Academics claim Google Android two-factor authentication is breakable

Play store issues impact SMS verification, they allege

By John Leyden

Posted in Security, 8th April 2016 11:35 GMT

Computer security researchers warn that security shortcomings in Android/Play store undermine the security offered by all SMS-based two-factor authentication (2FA).

The issue - first reported to Google more than a year ago - revolves around an alleged security weakness rather than a straightforward software vulnerability. The BAndroid vulnerability was presented at the Android Security Symposium in Vienna last September by Victor van der Veen of Vrije Universiteit, Amsterdam. In the BAndroid microsite (featuring a video and FAQ), the Dutch researchers explain the cause and scope of the alleged vulnerability.

If attackers have control over the browser on the PC of a user using Google services (like Gmail, Google+, etc.), they can push any app with any permission on any of the user's Android devices, and activate it - allowing one to bypass 2-factor authentication via the phone. Moreover, the installation can be stealthy (without any icon appearing on the screen). For short, we refer to the vulnerability as the BAndroid (Browser-to-Android) vulnerability and to attacks that abuse it as BAndroid attacks.

A paper about the issue was published at the Financial Crypto conference back in February. A research paper looking at the wider issues of phone-based 2FA, "How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication", can be found here (PDF). In the paper, the researchers argue that Apple's Continuity feature that brings iOS and Mac OS X devices closer together is equally dangerous.

In the paper, the Dutch researchers, Radhesh Krishnan Konoth and Victor van der Veen, argue that the “process of integrating apps among multiple platforms essentially removes the gap between them”, a gap that is important for security.

The ongoing integration and desire for increased usability results in violation of key principles for mobile phone 2FA. As a result, we identify a new class of vulnerabilities dubbed 2FA synchronization vulnerabilities. To support our findings, we present practical attacks against Android and iOS that illustrate how a Man-in-the-Browser attack can be elevated to intercept One-Time Passwords sent to the mobile phone and thus bypass the chain of 2FA mechanisms as used by many financial services.

Herbert Bos, professor of systems and security at Vrije Universiteit Amsterdam, who co-authored the mobile security paper with the two PhD students, stated that the researchers responsibly disclosed the security vulnerability to Google more than a year ago but claimed that the tech giant “still refuses to fix it”.

“Some people seem to think that if your web browser is compromised, it is game over anyway,” Bos told El Reg. “But really, this is why we have 2FA to begin with.”

“Security problem in Android/Play store kills the security offered by all SMS-based two factor authentication (as used by many banks, governments, and, interestingly, Google itself). Google does not want to fix it (it is part of the design), but really, it should,” he added.

Google has yet to respond to repeated requests for comment on the issue from El Reg’s security desk. We’ll update this story as and when we hear more. ®
