{"id":"https://openalex.org/W2991334710","doi":"https://doi.org/10.1145/3359789.3359828","title":"An empirical study of SMS one-time password authentication in Android apps","display_name":"An empirical study of SMS one-time password authentication in Android apps","publication_year":2019,"publication_date":"2019-11-22","ids":{"openalex":"https://openalex.org/W2991334710","doi":"https://doi.org/10.1145/3359789.3359828","mag":"2991334710"},"language":"en","primary_location":{"id":"doi:10.1145/3359789.3359828","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3359789.3359828","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 35th Annual Computer Security Applications Conference","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://ink.library.smu.edu.sg/cgi/viewcontent.cgi?article=5631&context=sis_research","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5016972157","display_name":"Siqi Ma","orcid":"https://orcid.org/0000-0003-3479-5713"},"institutions":[{"id":"https://openalex.org/I1292875679","display_name":"Commonwealth Scientific and Industrial Research Organisation","ror":"https://ror.org/03qn8fb07","country_code":"AU","type":"funder","lineage":["https://openalex.org/I1292875679","https://openalex.org/I2801453606","https://openalex.org/I4387156119"]}],"countries":["AU"],"is_corresponding":true,"raw_author_name":"Siqi Ma","raw_affiliation_strings":["CSIRO"],"affiliations":[{"raw_affiliation_string":"CSIRO","institution_ids":["https://openalex.org/I1292875679"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5009089268","display_name":"Runhan Feng","orcid":null},"institutions":[{"id":"https://openalex.org/I183067930","display_name":"Shanghai Jiao Tong University","ror":"https://ror.org/0220qvk04","country_code":"CN","type":"education","lineage":["https://openalex.org/I183067930"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Runhan Feng","raw_affiliation_strings":["Shanghai Jiao Tong University"],"affiliations":[{"raw_affiliation_string":"Shanghai Jiao Tong University","institution_ids":["https://openalex.org/I183067930"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5020082816","display_name":"Juanru Li","orcid":"https://orcid.org/0000-0002-7978-595X"},"institutions":[{"id":"https://openalex.org/I183067930","display_name":"Shanghai Jiao Tong University","ror":"https://ror.org/0220qvk04","country_code":"CN","type":"education","lineage":["https://openalex.org/I183067930"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Juanru Li","raw_affiliation_strings":["Shanghai Jiao Tong University"],"affiliations":[{"raw_affiliation_string":"Shanghai Jiao Tong University","institution_ids":["https://openalex.org/I183067930"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100355950","display_name":"Yang Liu","orcid":"https://orcid.org/0000-0002-6276-1468"},"institutions":[{"id":"https://openalex.org/I149594827","display_name":"Xidian University","ror":"https://ror.org/05s92vm98","country_code":"CN","type":"education","lineage":["https://openalex.org/I149594827"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Yang Liu","raw_affiliation_strings":["Xidian University"],"affiliations":[{"raw_affiliation_string":"Xidian University","institution_ids":["https://openalex.org/I149594827"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5082256444","display_name":"\u202aSurya Nepal\u202c","orcid":"https://orcid.org/0000-0002-3289-6599"},"institutions":[{"id":"https://openalex.org/I1292875679","display_name":"Commonwealth Scientific and Industrial Research Organisation","ror":"https://ror.org/03qn8fb07","country_code":"AU","type":"funder","lineage":["https://openalex.org/I1292875679","https://openalex.org/I2801453606","https://openalex.org/I4387156119"]}],"countries":["AU"],"is_corresponding":false,"raw_author_name":"Surya Nepal","raw_affiliation_strings":["Ostry, CSIRO"],"affiliations":[{"raw_affiliation_string":"Ostry, CSIRO","institution_ids":["https://openalex.org/I1292875679"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5097418361","display_name":"Diethelm","orcid":null},"institutions":[{"id":"https://openalex.org/I1292875679","display_name":"Commonwealth Scientific and Industrial Research Organisation","ror":"https://ror.org/03qn8fb07","country_code":"AU","type":"funder","lineage":["https://openalex.org/I1292875679","https://openalex.org/I2801453606","https://openalex.org/I4387156119"]}],"countries":["AU"],"is_corresponding":false,"raw_author_name":"Diethelm","raw_affiliation_strings":["Ostry, CSIRO"],"affiliations":[{"raw_affiliation_string":"Ostry, CSIRO","institution_ids":["https://openalex.org/I1292875679"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5061694501","display_name":"Elisa Bertino","orcid":"https://orcid.org/0000-0002-4029-7051"},"institutions":[{"id":"https://openalex.org/I219193219","display_name":"Purdue University West Lafayette","ror":"https://ror.org/02dqehb95","country_code":"US","type":"education","lineage":["https://openalex.org/I219193219"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Elisa Bertino","raw_affiliation_strings":["Purdue University"],"affiliations":[{"raw_affiliation_string":"Purdue University","institution_ids":["https://openalex.org/I219193219"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5001712801","display_name":"Robert H. Deng","orcid":"https://orcid.org/0000-0003-3491-8146"},"institutions":[{"id":"https://openalex.org/I79891267","display_name":"Singapore Management University","ror":"https://ror.org/050qmg959","country_code":"SG","type":"education","lineage":["https://openalex.org/I79891267"]}],"countries":["SG"],"is_corresponding":false,"raw_author_name":"Robert H. Deng","raw_affiliation_strings":["Singapore Management University"],"affiliations":[{"raw_affiliation_string":"Singapore Management University","institution_ids":["https://openalex.org/I79891267"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5015787649","display_name":"Zhuo Ma","orcid":"https://orcid.org/0000-0001-6023-2864"},"institutions":[{"id":"https://openalex.org/I149594827","display_name":"Xidian University","ror":"https://ror.org/05s92vm98","country_code":"CN","type":"education","lineage":["https://openalex.org/I149594827"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Zhuo Ma","raw_affiliation_strings":["Xidian University"],"affiliations":[{"raw_affiliation_string":"Xidian University","institution_ids":["https://openalex.org/I149594827"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5015261020","display_name":"Sanjay Jha","orcid":"https://orcid.org/0000-0002-1844-1520"},"institutions":[{"id":"https://openalex.org/I31746571","display_name":"UNSW Sydney","ror":"https://ror.org/03r8z3t63","country_code":"AU","type":"education","lineage":["https://openalex.org/I31746571"]}],"countries":["AU"],"is_corresponding":false,"raw_author_name":"Sanjay Jha","raw_affiliation_strings":["University of New South Wales"],"affiliations":[{"raw_affiliation_string":"University of New South Wales","institution_ids":["https://openalex.org/I31746571"]}]}],"institutions":[],"countries_distinct_count":4,"institutions_distinct_count":10,"corresponding_author_ids":["https://openalex.org/A5016972157"],"corresponding_institution_ids":["https://openalex.org/I1292875679"],"apc_list":null,"apc_paid":null,"fwci":7.0452,"has_fulltext":false,"cited_by_count":44,"citation_normalized_percentile":{"value":0.97091898,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":96,"max":99},"biblio":{"volume":null,"issue":null,"first_page":"339","last_page":"354"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11800","display_name":"User Authentication and Security Systems","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11800","display_name":"User Authentication and Security Systems","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9995999932289124,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11045","display_name":"Privacy, Security, and Data Protection","score":0.9933000206947327,"subfield":{"id":"https://openalex.org/subfields/3312","display_name":"Sociology and Political Science"},"field":{"id":"https://openalex.org/fields/33","display_name":"Social Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/android","display_name":"Android (operating system)","score":0.8445767164230347},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.786726713180542},{"id":"https://openalex.org/keywords/password","display_name":"Password","score":0.7727400064468384},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.6274499893188477},{"id":"https://openalex.org/keywords/implementation","display_name":"Implementation","score":0.5669391751289368},{"id":"https://openalex.org/keywords/email-authentication","display_name":"Email authentication","score":0.506939709186554},{"id":"https://openalex.org/keywords/authentication-protocol","display_name":"Authentication protocol","score":0.47989189624786377},{"id":"https://openalex.org/keywords/authentication","display_name":"Authentication (law)","score":0.4651642143726349},{"id":"https://openalex.org/keywords/short-message-service","display_name":"Short Message Service","score":0.45343273878097534},{"id":"https://openalex.org/keywords/password-policy","display_name":"Password policy","score":0.4239051342010498},{"id":"https://openalex.org/keywords/multi-factor-authentication","display_name":"Multi-factor authentication","score":0.3147488832473755},{"id":"https://openalex.org/keywords/one-time-password","display_name":"One-time password","score":0.27696698904037476},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.26100611686706543}],"concepts":[{"id":"https://openalex.org/C557433098","wikidata":"https://www.wikidata.org/wiki/Q94","display_name":"Android (operating system)","level":2,"score":0.8445767164230347},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.786726713180542},{"id":"https://openalex.org/C109297577","wikidata":"https://www.wikidata.org/wiki/Q161157","display_name":"Password","level":2,"score":0.7727400064468384},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.6274499893188477},{"id":"https://openalex.org/C26713055","wikidata":"https://www.wikidata.org/wiki/Q245962","display_name":"Implementation","level":2,"score":0.5669391751289368},{"id":"https://openalex.org/C550791530","wikidata":"https://www.wikidata.org/wiki/Q5368811","display_name":"Email authentication","level":5,"score":0.506939709186554},{"id":"https://openalex.org/C21564112","wikidata":"https://www.wikidata.org/wiki/Q4825885","display_name":"Authentication protocol","level":3,"score":0.47989189624786377},{"id":"https://openalex.org/C148417208","wikidata":"https://www.wikidata.org/wiki/Q4825882","display_name":"Authentication (law)","level":2,"score":0.4651642143726349},{"id":"https://openalex.org/C74558129","wikidata":"https://www.wikidata.org/wiki/Q43024","display_name":"Short Message Service","level":2,"score":0.45343273878097534},{"id":"https://openalex.org/C98705547","wikidata":"https://www.wikidata.org/wiki/Q3394687","display_name":"Password policy","level":4,"score":0.4239051342010498},{"id":"https://openalex.org/C194699767","wikidata":"https://www.wikidata.org/wiki/Q7878662","display_name":"Multi-factor authentication","level":4,"score":0.3147488832473755},{"id":"https://openalex.org/C89479133","wikidata":"https://www.wikidata.org/wiki/Q1137840","display_name":"One-time password","level":3,"score":0.27696698904037476},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.26100611686706543},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.0}],"mesh":[],"locations_count":3,"locations":[{"id":"doi:10.1145/3359789.3359828","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3359789.3359828","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 35th Annual Computer Security Applications Conference","raw_type":"proceedings-article"},{"id":"pmh:oai:ink.library.smu.edu.sg:sis_research-5631","is_oa":true,"landing_page_url":"https://ink.library.smu.edu.sg/cgi/viewcontent.cgi?article=5631&context=sis_research","pdf_url":null,"source":{"id":"https://openalex.org/S4377196871","display_name":"Institutional Knowledge (InK) - Institutional Knowledge at Singapore Management University (Singapore Management University)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I79891267","host_organization_name":"Singapore Management University","host_organization_lineage":["https://openalex.org/I79891267"],"host_organization_lineage_names":[],"type":"repository"},"license":"other-oa","license_id":"https://openalex.org/licenses/other-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"https://doi.org/10.1145/3359789.3359828","raw_type":"Conference Proceeding Article"},{"id":"pmh:oai:espace.library.uq.edu.au:UQ:d45651a","is_oa":false,"landing_page_url":null,"pdf_url":null,"source":{"id":"https://openalex.org/S4306402388","display_name":"Queensland's institutional digital repository (The University of Queensland)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I165143802","host_organization_name":"The University of Queensland","host_organization_lineage":["https://openalex.org/I165143802"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"","raw_type":"Conference Paper"}],"best_oa_location":{"id":"pmh:oai:ink.library.smu.edu.sg:sis_research-5631","is_oa":true,"landing_page_url":"https://ink.library.smu.edu.sg/cgi/viewcontent.cgi?article=5631&context=sis_research","pdf_url":null,"source":{"id":"https://openalex.org/S4377196871","display_name":"Institutional Knowledge (InK) - Institutional Knowledge at Singapore Management University (Singapore Management University)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I79891267","host_organization_name":"Singapore Management University","host_organization_lineage":["https://openalex.org/I79891267"],"host_organization_lineage_names":[],"type":"repository"},"license":"other-oa","license_id":"https://openalex.org/licenses/other-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"https://doi.org/10.1145/3359789.3359828","raw_type":"Conference Proceeding Article"},"sustainable_development_goals":[{"score":0.6399999856948853,"display_name":"Peace, Justice and strong institutions","id":"https://metadata.un.org/sdg/16"}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":45,"referenced_works":["https://openalex.org/W190551272","https://openalex.org/W417364168","https://openalex.org/W1526676231","https://openalex.org/W1574901103","https://openalex.org/W1607915502","https://openalex.org/W1659144702","https://openalex.org/W1766693108","https://openalex.org/W1802854948","https://openalex.org/W1974001800","https://openalex.org/W1976878954","https://openalex.org/W2006664424","https://openalex.org/W2019380907","https://openalex.org/W2020936921","https://openalex.org/W2030112111","https://openalex.org/W2045812729","https://openalex.org/W2054989590","https://openalex.org/W2055455107","https://openalex.org/W2059378890","https://openalex.org/W2067364868","https://openalex.org/W2090206103","https://openalex.org/W2100033648","https://openalex.org/W2104608169","https://openalex.org/W2112578244","https://openalex.org/W2113446256","https://openalex.org/W2123382811","https://openalex.org/W2134809980","https://openalex.org/W2138392687","https://openalex.org/W2148009765","https://openalex.org/W2161573379","https://openalex.org/W2218971720","https://openalex.org/W2254700249","https://openalex.org/W2400329213","https://openalex.org/W2511008193","https://openalex.org/W2604900212","https://openalex.org/W2614579390","https://openalex.org/W2733075145","https://openalex.org/W2736124458","https://openalex.org/W2756930187","https://openalex.org/W2772333951","https://openalex.org/W2791541601","https://openalex.org/W2792587054","https://openalex.org/W2810355991","https://openalex.org/W2947279053","https://openalex.org/W2950577311","https://openalex.org/W4212851301"],"related_works":["https://openalex.org/W2393298610","https://openalex.org/W2941888532","https://openalex.org/W4253316174","https://openalex.org/W2911390896","https://openalex.org/W2093798919","https://openalex.org/W2183793056","https://openalex.org/W3011316886","https://openalex.org/W3022695109","https://openalex.org/W2390304521","https://openalex.org/W128488073"],"abstract_inverted_index":{"A":[0],"great":[1],"quantity":[2],"of":[3,13,20,74,100,133,172,199,208,216,220,228],"user":[4,14],"passwords":[5],"nowadays":[6],"has":[7],"been":[8],"leaked":[9],"through":[10],"security":[11,19,244],"breaches":[12],"accounts.":[15],"To":[16,68],"enhance":[17],"the":[18,21,42,106,147,153,170,181,214,221],"Password":[22,37,62],"Authentication":[23],"Protocol":[24],"(PAP)":[25],"in":[26,81],"such":[27],"circumstance,":[28],"Android":[29,82,143,193,236],"app":[30,237],"developers":[31,238],"often":[32],"implement":[33,109,117,251],"a":[34,54,71,98,126,211],"complementary":[35],"One-Time":[36,61],"(OTP)":[38],"authentication":[39,79,113,129],"by":[40],"utilizing":[41],"short":[43],"message":[44],"service":[45,56],"(SMS).":[46],"Unfortunately,":[47],"SMS":[48,60,77,111,163,202,252],"is":[49,63,166],"not":[50],"specially":[51],"designed":[52],"as":[53,105,249],"secure":[55,110],"and":[57,150,179,195,246],"thus":[58],"an":[59,90,118],"vulnerable":[64],"to":[65,108,123,145,168,175,250],"many":[66],"attacks.":[67],"check":[69,124],"whether":[70,125],"wide":[72],"variety":[73],"currently":[75],"used":[76],"OTP":[78,112,128,154,203,253],"protocols":[80],"apps":[83,144,194,223],"are":[84],"properly":[85],"implemented,":[86],"this":[87],"paper":[88],"presents":[89],"empirical":[91,187],"study":[92],"against":[93],"them.":[94],"We":[95],"first":[96],"derive":[97],"set":[99],"rules":[101,178,245],"from":[102],"RFC":[103],"documents":[104],"guide":[107],"protocol.":[114],"Then":[115],"we":[116],"automated":[119],"analysis":[120,207],"system,":[121],"AUTH-EYE,":[122],"real-world":[127],"scheme":[130],"violates":[131],"any":[132],"these":[134],"rules.":[135,231],"Without":[136],"accessing":[137],"server":[138],"source":[139],"code,":[140],"AUTH-EYE":[141,165,189,209],"executes":[142],"trigger":[146],"OTP-relevant":[148],"functionalities":[149],"then":[151],"analyzes":[152],"implementations":[155,174,215],"including":[156],"those":[157,173],"proprietary":[158],"ones.":[159],"By":[160],"only":[161],"analyzing":[162],"responses,":[164],"able":[167],"assess":[169],"conformance":[171],"our":[176,186,229,242],"recommended":[177],"identify":[180],"potentially":[182],"insecure":[183],"apps.":[184],"In":[185],"study,":[188],"analyzed":[190],"3,303":[191],"popular":[192],"found":[196],"that":[197,235],"544":[198,222],"them":[200],"adopt":[201],"authentication.":[204],"The":[205,232],"further":[206],"demonstrated":[210],"far-from-optimistic":[212],"status:":[213],"536":[217],"(98.5%)":[218],"out":[219],"violate":[224],"at":[225],"least":[226],"one":[227],"defined":[230],"results":[233],"indicate":[234],"should":[239],"seriously":[240],"consider":[241],"discussed":[243],"violations":[247],"so":[248],"properly.":[254]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":8},{"year":2024,"cited_by_count":10},{"year":2023,"cited_by_count":5},{"year":2022,"cited_by_count":8},{"year":2021,"cited_by_count":9},{"year":2020,"cited_by_count":3}],"updated_date":"2026-04-05T17:49:38.594831","created_date":"2025-10-10T00:00:00"}