Vulnerabilities of the SMS Retriever API for the Automatic Verification of SMS OTP Codes in the Banking Sector

One of the ways to authenticate users of mobile devices is by sending One Time Password (OTP) codes via SMS messages. In order to facilitate the use of these codes by customers, Google has proposed APIs that allow the automatic verification of the SMS messages without the intervention of the users themselves. One of these APIs is the SMS Retriever API for Android devices. This article presents a study of this API. Different scenarios of interaction between mobile apps and SMS OTP servers are posed to determine which implementations of the SMS Retriever API are vulnerable. The study presented here focuses on Spain’s banking sector. The results show that there are vulnerable implementations which would allow cybercriminals to steal the users’ SMS OTP codes. The desirable equilibrium between ease of use and security needs to be improved in order to maintain the high level of security which has traditionally characterized this sector. The proposed methodology, applied here to this particular sector (banking), is nevertheless simple enough to be applied to any other sector. One of its advantages is that it proposes a method for detecting bad implementations of the SMS Retriever API on the server side, based on analyses of the apps, which would make it easily applicable.