{"id":"https://openalex.org/W4408358415","doi":"https://doi.org/10.1109/tmc.2025.3550883","title":"Identifying Implementation Flaws of SMS OTP Authentication","display_name":"Identifying Implementation Flaws of SMS OTP Authentication","publication_year":2025,"publication_date":"2025-03-12","ids":{"openalex":"https://openalex.org/W4408358415","doi":"https://doi.org/10.1109/tmc.2025.3550883"},"language":"en","primary_location":{"id":"doi:10.1109/tmc.2025.3550883","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tmc.2025.3550883","pdf_url":null,"source":{"id":"https://openalex.org/S69141925","display_name":"IEEE Transactions on Mobile Computing","issn_l":"1536-1233","issn":["1536-1233","1558-0660","2161-9875"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320439","host_organization_name":"IEEE Computer Society","host_organization_lineage":["https://openalex.org/P4310320439","https://openalex.org/P4310319808"],"host_organization_lineage_names":["IEEE Computer Society","Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Mobile Computing","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":null,"display_name":"Jiayu Zhao","orcid":"https://orcid.org/0009-0004-3968-9906"},"institutions":[{"id":"https://openalex.org/I4210108629","display_name":"Computer Network Information Center","ror":"https://ror.org/01s0wyf50","country_code":"CN","type":"facility","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210108629"]},{"id":"https://openalex.org/I4210165038","display_name":"University of Chinese Academy of Sciences","ror":"https://ror.org/05qbk4x57","country_code":"CN","type":"education","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210165038"]}],"countries":["CN"],"is_corresponding":true,"raw_author_name":"Jiayu Zhao","raw_affiliation_strings":["National Computer Network Intrusion Protection Center, University of Chinese Academy of Sciences, Beijing, China"],"affiliations":[{"raw_affiliation_string":"National Computer Network Intrusion Protection Center, University of Chinese Academy of Sciences, Beijing, China","institution_ids":["https://openalex.org/I4210108629","https://openalex.org/I4210165038"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5027256309","display_name":"Fannv He","orcid":null},"institutions":[{"id":"https://openalex.org/I4210108629","display_name":"Computer Network Information Center","ror":"https://ror.org/01s0wyf50","country_code":"CN","type":"facility","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210108629"]},{"id":"https://openalex.org/I4210165038","display_name":"University of Chinese Academy of Sciences","ror":"https://ror.org/05qbk4x57","country_code":"CN","type":"education","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210165038"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Fannv He","raw_affiliation_strings":["National Computer Network Intrusion Protection Center, University of Chinese Academy of Sciences, Beijing, China"],"affiliations":[{"raw_affiliation_string":"National Computer Network Intrusion Protection Center, University of Chinese Academy of Sciences, Beijing, China","institution_ids":["https://openalex.org/I4210108629","https://openalex.org/I4210165038"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5048531636","display_name":"Yiyu Yang","orcid":null},"institutions":[{"id":"https://openalex.org/I4210108629","display_name":"Computer Network Information Center","ror":"https://ror.org/01s0wyf50","country_code":"CN","type":"facility","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210108629"]},{"id":"https://openalex.org/I4210165038","display_name":"University of Chinese Academy of Sciences","ror":"https://ror.org/05qbk4x57","country_code":"CN","type":"education","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210165038"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Yiyu Yang","raw_affiliation_strings":["National Computer Network Intrusion Protection Center, University of Chinese Academy of Sciences, Beijing, China"],"affiliations":[{"raw_affiliation_string":"National Computer Network Intrusion Protection Center, University of Chinese Academy of Sciences, Beijing, China","institution_ids":["https://openalex.org/I4210108629","https://openalex.org/I4210165038"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5100401884","display_name":"Yuqing Zhang","orcid":"https://orcid.org/0000-0001-8306-7195"},"institutions":[{"id":"https://openalex.org/I4210108629","display_name":"Computer Network Information Center","ror":"https://ror.org/01s0wyf50","country_code":"CN","type":"facility","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210108629"]},{"id":"https://openalex.org/I4210165038","display_name":"University of Chinese Academy of Sciences","ror":"https://ror.org/05qbk4x57","country_code":"CN","type":"education","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210165038"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Yuqing Zhang","raw_affiliation_strings":["National Computer Network Intrusion Protection Center, University of Chinese Academy of Sciences, Beijing, China"],"affiliations":[{"raw_affiliation_string":"National Computer Network Intrusion Protection Center, University of Chinese Academy of Sciences, Beijing, China","institution_ids":["https://openalex.org/I4210108629","https://openalex.org/I4210165038"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":4,"corresponding_author_ids":[],"corresponding_institution_ids":["https://openalex.org/I4210108629","https://openalex.org/I4210165038"],"apc_list":null,"apc_paid":null,"fwci":2.092,"has_fulltext":false,"cited_by_count":3,"citation_normalized_percentile":{"value":0.86254634,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":96,"max":97},"biblio":{"volume":"24","issue":"9","first_page":"7899","last_page":"7913"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10651","display_name":"IPv6, Mobility, Handover, Networks, Security","score":0.9753999710083008,"subfield":{"id":"https://openalex.org/subfields/2208","display_name":"Electrical and Electronic Engineering"},"field":{"id":"https://openalex.org/fields/22","display_name":"Engineering"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10651","display_name":"IPv6, Mobility, Handover, Networks, Security","score":0.9753999710083008,"subfield":{"id":"https://openalex.org/subfields/2208","display_name":"Electrical and Electronic Engineering"},"field":{"id":"https://openalex.org/fields/22","display_name":"Engineering"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11644","display_name":"Spam and Phishing Detection","score":0.9354000091552734,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11045","display_name":"Privacy, Security, and Data Protection","score":0.9064000248908997,"subfield":{"id":"https://openalex.org/subfields/3312","display_name":"Sociology and Political Science"},"field":{"id":"https://openalex.org/fields/33","display_name":"Social Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7674285173416138},{"id":"https://openalex.org/keywords/authentication","display_name":"Authentication (law)","score":0.6194202303886414},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.5433656573295593},{"id":"https://openalex.org/keywords/mobile-device","display_name":"Mobile device","score":0.42426174879074097},{"id":"https://openalex.org/keywords/message-authentication-code","display_name":"Message authentication code","score":0.41632241010665894},{"id":"https://openalex.org/keywords/computer-network","display_name":"Computer network","score":0.37865251302719116},{"id":"https://openalex.org/keywords/cryptography","display_name":"Cryptography","score":0.3364996910095215},{"id":"https://openalex.org/keywords/world-wide-web","display_name":"World Wide Web","score":0.2744104266166687}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7674285173416138},{"id":"https://openalex.org/C148417208","wikidata":"https://www.wikidata.org/wiki/Q4825882","display_name":"Authentication (law)","level":2,"score":0.6194202303886414},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5433656573295593},{"id":"https://openalex.org/C186967261","wikidata":"https://www.wikidata.org/wiki/Q5082128","display_name":"Mobile device","level":2,"score":0.42426174879074097},{"id":"https://openalex.org/C141492731","wikidata":"https://www.wikidata.org/wiki/Q1052621","display_name":"Message authentication code","level":3,"score":0.41632241010665894},{"id":"https://openalex.org/C31258907","wikidata":"https://www.wikidata.org/wiki/Q1301371","display_name":"Computer network","level":1,"score":0.37865251302719116},{"id":"https://openalex.org/C178489894","wikidata":"https://www.wikidata.org/wiki/Q8789","display_name":"Cryptography","level":2,"score":0.3364996910095215},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.2744104266166687}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/tmc.2025.3550883","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tmc.2025.3550883","pdf_url":null,"source":{"id":"https://openalex.org/S69141925","display_name":"IEEE Transactions on Mobile Computing","issn_l":"1536-1233","issn":["1536-1233","1558-0660","2161-9875"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320439","host_organization_name":"IEEE Computer Society","host_organization_lineage":["https://openalex.org/P4310320439","https://openalex.org/P4310319808"],"host_organization_lineage_names":["IEEE Computer Society","Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Mobile Computing","raw_type":"journal-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G2011081604","display_name":null,"funder_award_id":"U1836210","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G6174095249","display_name":null,"funder_award_id":"2023QY1202","funder_id":"https://openalex.org/F4320335777","funder_display_name":"National Key Research and Development Program of China"},{"id":"https://openalex.org/G8108987154","display_name":null,"funder_award_id":"2023YFB3106400","funder_id":"https://openalex.org/F4320335777","funder_display_name":"National Key Research and Development Program of China"}],"funders":[{"id":"https://openalex.org/F4320321001","display_name":"National Natural Science Foundation of China","ror":"https://ror.org/01h0zpd94"},{"id":"https://openalex.org/F4320335777","display_name":"National Key Research and Development Program of China","ror":null}],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":19,"referenced_works":["https://openalex.org/W1582716752","https://openalex.org/W2054535568","https://openalex.org/W2054989590","https://openalex.org/W2218971720","https://openalex.org/W2559870021","https://openalex.org/W2659233977","https://openalex.org/W2772333951","https://openalex.org/W2791018263","https://openalex.org/W2989724224","https://openalex.org/W2991334710","https://openalex.org/W3155102819","https://openalex.org/W3160885800","https://openalex.org/W3170696348","https://openalex.org/W3201725844","https://openalex.org/W4287849796","https://openalex.org/W4309375085","https://openalex.org/W4385819871","https://openalex.org/W6791397964","https://openalex.org/W6862012583"],"related_works":["https://openalex.org/W2166668397","https://openalex.org/W2116285675","https://openalex.org/W1533309011","https://openalex.org/W3048245612","https://openalex.org/W1980599209","https://openalex.org/W1555715488","https://openalex.org/W1991172351","https://openalex.org/W1510656496","https://openalex.org/W2061637199","https://openalex.org/W2997078490"],"abstract_inverted_index":{"Currently,":[0],"the":[1,28,51,69,72,77,112,122,130,172],"Short":[2],"Message":[3],"Service":[4],"(SMS)":[5],"One-Time":[6],"Passwords":[7],"(OTP)":[8],"authentication":[9,31,54,75,178],"is":[10,88],"widely":[11],"adopted":[12],"in":[13,27,76,135,175,183],"mobile":[14],"applications.":[15],"However,":[16],"due":[17],"to":[18,67,83,90,117,164],"improper":[19],"implementation":[20,100],"by":[21,133,189],"developers,":[22],"significant":[23],"security":[24,70,158,173],"flaws":[25,101,159],"exist":[26],"SMS":[29,52,73,176],"OTP":[30,53,74,177],"mechanisms":[32],"of":[33,71,121,179],"some":[34],"apps.":[35],"To":[36],"provide":[37],"a":[38,45,140],"comprehensive":[39],"and":[40,124,147,186],"accurate":[41],"assessment,":[42],"we":[43,49,63,106],"propose":[44],"new":[46],"approach.":[47],"First,":[48],"locate":[50],"page":[55],"through":[56],"UI":[57],"exploration.":[58],"Then,":[59],"using":[60],"hooking":[61],"technology,":[62],"conduct":[64],"simulated":[65],"attacks":[66],"verify":[68],"app,":[78],"focusing":[79],"on":[80,111,150],"its":[81],"susceptibility":[82],"brute-force":[84],"attacks.":[85],"This":[86],"approach":[87],"applicable":[89],"apps":[91,156],"with":[92,157],"app-side":[93],"or":[94],"UI-layer":[95],"protection":[96],"measures,":[97],"uncovering":[98],"hidden":[99],"beneath":[102],"these":[103],"protections.":[104],"Technically,":[105],"employ":[107],"dynamic":[108],"analysis":[109],"based":[110],"ART":[113],"virtual":[114],"machine":[115],"instrumentation":[116],"obtain":[118],"runtime":[119],"information":[120],"app":[123],"generate":[125],"vulnerability":[126,184],"verification":[127],"scripts,":[128],"overcoming":[129],"challenges":[131],"posed":[132],"code-packing":[134],"program":[136],"analysis.":[137],"We":[138],"implemented":[139],"semi-automatic":[141],"tool":[142],"named":[143],"<italic":[144],"xmlns:mml=\"http://www.w3.org/1998/Math/MathML\"":[145],"xmlns:xlink=\"http://www.w3.org/1999/xlink\">AuthChecker</i>":[146],"tested":[148],"it":[149],"950":[151],"popular":[152],"apps,":[153,180],"identifying":[154],"87":[155],"that":[160],"potentially":[161],"allow":[162],"attackers":[163],"achieve":[165],"unauthorized":[166],"account":[167],"access.":[168],"Our":[169],"findings":[170],"highlight":[171],"issues":[174],"promoting":[181],"improvements":[182],"patching":[185],"preventive":[187],"strategies":[188],"developers.":[190]},"counts_by_year":[{"year":2025,"cited_by_count":3}],"updated_date":"2026-04-09T08:11:56.329763","created_date":"2025-10-10T00:00:00"}