{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,20]],"date-time":"2026-04-20T10:44:09Z","timestamp":1776681849156,"version":"3.51.2"},"reference-count":29,"publisher":"Springer Science and Business Media LLC","issue":"7","license":[{"start":{"date-parts":[[2023,7,22]],"date-time":"2023-07-22T00:00:00Z","timestamp":1689984000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2023,7,22]],"date-time":"2023-07-22T00:00:00Z","timestamp":1689984000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100007515","name":"Universidad de Valladolid","doi-asserted-by":"crossref","id":[{"id":"10.13039\/501100007515","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Wireless Netw"],"published-print":{"date-parts":[[2024,10]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Two Factor Authentication (2FA) using One Time Password (OTP) codes via SMS messages is widely used. In order to improve user experience, Google has proposed APIs that allow the automatic verification of the SMS messages without the intervention of the users themselves. They reduce the risks of user error, but they also have vulnerabilities. One of these APIs is the SMS Retriever API for Android devices. This article presents a method to study the vulnerabilities of these OTP exchange APIs in a given sector. The most popular API in the sector is selected, and different scenarios of interaction between mobile apps and SMS OTP servers are posed to determine which implementations are vulnerable. The proposed methodology, applied here to the banking sector, is nevertheless simple enough to be applied to any other sector, or to other SMS OTP APIs. 
One of its advantages is that it proposes a method for detecting bad implementations on the server side, based on analyses of the apps, which boosts reusability and replicability, while offering a guide to developers to prevent errors that cause vulnerabilities. Our study focuses on Spain\u2019s banking sector, in which the SMS Retriever API is the most popular. The results suggest that there are vulnerable implementations which would allow cybercriminals to steal the users\u2019 SMS OTP codes. This suggests that a revision of the equilibrium between ease of use and security is warranted in order to maintain the high level of security which has traditionally characterized this sector.<\/jats:p>","DOI":"10.1007\/s11276-023-03455-w","type":"journal-article","created":{"date-parts":[[2023,7,22]],"date-time":"2023-07-22T10:01:34Z","timestamp":1690020094000},"page":"6451-6464","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":10,"title":["App-based detection of vulnerable implementations of OTP SMS APIs in the banking sector"],"prefix":"10.1007","volume":"30","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-2546-9246","authenticated-orcid":false,"given":"Amador","family":"Aparicio","sequence":"first","affiliation":[]},{"given":"M. Mercedes","family":"Mart\u00ednez-Gonz\u00e1lez","sequence":"additional","affiliation":[]},{"given":"Valent\u00edn","family":"Carde\u00f1oso-Payo","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2023,7,22]]},"reference":[{"key":"#cr-split#-3455_CR1.1","unstructured":"Authority, E.\u00a0B. (2015). 
Directive"},{"key":"#cr-split#-3455_CR1.2","unstructured":"(EU) 2015\/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002\/65\/EC, 2009\/110\/EC and 2013\/36\/EU and Regulation"},{"key":"#cr-split#-3455_CR1.3","unstructured":"(EU) No 1093\/2010, and repealing Directive 2007\/64\/EC (Text with EEA relevance) (2015). https:\/\/eur-lex.europa.eu\/eli\/dir\/2015\/2366\/oj"},{"key":"3455_CR2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.24212","author":"Z Lei","year":"2021","unstructured":"Lei, Z., Nan, Y., Fratantonio, Y., Bianchi, A., & Talos, C. (2021). On the insecurity of SMS one-time password messages against local attackers in modern mobile devices. Network and Distributed System Security Symposium. https:\/\/doi.org\/10.14722\/ndss.2021.24212","journal-title":"Network and Distributed System Security Symposium"},{"key":"3455_CR3","doi-asserted-by":"publisher","unstructured":"Zhou, Y., Hu, L., & Chu, J. (2017). An enhanced SMS-based OTP scheme. In Proceedings of the 2017 2nd international conference on automation, mechanical control and computational engineering (AMCCE 2017), pp. 1091\u2013 1094. Atlantis Press, (2017\/03). https:\/\/doi.org\/10.2991\/amcce-17.2017.196","DOI":"10.2991\/amcce-17.2017.196"},{"key":"3455_CR4","doi-asserted-by":"publisher","unstructured":"Aloul, F., Zahidi, S., & El-Hajj, W. (2009). Two factor authentication using mobile phones. In 2009 IEEE\/ACS international conference on computer systems and applications, pp. 641\u2013 644. https:\/\/doi.org\/10.1109\/AICCSA.2009.5069395","DOI":"10.1109\/AICCSA.2009.5069395"},{"key":"3455_CR5","doi-asserted-by":"publisher","unstructured":"Eldefrawy, M.\u00a0H., Alghathbar, K., & Khan, M.\u00a0K. (2011). Otp-based two-factor authentication using mobile phones. In 2011 eighth international conference on information technology: new generations, pp. 327\u2013 331. 
https:\/\/doi.org\/10.1109\/ITNG.2011.64","DOI":"10.1109\/ITNG.2011.64"},{"key":"3455_CR6","unstructured":"Developers, G. Automatic SMS Verification with the SMS Retriever API. https:\/\/developers.google.com\/identity\/sms-retriever\/overview"},{"key":"3455_CR7","unstructured":"Developers, G. One-tap SMS verification with the SMS User Consent API. SMS Verification APIs. https:\/\/developers.google.com\/identity\/sms-retriever\/user-consent\/overview"},{"key":"3455_CR8","doi-asserted-by":"publisher","DOI":"10.1145\/3448609","author":"R Mayrhofer","year":"2021","unstructured":"Mayrhofer, R., Stoep, J. V., Brubaker, C., & Kralevich, N. (2021). The android platform security model. ACM Transactions on Privacy Security. https:\/\/doi.org\/10.1145\/3448609","journal-title":"ACM Transactions on Privacy Security"},{"key":"3455_CR9","doi-asserted-by":"publisher","unstructured":"Bojjagani, S., & Sastry, V.\u00a0N. (2017). Vaptai: A threat model for vulnerability assessment and penetration testing of android and IOS mobile banking apps. In 2017 IEEE 3rd international conference on collaboration and internet computing (CIC), pp. 77\u2013 86 ( 2017). https:\/\/doi.org\/10.1109\/CIC.2017.00022","DOI":"10.1109\/CIC.2017.00022"},{"issue":"1","key":"3455_CR10","doi-asserted-by":"publisher","first-page":"1","DOI":"10.3390\/jcp3010001","volume":"3","author":"MA Kazi","year":"2023","unstructured":"Kazi, M. A., Woodhead, S., & Gan, D. (2023). An investigation to detect banking malware network communication traffic using machine learning techniques. Journal of Cybersecurity and Privacy, 3(1), 1\u201323. https:\/\/doi.org\/10.3390\/jcp3010001","journal-title":"Journal of Cybersecurity and Privacy"},{"key":"3455_CR11","doi-asserted-by":"publisher","first-page":"525","DOI":"10.1016\/j.future.2019.02.045","volume":"96","author":"A Zimba","year":"2019","unstructured":"Zimba, A., Chen, H., & Wang, Z. (2019). Bayesian network based weighted apt attack paths modeling in cloud computing. 
Future Generation Computer Systems, 96, 525\u2013537. https:\/\/doi.org\/10.1016\/j.future.2019.02.045","journal-title":"Future Generation Computer Systems"},{"key":"3455_CR12","doi-asserted-by":"publisher","unstructured":"Ma, S., Feng, R., Li, J., Liu, Y., Nepal, S., Diethelm, Bertino, E., Deng, R.H., Ma, Z., & Jha, S. (2019). An empirical study of SMS one-time password authentication in android apps. In Proceedings of the 35th annual computer security applications conference. ACSAC \u201919, pp. 339\u2013 354. Association for Computing Machinery. https:\/\/doi.org\/10.1145\/3359789.3359828","DOI":"10.1145\/3359789.3359828"},{"key":"3455_CR13","doi-asserted-by":"publisher","unstructured":"Aparicio, A., Mart\u00ednez, M.\u00a0M., & Carde\u00f1oso, V. (2023). Vulnerabilities of the SMS retriever API for the automatic verification of SMS OTP codes in the banking sector. In Proceedings of the international conference on ubiquitous computing & ambient intelligence (UCAmI 2022), pp. 983\u2013 994. Springer. https:\/\/doi.org\/10.1007\/978-3-031-21333-5_99","DOI":"10.1007\/978-3-031-21333-5_99"},{"key":"3455_CR14","unstructured":"Developers, A. Manifest.permission. https:\/\/developer.android.com\/reference\/android\/Manifest.permission"},{"issue":"4","key":"3455_CR15","doi-asserted-by":"publisher","first-page":"2537","DOI":"10.1007\/s11276-019-01984-x","volume":"26","author":"K Muthumanickam","year":"2020","unstructured":"Muthumanickam, K., & Senthil Mahesh, P. (2020). A collaborative policy-based security scheme to enforce resource access controlling mechanism. Wireless Networks, 26(4), 2537\u20132547. https:\/\/doi.org\/10.1007\/s11276-019-01984-x","journal-title":"Wireless Networks"},{"key":"3455_CR16","doi-asserted-by":"publisher","unstructured":"Li, Z., & Feng, G. (2020). Inter-language static analysis for android application security. In 2020 IEEE 3rd international conference on information systems and computer aided education (ICISCAE), pp. 647\u2013 650. 
https:\/\/doi.org\/10.1109\/ICISCAE51034.2020.9236807 . IEEE","DOI":"10.1109\/ICISCAE51034.2020.9236807"},{"key":"3455_CR17","doi-asserted-by":"publisher","unstructured":"Dmitrienko, A., Liebchen, C., Rossow, C., & Sadeghi, A.-R. (2014). On the (in) security of mobile two-factor authentication. In Financial cryptography and data security: 18th international conference, FC 2014, Christ Church, Barbados, March 3-7, 2014, Revised Selected Papers 18, pp. 365\u2013 383. https:\/\/doi.org\/10.1007\/978-3-662-45472-5_24 . Springer","DOI":"10.1007\/978-3-662-45472-5_24"},{"key":"3455_CR18","doi-asserted-by":"publisher","unstructured":"Peeters, C., Patton, C., Munyaka, I.N., Olszewski, D., Shrimpton, T., & Traynor, P. (2022). SMS OTP security (SOS) hardening SMS-based two factor authentication. In Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security, pp. 2\u2013 16. https:\/\/doi.org\/10.1145\/3488932.3497756","DOI":"10.1145\/3488932.3497756"},{"key":"3455_CR19","unstructured":"Varghese, A., & Mathews, D. (2014) Securing SMS-based approach for two factor authentication. International Journal of Research in Computer and Communication Technology, 3(3)"},{"key":"3455_CR20","doi-asserted-by":"publisher","unstructured":"Zhou, Y., Hu, L., & CHu, J. (2017). An enhanced sms-based otp scheme. In 2017 2nd international conference on automation, mechanical control and computational engineering (AMCCE 2017), pp. 1091\u2013 1094. https:\/\/doi.org\/10.2991\/amcce-17.2017.196 . Atlantis Press","DOI":"10.2991\/amcce-17.2017.196"},{"key":"3455_CR21","doi-asserted-by":"publisher","DOI":"10.1088\/1742-6596\/1783\/1\/012041","volume":"1783","author":"DE Kurniawan","year":"2021","unstructured":"Kurniawan, D. E., Iqbal, M., Friadi, J., Hidayat, F., & Permatasari, R. D. (2021). Login security using one time password (OTP) application with encryption algorithm performance. Journal of Physics Conference Series, 1783, 012041. 
https:\/\/doi.org\/10.1088\/1742-6596\/1783\/1\/012041","journal-title":"Journal of Physics Conference Series"},{"issue":"10","key":"3455_CR22","first-page":"6192","volume":"2","author":"A Shesashaayee","year":"2014","unstructured":"Shesashaayee, A., & Sumathy, D. (2014). Otp encryption techniques in mobiles for authentication and transaction security. International Journal of Innovative Research in Computer and Communication Engineering, 2(10), 6192\u20136201.","journal-title":"International Journal of Innovative Research in Computer and Communication Engineering"},{"issue":"15","key":"3455_CR23","doi-asserted-by":"publisher","first-page":"3302","DOI":"10.1002\/dac.3302","volume":"30","author":"S Bojjagani","year":"2017","unstructured":"Bojjagani, S., & Sastry, V. (2017). A secure end-to-end SMS-based mobile banking protocol. International Journal of Communication Systems, 30(15), 3302. https:\/\/doi.org\/10.1002\/dac.3302","journal-title":"International Journal of Communication Systems"},{"key":"3455_CR24","doi-asserted-by":"publisher","first-page":"955","DOI":"10.1007\/s11276-018-1841-x","volume":"26","author":"H Luo","year":"2020","unstructured":"Luo, H., Wen, G., & Su, J. (2020). Lightweight three factor scheme for real-time data access in wireless sensor networks. Wireless Networks, 26, 955\u2013970. https:\/\/doi.org\/10.1007\/s11276-018-1841-x","journal-title":"Wireless Networks"},{"key":"3455_CR25","doi-asserted-by":"publisher","DOI":"10.1007\/s11276-021-02831-8","author":"J Chen","year":"2021","unstructured":"Chen, J., Guo, L., Shi, Y., Shi, Y., & Ruan, Y. (2021). An edge computing oriented unified cryptographic key management service for financial context. Wireless Networks. https:\/\/doi.org\/10.1007\/s11276-021-02831-8","journal-title":"Wireless Networks"},{"key":"3455_CR26","doi-asserted-by":"publisher","unstructured":"Gosavi, S., & Shyam, G.\u00a0K. (2020). A novel approach of OTP generation using time-based OTP and randomization techniques. 
In Data Science and Security: Proceedings of IDSCS 2020 (pp. 159-167). Springer Singapore. https:\/\/doi.org\/10.1007\/978-981-15-5309-7_16","DOI":"10.1007\/978-981-15-5309-7_16"},{"key":"3455_CR27","doi-asserted-by":"publisher","unstructured":"Aloul, F.A., Zahidi, S., & El-Hajj, W. (2009). Two factor authentication using mobile phones. In 2009 IEEE\/ACS international conference on computer systems and applications, pp. 641\u2013644. https:\/\/doi.org\/10.1109\/AICCSA.2009.5069395","DOI":"10.1109\/AICCSA.2009.5069395"}],"container-title":["Wireless Networks"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s11276-023-03455-w.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s11276-023-03455-w\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s11276-023-03455-w.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,11,8]],"date-time":"2024-11-08T05:08:46Z","timestamp":1731042526000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s11276-023-03455-w"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,7,22]]},"references-count":29,"journal-issue":{"issue":"7","published-print":{"date-parts":[[2024,10]]}},"alternative-id":["3455"],"URL":"https:\/\/doi.org\/10.1007\/s11276-023-03455-w","relation":{},"ISSN":["1022-0038","1572-8196"],"issn-type":[{"value":"1022-0038","type":"print"},{"value":"1572-8196","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,7,22]]},"assertion":[{"value":"10 July 2023","order":1,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"22 July 
2023","order":2,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}}]}}