

Two Factor Authentication (2FA) using One Time Password (OTP) codes via SMS messages is widely used. In order to improve user experience, Google has proposed APIs that allow the automatic verification of the SMS messages without the intervention of the users themselves. They reduce the risks of user error, but they also have vulnerabilities. One of these APIs is the SMS Retriever API for Android devices. This article presents a method to study the vulnerabilities of these OTP exchange APIs in a given sector. The most popular API in the sector is selected, and different scenarios of interaction between mobile apps and SMS OTP servers are posed to determine which implementations are vulnerable. The proposed methodology, applied here to the banking sector, is nevertheless simple enough to be applied to any other sector, or to other SMS OTP APIs. One of its advantages is that it proposes a method for detecting bad implementations on the server side, based on analyses of the apps, which boosts reusability and replicability, while offering a guide to developers to prevent errors that cause vulnerabilities. Our study focuses on Spain’s banking sector, in which the SMS Retriever API is the most popular. The results suggest that there are vulnerable implementations which would allow cybercriminals to steal the users SMS OTP codes. This suggests that a revision of the equilibrium between ease of use and security would apply in order to maintain the high level of security which has traditionally characterized this sector.

show abstract

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

customersupport@researchsolutions.com

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Amador Aparicio

Vulnerabilities of the SMS Retriever API for the Automatic Verification of SMS OTP Codes in the Banking Sector

Métrica basada en grupos de permisos para entender el impacto de las aplicaciones Android sobre la privacidad

App-based detection of vulnerable implementations of OTP SMS APIs in the banking sector

Contact Info

Product

Resources

About