Chinese Journal of Network and Information Security (网络与信息安全学报) ›› 2020, Vol. 6 ›› Issue (6): 137-151. doi: 10.11959/j.issn.2096-109x.2020081

• Academic Paper •

Research on identity authentication issues of typical applications on mobile platforms

Xiaolin ZHANG 1,2, Dawu GU 1,2, Chi ZHANG 1

  1 School of Electronic Information and Electrical Engineering, Shanghai Jiao Tong University, Shanghai 200240, China
  2 School of Cyber Engineering, Xidian University, Xi'an 710126, Shaanxi, China
  • Revised: 2020-07-03 Online: 2020-12-15 Published: 2020-12-16
  • About the authors: Xiaolin ZHANG (born 1998), male, from Linfen, Shanxi, is a master's student at Shanghai Jiao Tong University; his main research interests are information security and cryptography. | Dawu GU (born 1970), male, from Luohe, Henan, Ph.D., is a professor and doctoral supervisor at Shanghai Jiao Tong University; his main research interests are cryptography and system security. | Chi ZHANG (born 1991), male, from Taiyuan, Shanxi, is a Ph.D. student at Shanghai Jiao Tong University; his main research interests are hardware security and machine-learning-based side-channel analysis.
  • Supported by:
    State Grid Corporation of China Headquarters Science and Technology Project (2019GW-12)

Issues of identity verification of typical applications over mobile terminal platform

Xiaolin ZHANG1,2,Dawu GU1,2,Chi ZHANG1   

  1 School of Electronic Information and Electrical Engineering, Shanghai Jiaotong University, Shanghai 200240, China
  2 School of Cyber Engineering, Xidian University, Xi'an 710126, China
  • Revised: 2020-07-03 Online: 2020-12-15 Published: 2020-12-16
  • Supported by:
    Security Protection Technology of Embedded Components and Control Units in Power System Terminal (2019GW-12)

Abstract (translated from the Chinese):

Recent studies show that attacks against USIM cards are increasing, and even in a 5G environment an attacker can use a cloned USIM card to bypass the identity authentication of some ordinary applications and thereby obtain user information. Under the assumption that the USIM can be cloned, the identity authentication flows of typical applications on mobile platforms were studied, and an identity authentication tree was derived by analyzing application behavior during user login, password reset, and the execution of sensitive operations. On this basis, 58 typical applications in 7 categories, including social communication and personal health, were tested; 29 of them were found to require only the SMS verification code received by the USIM card to pass authentication. To address this problem, it is recommended that applications enable two-step verification and complete authentication in combination with measures such as USIM anti-counterfeiting.

Keywords: mobile application, USIM cloning, SMS, identity authentication, mobile application testing

Abstract:

Recent studies have shown that attacks against USIM cards are increasing, and an attacker can use a cloned USIM card to bypass the identity verification process in some applications and thereby gain unauthorized access. Considering that a USIM card can be cloned even under a 5G network, the identity verification process of popular applications over the mobile platform was analyzed. The application behaviors were profiled while users were logging in, resetting passwords, and performing sensitive operations, and from this a tree model of application authentication was summarized. On this basis, 58 popular applications in 7 categories were tested, including social communication, healthcare, etc. It was found that 29 of them need only SMS verification codes to get authenticated and obtain permissions. To address this issue, two-step authentication was suggested, with USIM anti-counterfeiting applied to assist the authentication process.

Key words: mobile application, USIM cloning, SMS, authentication, mobile app testing
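The abstract's finding rests on walking each application's authentication tree (login, password reset, sensitive operation) and asking whether the SMS code delivered to the USIM is, on its own, enough to pass. The following is an added example, not code from the paper, that models such a tree as AND/OR nodes over authentication factors and flags every flow a cloned-USIM holder could pass; the capability set and the two sample applications are constructed assumptions, not the 58 applications the study tested.

```python
# Added example (not from the paper): evaluate an application's authentication
# tree against the capabilities an attacker gains from a cloned USIM card.
from typing import Dict, FrozenSet, List, Tuple, Union

# A leaf is the name of a factor the user must present; an inner node combines
# its children with AND (all required) or OR (any one suffices).
Node = Union[str, Tuple[str, list]]

# Constructed assumption: a cloned USIM lets the attacker receive SMS codes
# and pass "confirm your phone number" checks, but provides nothing else.
CLONED_USIM_CAPABILITIES: FrozenSet[str] = frozenset({"sms_code", "phone_number"})


def satisfied(node: Node, capabilities: FrozenSet[str]) -> bool:
    """Return True if the given capabilities are enough to pass this subtree."""
    if isinstance(node, str):
        return node in capabilities
    op, children = node
    if op == "AND":
        return all(satisfied(c, capabilities) for c in children)
    if op == "OR":
        return any(satisfied(c, capabilities) for c in children)
    raise ValueError(f"unknown operator {op!r}")


def sms_only_flows(apps: Dict[str, Dict[str, Node]],
                   capabilities: FrozenSet[str] = CLONED_USIM_CAPABILITIES) -> List[Tuple[str, str]]:
    """List (app, flow) pairs that an attacker holding only a cloned USIM could pass."""
    return [(app, flow) for app, flows in apps.items()
            for flow, tree in flows.items() if satisfied(tree, capabilities)]


# Constructed sample applications (hypothetical names, not the apps from the study).
SAMPLE_APPS: Dict[str, Dict[str, Node]] = {
    "chat_app": {  # accepts phone number + SMS code alone: the weak pattern
        "login": ("OR", ["password", ("AND", ["phone_number", "sms_code"])]),
        "reset_password": ("AND", ["phone_number", "sms_code"]),
        "sensitive_op": "sms_code",
    },
    "health_app": {  # two-step verification: SMS code is never sufficient by itself
        "login": ("AND", ["password", "sms_code"]),
        "reset_password": ("AND", ["sms_code", "email_code"]),
        "sensitive_op": ("OR", ["fingerprint", ("AND", ["password", "sms_code"])]),
    },
}

if __name__ == "__main__":
    for app, flow in sms_only_flows(SAMPLE_APPS):
        print(f"{app}: '{flow}' can be passed with a cloned USIM alone")
```

Running it reports all three flows of `chat_app` and none of `health_app`, which is the distinction the paper's recommendation of two-step verification is meant to enforce.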

CLC number: