Enhancing the Security of One-Tap Authentication Services via Dynamic Application Identification

Abstract

The One-Tap Authentication (OTAuth) service enables users to quickly log in or sign up for app accounts using their phone number. OTAuth provides a more secure and convenient alternative to password-based and Short Message Service (SMS)-based authentication schemes. Consequently, the OTAuth service has been adopted by numerous Mobile Network Operators (MNOs) worldwide. However, a high severity vulnerability remains unaddressed in the OTAuth service, which allows an attacker to access a victim’s various app accounts, posing a significant risk to user privacy and data security. In this paper, we present LoadShow, which, to the best of our knowledge, is the first security-enhanced OTAuth scheme to address this vulnerability. We propose a novel dynamic application identification technique that aims to address the root cause of this vulnerability, i.e., the inability of MNOs to distinguish between different applications on the same device. Specifically, application identification is based on the hardware load side-channel and captures the unique CPU and GPU load characteristics of applications through the sequence of timing values of fingerprinting functions. We evaluate the effectiveness of LoadShow by accuracy, False Positive Rate (FPR), and True Positive Rate (TPR). We also evaluate its multi-platform compatibility on devices with different architectures and models. LoadShow achieves over 90% accuracy, with a TPR exceeding 90% and an FPR below 1%. The evaluation results demonstrate LoadShow’s capability to effectively differentiate between applications on a device, defend against app impersonation attacks, and reliably identify legitimate applications.