7

Problem Statement: User X wants to Log In or Signup to App A and App B.

Considering:-

  • OS Environment: Android
  • User X, Device D, App A and App B(App A and App B are two different organizations)
  • App A and App B are on the same Device D
  • App A and App B use the authentication SDK “SDK1”.

Approach 1: User X authenticates itself on App A via Mobile Number verification using OTP. User X authenticates itself on App B via Mobile Number verification using OTP.

Approach 2: User X authenticates itself on App A via Mobile Number verification using OTP. User X authenticates itself on App B by using the information from authentication on App A.

I am interested in exploring Approach 2 and want to know it’s feasibility and security implications.

Let's Deep dive into Approach 2 -

  1. User X authenticates itself on App A (that uses SDK1) by Mobile Number verification using OTP.
  2. SDK1 stores the information of SIM-ID and a unique Id in a file F on the device (in a shared space to which all Applications have access to), And sends this information to the server. Note: This file “F” is encrypted using a Symmetric Algorithm(e.g. AES); the key is remotely stored only at the server.
  3. User X tries to login into App B(that uses SDK1), the SDK sends the encrypted file F to the server where the server decrypts the file using the key generated at step 2 and validates the SIM ID and Device ID(SIM ID is kept in case I want to ensure that SIM is present in the device only). If the file data matches the data stored on the server then Server assumes that there is no need to do user authentication for App B again, as it has been already done during authentication for App A.

Problem I see in this approach:-

  1. If the File F is stolen then somebody else can impersonate user X and that can lead to identity theft(it can happen even if the file is encrypted) and security breach.
  2. All the applications will have access to this file so anybody can delete it.
  3. What should be the best option for device ID? Ad ID, Session ID, or something else?

PS: I don’t want to prompt the user for extra permissions.

Question- What are the solutions to the problem I listed above? Is there any other Security/Feasibility problem in implementing such an approach in the Android environment?

7
  • i'm not entirely sure if you'll find an answer here, perhaps rather on a security community ? not sure Mar 8 at 14:04
  • why sdk store file on shared storage rather then private storage? Mar 8 at 14:07
  • @a_local_nobody I will post there too, can you please recommend a forum for this type of query. Mar 8 at 14:08
  • 1
    i'd imagine https://security.stackexchange.com/ is where you'd be looking to ask about security issues specifically, but be sure to read how that community works first Mar 8 at 14:11
  • 1
    You may want to look into authentication using tokens, especially using frameworks such as OAuth 1/2, OpenID etc. I'm not sure if you are including those in "OTP-less authentication" or not, OTP is an overloaded acronym / term. And yes, please check or ask on Information Security This is a bit too application specific for Cryptography. Mar 8 at 15:25

0

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

Browse other questions tagged or ask your own question.