System Design to secure OTP from Eavesdropping Apps

Nowadays, almost all mobile apps ask for SMS and file permissions, and for some apps this is a mandatory permission before the app will run at all. Some apps ask for it so that they can fill in the OTP themselves, so you can relax for a few seconds and save the effort of typing 5-6 characters.

But have you ever considered that if an app can read one message, it can read every other message too? Those messages can carry very sensitive information such as credentials and financial details.

In this article, I'm sharing a technical idea that removes the need for apps to ask for SMS permission just to read a one-time password. It would also give users more confidence in apps that request the minimum set of permissions.

As you can see in the above picture, this solution introduces an SMS gateway that controls access to SMS on the device. An app that would otherwise need SMS permission to read an OTP instead generates a unique token locally and sends it to its own backend server.

The user then receives the OTP via SMS, and that message includes the unique token the app generated on the device. The app also shares the same token with the SMS controller app, so that when the message arrives the SMS controller (gateway) app can match the token and hand only that message to the requesting app.

Taking this idea one step further, the dependency on the mobile network can be removed entirely: the SMS gateway can be replaced with an OTP gateway that works much like OAuth does.
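The token-matching flow described above, as an added example that is not part of the original article: a requester app generates a random token, hands it both to its backend and to the on-device gateway, the backend appends the token to the OTP message, and the gateway routes the message only to the app whose pending token matches. Everything here is a simulation with constructed names (the `#rt:` marker, the two-minute validity window, the phone number, the carrier being short-circuited into the gateway); a real deployment would put the gateway in the privileged SMS-handling component and the backend behind the app's existing TLS session. Android's SMS Retriever API uses a comparable app-hash-in-message approach. The example also handles the cases a practitioner would want covered: messages without a token are never shared, a token is single-use so a replayed message is dropped, and pending requests expire.

```python
import hmac
import re
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed wire format: the backend appends the app-generated token after a
# fixed marker, so the gateway can find it without parsing the rest of the text.
TOKEN_MARKER = "#rt:"
TOKEN_RE = re.compile(r"#rt:([A-Za-z0-9_-]{16,})")
TOKEN_TTL_SECONDS = 120  # assumed validity window for a pending request


@dataclass
class PendingRequest:
    app_id: str
    token: str
    deliver: Callable[[str], None]   # hands the message to the requesting app
    expires_at: float


class SmsGateway:
    """On-device SMS controller: the only component holding the SMS permission."""

    def __init__(self) -> None:
        self._pending: List[PendingRequest] = []
        self.inbox: List[str] = []   # every message stays here, visible to no app

    def register(self, app_id: str, token: str, deliver: Callable[[str], None],
                 now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        self._pending.append(PendingRequest(app_id, token, deliver, now + TOKEN_TTL_SECONDS))

    def on_sms_received(self, phone: str, body: str, now: Optional[float] = None) -> Optional[str]:
        """Route an incoming SMS; return the app id it was delivered to, or None."""
        now = time.time() if now is None else now
        self.inbox.append(body)
        match = TOKEN_RE.search(body)
        if match is None:
            return None                      # ordinary SMS: never shared with any app
        token = match.group(1)
        self._pending = [p for p in self._pending if p.expires_at > now]  # drop expired
        for req in self._pending:
            if hmac.compare_digest(req.token, token):   # constant-time compare
                self._pending.remove(req)    # single use: a replayed message is dropped
                req.deliver(body)
                return req.app_id
        return None                          # unknown, expired or reused token


class Backend:
    """Server side: ties the OTP to the token the app sent over its own session."""

    def __init__(self, send_sms: Callable[[str, str], object]) -> None:
        self.send_sms = send_sms             # carrier hook (simulated in demo)
        self.issued: Dict[str, str] = {}     # token -> OTP, kept only so the demo can check

    def send_otp(self, phone: str, token: str) -> str:
        otp = f"{secrets.randbelow(10**6):06d}"
        self.issued[token] = otp
        self.send_sms(phone, f"Your code is {otp}. Do not share it. {TOKEN_MARKER}{token}")
        return otp


class RequesterApp:
    """An app that wants its OTP without ever holding the SMS permission."""

    def __init__(self, app_id: str, gateway: SmsGateway) -> None:
        self.app_id = app_id
        self.gateway = gateway
        self.received: List[str] = []

    def request_otp(self, backend: Backend, phone: str) -> str:
        token = secrets.token_urlsafe(18)    # 24 url-safe chars, matches TOKEN_RE
        self.gateway.register(self.app_id, token, self.received.append)
        backend.send_otp(phone, token)       # token travels over the app's own channel
        return token

    def extract_otp(self) -> Optional[str]:
        if not self.received:
            return None
        text_before_token = self.received[-1].split(TOKEN_MARKER)[0]
        m = re.search(r"\b(\d{6})\b", text_before_token)
        return m.group(1) if m else None


def demo() -> dict:
    gateway = SmsGateway()
    phone = "+1-555-0100"                                    # constructed number
    backend = Backend(send_sms=gateway.on_sms_received)      # carrier short-circuited
    bank = RequesterApp("com.example.bank", gateway)
    shop = RequesterApp("com.example.shop", gateway)

    bank_token = bank.request_otp(backend, phone)
    shop_token = shop.request_otp(backend, phone)
    plain = gateway.on_sms_received(phone, "Your statement is ready to view.")
    replay = gateway.on_sms_received(phone, bank.received[0])

    return {
        "bank_ok": bank.extract_otp() == backend.issued[bank_token],
        "shop_ok": shop.extract_otp() == backend.issued[shop_token],
        "bank_saw_one": len(bank.received) == 1,
        "shop_saw_one": len(shop.received) == 1,
        "plain_routed_to": plain,
        "replay_routed_to": replay,
        "gateway_inbox": len(gateway.inbox),
    }


if __name__ == "__main__":
    print(demo())
```

Each app ends up with exactly one message, the one carrying its own token, while the statement SMS and the replayed OTP message stay inside the gateway. The design point worth noting is that the token is a routing key, not a secret shared with the SMS sender: its only job is to let the gateway decide which app may see one specific message, which is why it is random, single-use and short-lived.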

If you like this idea, please share it with others. If you're implementing it on your own, I would be happy to hear about it. If you want to discuss this topic further, let's connect on our discussion forum.

Your feedback is really important, so that I can improve my future articles and correct what I have already published. You can also suggest a particular topic you would like me to write about. If you really like this blog or article, please share it with others; that's the only way I can buy time to write more articles.

Amit, author and maintainer of many open-source projects like fast-xml-parser, imglab, stubmatic etc. Very much interested in research and innovation.