Anywhere computing makes 2FA insecure on iOS and Android
Fri 8 Apr 2016
Academics from the VU University Amsterdam have identified a new class of vulnerabilities in two-factor authentication, which is commonly used to protect transactions involving financial and private information. The vulnerabilities leave users of both Android and Apple mobile devices open to the theft of personal information by hackers.
In their paper, ‘How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication’, researchers from the Netherlands describe the vulnerabilities inherent in syncing apps between devices. Anywhere computing, the process of integrating apps across multiple platforms, is generally considered to be a good thing. Maintaining information from one device to another eliminates the need for a user to constantly re-enter information, promoting convenience and saving time. However, in a paper published at February’s Financial Crypto conference, researchers claim that integration across multiple platforms essentially removes the gap between those platforms, and it is that gap that is required to make two-factor authentication secure. Without a gap between devices, a common hack called the Man-in-the-Browser attack can be elevated to intercept the one-time password generated for two-factor authentication, thereby rendering two-factor authentication useless.
The researchers created reliable attacks against both Android and iOS, specifically through Google Play’s remote app installation feature and Apple’s OS X Continuity feature. On Android, they used the remote-install feature of Google Play to put an app onto the user’s mobile device, which was then used to intercept SMS messages, bypassing two-factor authentication. Similarly, on the iOS platform, the team found that publishing a rogue app in Apple’s App Store allowed them to install it on the user’s device from an infected PC using the iTunes remote-install feature.
The paper groups the new class of vulnerabilities under the heading 2FA synchronization vulnerabilities. This is meant to separate the specific vulnerabilities associated with syncing devices from other software and hardware insecurities. While cross-platform integration does increase the usability of apps, making it increasingly popular with users, synchronization itself leaves the user open to hacking that renders two-factor authentication useless and leaves their personal and financial information open to attack. As security measures are improved, and are extended to cover the increasing use of mobile devices and synchronization, they must take into account the inherent vulnerabilities that synchronization has introduced.