An Ultimate Guide to Secure Mobile Authentication

August 10, 2016 by Irfan Shakeel

In the early days, when the first mobile phones were introduced, they were owned, managed and secured to business standards. Now there are billions of mobile devices, used and owned by different people and organizations, and many devices that perform critical tasks are secured by different security solution providers and techniques.

Authorization became a concern for companies in 2008, when platforms like the iPhone and Android introduced changes to how content, applications, data and personal information are used on mobile devices. With these changes, organizations started to worry about access control strategy and techniques: who can access and control the information on the device.

To address this, many different strategies have been adopted, each successful to some extent. These techniques include:

  • Password string
  • Non-text passwords
  • Biometric

Password string

A password string is a set of characters used, along with a user ID, to authenticate a user. Systems with this type of authentication prompt the user to enter an ID and password to gain access. Many devices and applications use this type of authentication because it is easy to implement and use.


Despite their ease of implementation and use, password strings have some serious security flaws:

  • Passwords can easily be guessed, shared or misused.
  • Brute-force attacks can be used to recover password strings.
  • Many exposed password lists are already available on the internet.
  • Entering a password leaves tap prints on the screen, which make it easier to guess.

Bypassing Password authentication

There are different methods for bypassing password authentication on mobile devices. Passwords can easily be bypassed using different software and attacks, which include:

Password Guessing

An attacker can guess the password by simply trying different combinations, such as your date of birth, employee ID or a family member's name. This requires physical access to the device. It can also be done by guessing the combination from the tap prints: many devices have touch screens, and touches leave tap prints that help in guessing the password.


Brute force attack

In this attack, the attacker must have physical access to the mobile device; it cannot be carried out remotely. A brute force attack tries a set of passwords to unlock the device. It is a time-consuming process that depends on the complexity of the password: the tougher the password, the more time is required to try the whole dictionary of passwords.

This process can take anywhere from 30 minutes to a month to break into the mobile device's authentication or its apps. Password strings are checked until one matches the valid password and the device unlocks.

Tools: Clockwork Recovery

This tool allows us to recover the device, but it can also be used to hack the device, as it does not require a password to access the shell on the phone. The password for the device is accessible from the shell. Once we have a shell, we simply replace the gesture.key file with an empty file. This leaves the device password-free, so anyone can access it.


Without Tool Method

1) Connect the phone using a USB data cable; the phone should be turned on.

2) Open cmd in Windows and type:

adb shell rm /data/system/gesture.key

That's it; you should be able to use the device without any password now. If it asks for a password, simply try any random password.

Prevention

To prevent password attacks, we can restrict our devices to a limited number of attempts, after which a PIN code is required to access the phone. Failed attempts will lock the phone so that no one can access it, and in some cases wipe it, depending on the nature of the information the device contains. How we configure device authentication security is up to us. Only by restricting failed attempts can we prevent attackers from bypassing string password authentication.

Users typically pick passwords that are easy to recall, so it is recommended to use strong passwords that contain no sequences, names or dates that are easily guessable.
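
An added example (not from the original article) of the attempt limit described in this Prevention section: a toy lock screen with an escalating lockout and an optional wipe, plus a helper that measures what the policy costs someone working through every 4-digit PIN. The class names, delay values and thresholds are assumptions chosen for illustration.

```python
import hmac
from dataclasses import dataclass

@dataclass
class LockoutPolicy:
    free_attempts: int = 5   # failure count at which throttling starts
    base_delay_s: int = 30   # first lockout period, doubled per further failure
    max_delay_s: int = 3600  # cap on a single lockout period
    wipe_after: int = 10     # consecutive failures that trigger a wipe (0 = never)

    def delay_after(self, failures: int) -> int:
        """Lockout in seconds imposed after `failures` consecutive wrong entries."""
        if failures < self.free_attempts:
            return 0
        steps = min(failures - self.free_attempts, 32)  # bound the exponent
        return min(self.base_delay_s * 2 ** steps, self.max_delay_s)

class LockScreen:
    """Toy lock screen; a real device keeps a salted hash, not the secret itself."""
    def __init__(self, secret: str, policy: LockoutPolicy):
        self._secret, self.policy = secret.encode(), policy
        self.failures, self.locked_until, self.wiped = 0, 0.0, False

    def try_unlock(self, entry: str, now: float) -> str:
        if self.wiped:
            return "wiped"
        if now < self.locked_until:
            return "locked"  # entry is rejected without being evaluated
        if hmac.compare_digest(entry.encode(), self._secret):
            self.failures = 0
            return "unlocked"
        self.failures += 1
        if self.policy.wipe_after and self.failures >= self.policy.wipe_after:
            self.wiped, self._secret = True, b""
            return "wiped"
        self.locked_until = now + self.policy.delay_after(self.failures)
        return "denied"

def exhaustion_cost(screen: LockScreen, entries) -> tuple:
    """Submit entries as fast as the policy permits; return (outcome, tries, seconds)."""
    now, tries = 0.0, 0
    for tries, entry in enumerate(entries, 1):
        now = max(now, screen.locked_until)  # wait out any active lockout
        outcome = screen.try_unlock(entry, now)
        if outcome in ("unlocked", "wiped"):
            return outcome, tries, now
    return "exhausted", tries, now

PINS = [f"{i:04d}" for i in range(10_000)]  # constructed sample input: every 4-digit PIN
```

With the default policy the PIN space is never searched, because the tenth wrong entry wipes the device; with the wipe disabled, the capped delay alone stretches the search to months. The counter only covers entries made at the lock screen, not the gesture.key removal over adb described earlier, which never goes through it.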


Non-Text Passwords

Non-text passwords on mobile and other devices are based on repeatable behavioral biometric features such as speech-generated keys, voice frequency, and the timing and force of keystrokes. Non-text passwords aim to achieve two goals:

  • Breaking passwords will be no easier.
  • For some or most, breaking them will be harder.

Speech Generated Keys:

This technique gathers behavioral measurements. The user utters a pass-phrase, and the system then performs front-end signal processing and records measurements of voice features.


Password hardening based on keystroke dynamics

This is a very similar concept: the system starts out as secure as a traditional password system and begins storing, in a secret-sharing table, values that are not repeated consistently.

Bypassing Non-Text Passwords

Hackers today are far more capable of impersonating your voice to harm your online presence. A voice recognition attack bypasses the security mechanism using a cloned speech command, a sample of your voice or similar methods to impersonate your voice, which in turn gives such hackers access to your important files and exposes your privacy and security to unimaginable risk.

There are also many types of software that manipulate a voice so that it can be used to impersonate the victim's voice.


Prevention

Voice-activated technology has already been blacklisted because it is vulnerable to attacks. Voice recognition can easily be bypassed by cloning speech commands and through software. So avoid these types of authentication techniques on your mobile devices, as they can make your device insecure.

Biometric Authentication

Biometric authentication is usually used for multi-factor authentication, which involves at least two methods; these can be something like a password, a one-time generated string, or something you are (fingerprints). Biometric authentication covers fingerprint, iris and handwritten signature scans, and so on.

Fingerprint Scan

Everyone has marks on their fingers. They cannot be removed or changed; moreover, each fingerprint is different from any other in the world. These marks form a pattern, and this pattern is used to authenticate to devices like mobile phones, bank lockers and other confidential and personal devices.

Bypassing Fingerprint Scan

The fingerprint scan is the most famous technique so far and has been adopted by many mobile companies. Apple and Samsung have introduced this feature in their devices to make them more secure. But hackers can somehow bypass this feature; two popular methods have been used to bypass fingerprint scans:

  • Fake finger
  • Using loopholes

Fake Finger

A fake fingerprint to bypass the iPhone's fingerprint scanner was made by a German group of hackers, the "Chaos Computer Club". They demonstrated creating a fake fingerprint from a photograph of the user's finger, which can easily be obtained from the reflective touch screen of the mobile device.

A similar process can be used against a Samsung device. With the latest release of new mobile devices like the iPhone 6, Samsung S6 and others, the sensitivity of the readers has increased, which means marginal fake fingerprints will no longer work.

Using Loopholes

The fingerprint scanner can be bypassed by using loopholes in the mobile device. In the iPhone operating system, Jose Rodriguez discovered a way to bypass the fingerprint scanner and get to the phone's contacts and photos through a slightly complicated series of button presses: Control Center > Clock > hold Power button > Cancel on shutdown screen > double-tap the Home button to bring up multitasking view and access contacts, camera/gallery and more.

Preventions:

To prevent these biometric bypass techniques, we can disable the Control Center option that lets us access some features while the mobile device is locked. Fake fingerprints, meanwhile, are no longer useful for bypassing the scanner, as new hardware scans more sensitively.

Authenticated users can access all the applications available on their mobile devices. An authentication bypass can ruin their privacy, social life and personal credentials, which is intolerable. Most authentication attacks are carried out physically, so be aware of whom you are sharing your device with. Select the best possible authentication methods, like "multi-factor authentication", which surely have a major impact on mobile device usability and corporate network security. Furthermore, regularly conduct vulnerability assessments, update devices and obtain user feedback before settling on a mobile authentication strategy.

Irfan Shakeel

Irfan Shakeel is the founder & CEO of ehacking.net, an engineer, penetration tester and security researcher. He specializes in network and VoIP penetration testing and digital forensics. He is the author of the book titled “Hacking from Scratch”. He loves to provide training and consultancy services, and works as an independent security researcher.