Computer security researchers warn that security shortcomings in Android and the Google Play store undermine the protection offered by all SMS-based two-factor authentication (2FA).
The issue - first reported to Google more than a year ago - revolves around an alleged design weakness rather than a straightforward software vulnerability. The BAndroid vulnerability was presented at the Android Security Symposium in Vienna last September by Victor van der Veen of Vrije Universiteit, Amsterdam. On the BAndroid microsite (featuring a video and FAQ), the Dutch researchers explain the cause and scope of the alleged vulnerability.
If attackers have control over the browser on the PC of a user using Google services (like Gmail, Google+, etc.), they can push any app with any permission on any of the user's Android devices, and activate it - allowing one to bypass 2-factor authentication via the phone. Moreover, the installation can be stealthy (without any icon appearing on the screen). For short, we refer to the vulnerability as the BAndroid (Browser-to-Android) vulnerability and to attacks that abuse it as BAndroid attacks.
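The researchers' description above gives a defender one concrete thing to look for on a handset: an app that holds an SMS-reading permission yet exposes no launcher activity, which is exactly the shape of a stealthily installed OTP interceptor. The script below is an added example, not code from the BAndroid researchers or from Google. It parses the text that `aapt dump badging <apk>` prints for each APK (the assumed workflow is `adb shell pm list packages -f` followed by `adb pull` of each listed APK), and the three badging dumps embedded in it are constructed for illustration rather than taken from a real device.

```python
"""Triage helper for the BAndroid scenario: flag installed APKs that can
read SMS but have no launcher icon.

Added example, not the researchers' code. Input is the output of
`aapt dump badging <apk>`; SAMPLE_BADGINGS below is constructed sample
data in that format (assumption: the 'package:', 'uses-permission:' and
'launchable-activity:' line shapes shown here).
"""
import re

# Permissions that let an app read one-time passwords delivered over SMS.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}

_PKG_RE = re.compile(r"^package: name='([^']+)'", re.M)
_PERM_RE = re.compile(r"^uses-permission: name='([^']+)'", re.M)
_LAUNCH_RE = re.compile(r"^launchable-activity: name='([^']+)'", re.M)


def parse_badging(text):
    """Return (package name, set of requested permissions, launchable activities)."""
    m = _PKG_RE.search(text)
    if not m:
        raise ValueError("no 'package:' line; not aapt badging output")
    return m.group(1), set(_PERM_RE.findall(text)), _LAUNCH_RE.findall(text)


def suspicious(badging_text):
    """True when the app requests an SMS-reading permission and has no launcher activity."""
    _pkg, perms, launchable = parse_badging(badging_text)
    return bool(perms & SMS_PERMISSIONS) and not launchable


def triage(badgings):
    """Map package name -> sorted SMS permissions for every APK that looks stealthy and SMS-capable."""
    findings = {}
    for text in badgings:
        pkg, perms, launchable = parse_badging(text)
        sms = sorted(perms & SMS_PERMISSIONS)
        if sms and not launchable:
            findings[pkg] = sms
    return findings


# Constructed sample dumps (not real apps):
#  [0] a messaging app: reads SMS but has a launcher icon -> not flagged
#  [1] a hidden app: reads SMS, no launcher activity        -> flagged
#  [2] a keyboard: no launcher icon but no SMS permission    -> not flagged
SAMPLE_BADGINGS = [
    "\n".join([
        "package: name='com.example.messenger' versionCode='12' versionName='1.2'",
        "sdkVersion:'21'",
        "uses-permission: name='android.permission.RECEIVE_SMS'",
        "uses-permission: name='android.permission.INTERNET'",
        "application-label:'Messenger'",
        "launchable-activity: name='com.example.messenger.MainActivity'  label='Messenger' icon=''",
    ]),
    "\n".join([
        "package: name='com.example.hidden' versionCode='1' versionName='1.0'",
        "sdkVersion:'21'",
        "uses-permission: name='android.permission.RECEIVE_SMS'",
        "uses-permission: name='android.permission.INTERNET'",
        "application-label:'System Helper'",
    ]),
    "\n".join([
        "package: name='com.example.keyboard' versionCode='3' versionName='0.3'",
        "sdkVersion:'21'",
        "uses-permission: name='android.permission.VIBRATE'",
        "application-label:'Keyboard'",
    ]),
]

if __name__ == "__main__":
    for pkg, perms in triage(SAMPLE_BADGINGS).items():
        print(f"{pkg}: SMS-capable with no launcher icon ({', '.join(perms)})")
```

Treat a hit as a lead for manual review, not proof of compromise: input methods, plugins and widget-only apps legitimately have no launcher icon, and a malicious app can just as easily ship one. The check only narrows the search on a handset; it does nothing about the root cause the researchers describe, which is that a browser session logged into the Google account can push the app in the first place.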
A paper about the issue was published at the Financial Crypto conference back in February. The research paper, which looks at the wider issues of phone-based 2FA, is titled How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication and can be found here (PDF). In it, the researchers argue that Apple's Continuity feature, which brings iOS and Mac OS X devices closer together, is equally dangerous.
In the paper, the Dutch researchers, Radhesh Krishnan Konoth and Victor van der Veen, argue that the “process of integrating apps among multiple platforms essentially removes the gap between them”, which is important for security.
The ongoing integration and desire for increased usability results in violation of key principles for mobile phone 2FA. As a result, we identify a new class of vulnerabilities dubbed 2FA synchronization vulnerabilities. To support our findings, we present practical attacks against Android and iOS that illustrate how a Man-in-the-Browser attack can be elevated to intercept One-Time Passwords sent to the mobile phone and thus bypass the chain of 2FA mechanisms as used by many financial services.
Herbert Bos, professor of systems and security at Vrije Universiteit Amsterdam, who co-authored the mobile security paper with the two PhD students, stated that the researchers responsibly disclosed the security vulnerability to Google more than a year ago but claims that the tech giant “still refuses to fix it”.
“Some people seem to think that if your web browser is compromised, it is game over anyway,” Bos told El Reg. “But really, this is why we have 2FA to begin with.”
“Security problem in Android/Play store kills the security offered by all SMS-based two factor authentication (as used by many banks, governments, and, interestingly, Google itself). Google does not want to fix it (it is part of the design), but really, it should,” he added.
Google has yet to respond to repeated requests for comment on the issue from El Reg’s security desk. We’ll update this story as and when we hear more. ®