Many Android mobile applications (e.g., WhatsApp, Telegram), when used for the first time on a device, "authenticate" users by sending them a secret code in an SMS message.
The same mechanism is used to let users log back in to their accounts if they change device or reinstall the app (as long as they are still using a SIM card with the original phone number).
I assume this mechanism is used to allow a "user-friendly" password-less authentication.
I was wondering to what extent this mechanism can be considered "secure".
In particular, a malicious app installed on the victim's device can easily:
- communicate with the app's backend asking to log in to a previously created account
- receive the authentication SMS and read its content
- use the received code to (silently) log in to the victim's account
Is there any way to defend against this kind of attack?
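Android's SMS Retriever API is the platform-level answer to the SMS-reading vector described above: the OTP message ends with an 11-character hash derived from the receiving app's package name and signing certificate, and the OS delivers it only to the app whose hash matches, so the app needs no SMS read permission and other apps never see the message (it does not help against SIM swaps). The following is an added example, not code from the original post: it recomputes that hash with the algorithm Google publishes and simulates the routing decision; the package names and certificate bytes are constructed placeholders.

```python
import base64
import hashlib

NUM_HASHED_BYTES = 9    # first 9 bytes of SHA-256 encode to 12 Base64 chars
NUM_BASE64_CHARS = 11   # of which the first 11 form the app hash


def sms_retriever_app_hash(package_name: str, signing_cert_der: bytes) -> str:
    """SHA-256 over "<package name> <lowercase hex of DER signing cert>",
    truncated to 9 bytes, Base64 (standard alphabet, no padding), first 11 chars.
    This is the value the app embeds at the end of its OTP SMS."""
    app_info = f"{package_name} {signing_cert_der.hex()}"
    digest = hashlib.sha256(app_info.encode("utf-8")).digest()[:NUM_HASHED_BYTES]
    return base64.b64encode(digest).decode("ascii")[:NUM_BASE64_CHARS]


def sms_matches_app(message: str, app_hash: str) -> bool:
    """Illustrative platform-side check: a message qualifies for an app only if it
    fits in 140 bytes and ends with that app's hash."""
    body = message.strip()
    return len(body.encode("utf-8")) <= 140 and body.endswith(app_hash)


def route_sms(message: str, installed_apps: dict) -> list:
    """Return the apps (package names) that would receive this OTP message.
    installed_apps maps package name -> DER signing certificate bytes."""
    return [
        pkg for pkg, cert in installed_apps.items()
        if sms_matches_app(message, sms_retriever_app_hash(pkg, cert))
    ]


# Constructed sample data: two apps, each with its own (fake) signing certificate.
LEGIT_APP = "com.example.chat"
LEGIT_CERT = b"\x30\x82\x01\x22constructed-legit-cert-der-bytes"
MALICIOUS_APP = "com.example.evil"
MALICIOUS_CERT = b"\x30\x82\x01\x22constructed-evil-cert-der-bytes"
INSTALLED = {LEGIT_APP: LEGIT_CERT, MALICIOUS_APP: MALICIOUS_CERT}


def build_otp_sms(code: str, package_name: str, cert: bytes) -> str:
    """Message shape expected by the API: text, the code, and the app hash last."""
    return f"<#> Your verification code is {code}\n{sms_retriever_app_hash(package_name, cert)}"


if __name__ == "__main__":
    sms = build_otp_sms("482913", LEGIT_APP, LEGIT_CERT)
    print(sms)
    print("delivered to:", route_sms(sms, INSTALLED))
```

The hash binds the message to the package name and the signing key together, so a repackaged or differently signed app computes a different value and the message is not routed to it.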