Academics claim Google Android two-factor authentication is breakable

Play store issues impact SMS verification, they allege

By John Leyden


Computer security researchers warn that security shortcomings in Android and the Play Store undermine the protection offered by all SMS-based two-factor authentication (2FA).

The issue - first reported to Google more than a year ago - revolves around an alleged security weakness rather than a straightforward software vulnerability. The BAndroid vulnerability was presented at the Android Security Symposium in Vienna last September by Victor van der Veen of Vrije Universiteit, Amsterdam. In the BAndroid microsite (featuring a video and FAQ), the Dutch researchers explain the cause and scope of the alleged vulnerability.

If attackers have control over the browser on the PC of a user using Google services (like Gmail, Google+, etc.), they can push any app with any permission on any of the user's Android devices, and activate it - allowing one to bypass 2-factor authentication via the phone. Moreover, the installation can be stealthy (without any icon appearing on the screen). For short, we refer to the vulnerability as the BAndroid (Browser-to-Android) vulnerability and to attacks that abuse it as BAndroid attacks.
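The weakness described above turns on an app with SMS permissions being pushed to the phone through the user's Google account, without the user ever touching the handset. A defender's first check is therefore a simple inventory: which third-party apps on the device can read or receive SMS, and who installed them. The script below is an added example written for this article, not code from The Register or from the BAndroid researchers. It assumes `adb` is on the PATH with an authorized device, and that `pm list packages -3 -i` and `dumpsys package <pkg>` print in the shape shown in the comments (the exact layout varies across Android versions, so the parsers are deliberately loose and are exercised against constructed sample text rather than a live device).

```python
import re
import subprocess

# Permissions that let an app read or intercept incoming SMS, and therefore SMS OTPs.
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
PLAY_STORE = "com.android.vending"


def parse_package_list(text):
    """Parse `pm list packages -3 -i` output into {package: installer}.

    Assumed line shape (recent AOSP `pm` output):
        package:com.example.app  installer=com.android.vending
    A missing or 'null' installer is recorded as None (typically a sideload).
    """
    packages = {}
    for line in text.splitlines():
        m = re.match(r"package:(\S+)(?:\s+installer=(\S+))?", line.strip())
        if m:
            installer = m.group(2)
            packages[m.group(1)] = None if installer in (None, "null") else installer
    return packages


def granted_permissions(dumpsys_text):
    """Collect permissions reported as granted=true in `dumpsys package <pkg>` output.

    Matches both the install-time and runtime permission sections, e.g.
        android.permission.RECEIVE_SMS: granted=true
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
    """
    granted = set()
    for line in dumpsys_text.splitlines():
        m = re.match(r"([\w.]+):\s+granted=true\b", line.strip())
        if m:
            granted.add(m.group(1))
    return granted


def find_sms_capable_apps(package_list_text, dumpsys_by_package):
    """Return [(package, installer, sorted granted SMS permissions)] for third-party apps that can read SMS."""
    findings = []
    for pkg, installer in parse_package_list(package_list_text).items():
        perms = granted_permissions(dumpsys_by_package.get(pkg, ""))
        sms = sorted(perms & SMS_PERMISSIONS)
        if sms:
            findings.append((pkg, installer, sms))
    return findings


def adb(*args):
    """Run one adb command and return its stdout (needs adb on PATH and an authorized device)."""
    return subprocess.run(["adb", *args], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Live audit: list third-party packages, dump each one, and report SMS-capable apps.
    listing = adb("shell", "pm", "list", "packages", "-3", "-i")
    dumps = {pkg: adb("shell", "dumpsys", "package", pkg) for pkg in parse_package_list(listing)}
    for pkg, installer, perms in find_sms_capable_apps(listing, dumps):
        origin = "installed via Play Store" if installer == PLAY_STORE else f"installer={installer}"
        print(f"{pkg} ({origin}) holds {', '.join(perms)} -- confirm this install was intended")
```

An app that appears here which the user does not remember installing, and which came from the Play Store, is exactly the artefact a BAndroid-style push would leave behind. The script does not check whether the app has a launcher icon, so a stealthy install with no icon is reported just like any other; the permission grant, not the icon, is what matters for OTP interception.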

A paper about the issue was published at the Financial Crypto conference back in February. A research paper looking at the wider issues of phone-based 2FA, How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication, can be found here (PDF). In the paper, the researchers argue that Apple's Continuity feature, which brings iOS and Mac OS X devices closer together, is equally dangerous.

In the paper, the Dutch researchers, Radhesh Krishnan Konoth and Victor van der Veen, argue that the “process of integrating apps among multiple platforms essentially removes the gap between them”, which is important for security.

The ongoing integration and desire for increased usability results in violation of key principles for mobile phone 2FA. As a result, we identify a new class of vulnerabilities dubbed 2FA synchronization vulnerabilities. To support our findings, we present practical attacks against Android and iOS that illustrate how a Man-in-the-Browser attack can be elevated to intercept One-Time Passwords sent to the mobile phone and thus bypass the chain of 2FA mechanisms as used by many financial services.

Herbert Bos, professor of systems and security at Vrije Universiteit Amsterdam, who co-authored the mobile security paper with the two PhD students, stated that the researchers responsibly disclosed the security vulnerability to Google more than a year ago but claims that the tech giant “still refuses to fix it”.

“Some people seem to think that if your web browser is compromised, it is game over anyway,” Bos told El Reg. “But really, this is why we have 2FA to begin with.”

“Security problem in Android/Play store kills the security offered by all SMS-based two factor authentication (as used by many banks, governments, and, interestingly, Google itself). Google does not want to fix it (it is part of the design), but really, it should,” he added.

Google has yet to respond to repeated requests for comment on the issue from El Reg’s security desk. We’ll update this story as and when we hear more. ®
