New research shows most apps used for mobile authentication have serious vulnerabilities, even if hardware security is used.
Digitization is driving demand for strong digital identities. A recent McKinsey survey1 reports that the Covid-19 crisis had greatly accelerated the pace of digitization worldwide. Most respondents have disclosed that at least 80 percent of their user or client interactions were now digital in nature, compared to just 58% just before the pandemic. Unfortunately, this has also resulted in a growing number of cyberattacks across all types of organizations, mostly in the form of ransomware attacks and the hijacking of online and financial accounts.
This in turn has pushed the growth of the multi-factor authentication market which has been valued by ResearchAndMarkets.com at USD 10.64 billion in 2020 (and is expected to reach USD 28.34 billion by 20262). For banking, financial services or e-government apps, this means adopting some kind of 2FA (two-factor authentication). Typically this would mean an SMS-based OTP (one time password) or a code generated by hardware token or a mobile authenticator app.
Unfortunately, SMS OTPs have been proven to be insecure, being vulnerable to interception and phishing attacks. Hardware tokens are expensive to deploy, not user-friendly and require regular replacement. Mobile authenticators are seen as the safest and most convenient option, with many keeping the cryptographic keys used to generate OTP codes protected by specialized hardware built into phones (called the Trusted Execution Environment or TEE).
However, “Safest” doesn’t necessarily mean “perfect” and new research into a previously overlooked design flaw reinforces this all too well.
Most distressingly, if the authenticator itself cannot be trusted, then it opens the digital service to manipulation by malware or reverse-engineered by bad actors, potentially leading to account takeovers, data leakage, fraud or worse.
Singapore-based V-Key, a software-based digital security company that developed the world’s first Virtual Secure Element, recently released a white paper demonstrating how most mobile authentication apps can, in fact, be breached by malware. This is regardless of any hard-ware based protection provided by a phone.
Most authentication apps use cryptographic keys to generate the codes used for user identification. These apps can be likened to a treasure chest which only these keys can open. If these keys are stolen, a hacker’s “loot” is the ability to authenticate transactions or sign documents on a user’s behalf. This is why most authentication apps try to make use of the safest storage available for these keys.
For many developers this means a mobile phone’s Trusted Execution Environment. In Android phones this is known as the StrongBox Keystore. In Apple, this is the iOS Secure Enclave (which has a companion software called Keychain that stores encrypted data such as passwords).
“Unfortunately, there’s a general flaw in their architectural design which hackers can exploit,” says V-Key CTO Er Chiang Kai. “We’ve discovered that malware can be used to get to a target’s authenticator keys, enabling the hacker to make unauthorized transactions or sign bogus documents. This is especially true for jailbroken phones, rooted devices, or models susceptible to what’s known as a ‘privilege escalation vulnerability’. We call this design flaw the ‘Trust Gap’.”
How does this work exactly? Imagine someone using a mobile authentication app to generate OTPs for 2FA or sign digital documents. One day they see an interesting mobile game or crypto currency advisory app. They decide to download, install and try it out.
What the user doesn’t know is that this gaming or crypto advisory app is actually malware that exploits a privilege escalation vulnerability targeting their mobile authentication app. “Privilege escalation” is the act of exploiting a bug, a design flaw, or a configuration oversight in an operating system, or software application to gain access to resources (such as keys) that are normally protected from other apps or users. The result is that the malware gets more privileges than intended — and therefore gets access to confidential data, as well as the ability to perform unauthorized actions.
Normally people don’t give a second thought to the possibility of someone hacking their authenticator, as they’re confident that they can trust the ability of the Android Keystore or iOS Secure Enclave to protect cryptographic keys. However, as they play their new game or calculate the profit on their latest crypto bet, a bad actor could already be stealing their keys, or more accurately, their authenticator’s key which is known as an “OTP seed”.
An OTP seed is the secret sauce of many OTP tokens. This cryptographic asset (along with a counter or the time) is fed into the authenticator’s OTP algorithm in order to produce an OTP code. Using this OTP seed, the hacker can now generate OTPs that are identical to those generated by the target’s authenticator. In other words, the hacker now practically owns a user’s digital identity.
This is an insidious and sophisticated attack as the targeted authentication app doesn’t even need to be running or be tampered with to be compromised. When asked about this vulnerability both Google and Apple responded that they were ultimately not responsible for what users do on or to their phones. Apple, in particular, noted that this issue primarily affects jailbroken iPhones, which as far as they were concerned, went beyond the scope of permitted use. This position is essentially similar to the one that gun manufacturers have taken when dealing with gun-related deaths .
The scenario above focuses on OTP seeds. Some authenticators rely on other types of cryptographic assets such as Public Key Infrastructure keys (PKI). Unfortunately, these can also be cloned or stolen in similar ways. V-Key’s White Paper provides further details on how hackers can do this.
In the rush to grow and acquire as many customers as possible, developers of corporate and e-government apps have effectively overlooked this major security flaw due to misplaced trust. But if SMS OTPs and even mobile authentication apps can be compromised, and the device and OS layers can be of little help, where does this leave the average user? What’s the best way to bridge this gap in trust?
According to V-Key’s Er, ultimately the best solution is to provide a means to identify each end point in the system — whether they be apps, servers, or even individual IoT devices. A secure element bound to every app, such as V-Key’s App Identity solution, can serve as proof of an app’s identity and integrity without the need for any external authenticators, and without compromising the user experience.
As the digital world expands at an ever more rapid pace, this ability to enable identity and trust becomes critical. After all, it takes just one compromised mobile authentication app to infiltrate a corporate or government digital service and possibly bring down an entire system. The losses from which are not limited to just financial penalties and civil liabilities but also to brand and reputational damage, which is sometimes impossible to recover from.