Verify phone number

[oscarb]

The list of users one can share content with should be the users phonebook contacts that also have the app.

To find out which contacts that are also users, each user should be associated with a phone number.

When the user first starts the app and enter their phone number, this phone number should be verified.

[oscarb]

Programmatically:

• http://stackoverflow.com/a/2480307
• http://stackoverflow.com/a/15428875
• http://stackoverflow.com/a/14386766
• http://stackoverflow.com/a/20134624

Free service?

• Digits
  • https://docs.fabric.io/android/digits/overview.html
  • Is Twitter digits login (sms auth code) insecure?
• Auth0
• Account Kit
  • Passwordless Login with Facebook Account Kit
• RingCaptcha - Real People in your apps

Services that costs:

• CheckMobi - Cheap phone verification via SMS, Voice Call, Missed Call
• Android Flash Call Verification | Sinch
• Android adding SMS Verification Like WhatsApp - Part 1
• Pricing - Cognalys
• Foneverify - Simple & easy to use Phone Number Verification API from FoneVerify
• Cognalys - Free Mobile Number Verification Library For Mobile Platforms And Web

Integrations:

• Parse
  • ParsePlatform/AnyPhone: Phone-Based login accounts with Parse + Twilio
  • Phone-Based Login, Can You Dig It?
  • smshuja/parse-server-accountkit-auth: Facebook AccountKit Authentication module for Parse Server
  • brycehamrick/parse-passwordless-authentication: An example of how to use Parse's Cloud Code to implement Passwordless Authentication
• Firebase
  • deltaepsilon/firebase-digits: A Firebase integration for Twitter Digits using the JavaScript.
  • Authenticate Firebase API with SMS

Security;

• Ensuring Unique Mobile Numbers with Firebase
• Firebase custom auth with Digits – Techfiles
• The Difficulty Of Private Contact Discovery

More reading:

• Android SMS Verification App - Phone Verification with OTP
• Nexmo Docs - Verify
  • Nexmo Verify SDK - User authentication for apps - Nexmo
• Email Address and Phone Number Verification
• googlei18n/libphonenumber: Google's common Java, C++ and JavaScript library for parsing, formatting, and validating international phone numbers.

UI Inspiration

• WhatsApp FAQ - How do I verify my number in WhatsApp?

Conclusion: Send SMS from the users phone to the users phone seems to be the most practical and cheap way to achieve this.

[dbosk]

What level of security do you want? There are a lot of possible attacks on the SMS-based verification systems.

E.g. with the scheme in your conclusion I can easily spoof the phone number (enter wrong phone number, app sends SMS, I manually craft the reply on another phone and send it back) and read someone else's Flowlist.

[oscarb]

A few ideas that could increase the security in a solution where the device sends a text to itself, and also reads the code from the incoming text. This would however require permission from the user to read incoming texts from the moment the code is sent until a set time has passed.

• Invalidate the generated code after a short time, say less than 1 minute
  • Since the app will read the code itself from the text and provided there is a network connection this can be done within seconds as the device sends the message to itself
  • Requires the attacker to act fast.
  • Requires the user to enter the code fast or send a new code if SMS can't be detected or read automatically.
  • Verify the phone number of the sender of the text with the phone number entered by the user
  • Requires the attacker to spoof SMS meta-data
  • Requires the user to verify the device that is being used, i.e the user can not start using the app from a device that is not receiving texts for the given number
• Hide invisible characters in the text that the app looks for when receiving the text
  • Makes it more difficult spoofing the message just by looking at it and manually crafting a copy
  • The attacker would be aware of this security measure since the code is open source
  • If the text can't be read automatically, then there must be a way for the user to enter the code which in turn would defeat this idea

[dbosk]

Some comments below.

On Fri Nov 25 13:38:27 2016, Oscar Björkman wrote:

A few ideas that could increase the security in a solution where the device sends a text to itself, and also reads the code from the incoming text. This would however require permission from the user to read incoming texts from the moment the code is sent until a set time has passed.

• Invalidate the generated code after a short time, say less than 1 minute

If you implement this in a proper way, then you do not need this limitation. You can cryptographically sign the code that you send, then you only need to verify the signature of the received code. This signature is virtually impossible to forge. The purpose of the code is then to prevent re-use of old signed codes.

• Since the app will read the code itself from the text and provided there is a network connection this can be done within seconds as the device sends the message to itself
• Requires the attacker to act fast.
• Requires the user to enter the code fast or send a new code if SMS can't be detected or read automatically.
  • Verify the phone number of the sender of the text with the phone number entered by the user
• Requires the attacker to spoof SMS meta-data

With the signature scheme, the system cannot be attacked even if the adversary can spoof SMS meta-data.

• Requires the user to verify the device that is being used, i.e the user can not start using the app from a device that is not receiving texts for the given number

However, sometimes it is actually desirable to register another device, e.g.\ a non-phone device such as a tablet.

• Hide invisible characters in the text that the app looks for when receiving the text
  • Makes it more difficult spoofing the message just by looking at it and manually crafting a copy

Security by obscurity, does not add anything considering what you write just below.

• The attacker would be aware of this security measure since the code is open source
• If the text can't be read automatically, then there must be a way for the user to enter the code which in turn would defeat this idea

The problem with the signature is that it will likely be long to enter manually.

-- You are receiving this because you commented. Reply to this email directly or view it on GitHub: https://github.com/oscarb/flowlist/issues/1#issuecomment-263024944

[oscarb]

In Android O there seems to be a dedicated method for sending SMS tokens, see createAppSpecificSmsToken()

Needs further investigation.

[oscarb]

Solution

Facebook Account Kit

Account Kit provides a secure and free method to get users and their phone numbers into the app.

Pros

• External service built and maintained by Facebook
  • Less error-prone
  • Instant verification if users are logged into Facebook on their Android device
• Phone number is normalized and passed from Facebook servers to Flowlist backend
• Free until August 2018 and for apps with less than 100,000 SMS messages per month after that
• More secure as the code is generated on and then verified with Facebook servers

Cons

• Less customization of UI than a native solution but still enough to provide good UX

See details regarding the flow in the wiki: https://github.com/oscarb/flowlist/wiki/Login-flow

[oscarb]

Interesting read how to verify phone numbers using built-in API:s in Android: http://android-developers.googleblog.com/2017/10/effective-phone-number-verification.html https://developers.google.com/identity/sms-retriever/overview

[dbosk]

Yes, much better than using Facebook, as outlined in the wiki :-P

On Sat 14 Oct 2017 11:27:59 GMT, Oscar Björkman wrote:

Interesting read how to verify phone numbers using built-in API:s in Android: http://android-developers.googleblog.com/2017/10/effective-phone-number-verification.html

[oscarb]

Investigate tru.id for verifying phone numbers since Facebook Account Kit has been deprecated and shut down.

https://github.com/tru-ID/tru-sdk-android https://developer.tru.id/tutorials/passwordless-auth-android