Academics claim Google Android two-factor authentication is breakable

Computer security researchers warn security shortcomings in Android/Playstore undermine the security offered by all SMS-based two-factor authentication (2FA). The issue - first reported to Google more than a year ago - revolves around an alleged security weakness rather than a straightforward software vulnerability. The …

  1. frank ly

    Details?

    "... a Man-in-the-Browser attack can be elevated to intercept One-Time Passwords sent to the mobile phone ..."

    I'd have thought that the One-Time Password sent to the mobile phone could not be intercepted by a man in the browser, but that the password could be monitored when it is typed into the browser to gain 'authorisation' from the website that you're trying to connect to for full services.

    As such, if you, the user, then gain authorisation to access services from that browser session, surely nobody else could use the one-time password for another browser session on a different computer from a different IP address? Isn't that the point of a one-time password?

    As was mentioned, if you do have a 'bad guy' sitting in your browser with capability to monitor and inject data, then it's game over no matter what security you have in place for browser session authentication.

  2. Anonymous Coward
    Holmes

    No shit

    Insecure system is insecure, even when you add half-assed 2FA. (1/2FA?)

    1. Planty Bronze badge
      FAIL

      Re: No shit

      Nothing in here actually shows 2FA failing. The only fail here is this security report (and the rush to post it without fact checking)

      Go turn on 2FA on your Google account, then go to a new pc (or open that forgotten about Internet Explorer icon), visit the play store and log in with your Google account.. Guess what it asks you to do... Yep, 2FA...

      So what this report from these "experts" is saying, if someone has access to someone's password and phone, you can log on via a browser and complete 2FA and push apps to the phone... What they fail to consider is if you have someone's password and phone, you can visit the play store and install apps already!!!!

  3. Warm Braw

    Some people seem to think that if your web browser is compromised, it is game over

    That's because it is!

    2FA simply adds reassurance that an authorised party has validated a transaction. If your browser is compromised you cannot know whether the details of the transaction you see on screen are in fact the details of the transaction that will be executed, so all 2FA does at that point is to give artistic verisimilitude to an otherwise bald and unconvincing narrative.

    1. sans
      Devil

      Re: Some people seem to think that if your web browser is compromised, it is game over

      > That's because it is!

      Not entirely true.

      Say your bank uses sms-based 2FA. Without owning the phone, the only thing attackers can do is *modify* the transaction (assuming the user does not notice the modified transaction details on his phone). They cannot initiate arbitrary transactions at arbitrary times. With the BAndroid vulnerability, Google just removed that obstacle. Attackers can initiate any transaction at any time.

  4. Anonymous Coward

    So, watching the video, the steps are...

    1. Break into my house

    2. Hack into my laptop (unless they also know how to bypass 2FA before this app is installed)

    3. Hack into my gmail account

    4. Do your stuff and send the malicious app to my phone

    5. Hope that I see a totally unexpected auto install appear and open the app

    6. Intercept the 2FA between me and my bank (good luck as it uses my debit card and a card reader)

    7. Retire to a Caribbean island on all the money (a weekend in Blackpool would be the limit with my bank balance)

    Would just be easier to break in, steal my TV/laptop/games console.. you'd have more cash!

    Whilst this is technically feasible, the first 3 steps make it very difficult.

    1. Anonymous Coward

      Based on more than one of my users . . .

      1) Can't be bothered . . . .

      2) Find laptop left on chair, in coffee shop, etc. (maybe steal from front seat of car if highly motivated)

      3) Read password taped to keyboard

      4) Enjoy!!

      Anonymous for obvious reasons.

      Tell me again, why can't IT publicly flog aberrant users?

    2. Dan 55 Silver badge

      1. 99.99999%* of gmail users browse the web while logged in. Hopefully you'll not fall foul of an XSS attack or malware.

      2. Android apps can autorun.

      * FACT.

    3. Anonymous Coward

      No, they don't need to do all that

      All they have to do is p0wn your Android browser, which merely requires a remote exploit against that browser which can be triggered when you visit a site carrying that exploit. Typically such exploits would be delivered via an ad network, so you wouldn't need to be tricked into visiting a shady site, just have bad timing to visit a normal site at the wrong time before the bad ad network payload is discovered.

      Such exploits are found from time to time, so that would be the time for the bad guys to strike - having hacked one or more ad networks and waiting silently for the right exploit to come along. Even if you personally aren't affected since you aren't using SMS for 2FA, a lot of people will be potential victims.

  5. John 104

    Hm

    Seems pretty fringe to me. No wonder it's 'won't fix'

  6. David Nash Silver badge

    iOS too

    Article and quotes from paper say Android and Apple are equally vulnerable.

    Yet the headline makes it sound like this is a Google-specific problem.

    1. Anonymous Coward

      Re: iOS too

      The iOS attack is limited to cases where you have an iPhone and a Mac, and are using continuity to replicate your SMS messages from your phone to your Mac. The Android attack does not require anything more than use of an Android phone.

      But I'm surprised el Reg wrote this article as an Android only problem since usually the reverse is the case and things that impact both are written about as primarily an iOS issue. Maybe they've reached their weekly quota of Apple clickbait articles already, being that this is a Friday, but were still short one on Android.

  7. Andrew Jones 2

    So confusing - first - SMS 2FA is usually a backup method - the primary method is using an app to generate the OTP codes. Second - the only way to push and install an app from a browser to an Android phone (with no user intervention) is via the Play Store which does show a notification on the device that 1) it is downloading and 2) it has been installed. Is it man-in-the-middle or is it SMS interception? Next -

    "6. What can Google do to fix this?

    That is easy: move the app installation process (where the user is prompted to accept the app's permissions) to the mobile device instead of handling it in the browser." (from the linked website) - well there we go then, that's exactly what they did in Marshmallow. Sure it might not be on a huge amount of devices, but there is no feasible way Google could have moved the permissions dialog to the mobile device - though it is worth noting that

    "In our version of this attack, we assumed the "allow installation from untrusted sources" option to be enabled: we did not publish the repackaged PayPal app in the Play Store due to legal issues. We also expect that repackaged apps are more likely to be picked up by Bouncer." - well you do get asked to accept permissions when you sideload apps - and it is not possible (nor has it been all the way back to at least Android 2.2) for any app to press the install button in an automated way (which causes problems for users that use apps that use screen overlays - like Twilight)

    The important question though - is this actually available in the wild, has anyone ever been infected by this type of malware?

    1. sans

      > So confusing - first - SMS 2FA is usually a backup method -

      Eh, you'd be surprised. Many banks use simple sms-based 2FA for their transactions. Some governments (e.g., in the Netherlands) even use it for the 2FA protection of all interaction with their citizens. For instance, when you file your taxes. Some companies (including Google) do use it as a backup, but do you think that matters to attackers?

      > the only way to push and install an app from a browser to an Android phone (with no user intervention) is via the Play Store which does show a notification on the device that 1) it is downloading and 2) it has been installed.

      The notification is there, but do you watch this in the middle of the night? Do you think most users even check the notifications much? Moreover, they show that it is very difficult to even find the app. It has 3 different names and none of the names you find corresponds to the one in the notifications. Click on the notification and you are toast. I think this would be a pretty tough nut to crack for most users.

      > "In our version of this attack, we assumed the "allow installation from untrusted sources" option to be enabled

      They also say that they loaded malicious (or rather vulnerable apps) in Play Store. So that would be pretty stealthy.

  8. Anonymous Coward

    Since I don't have a phone, I use the Google Authenticator HOTP app on my tablet.

    But if the WiFi is always off on my tablet, doesn't this become a moot exploit?
