All geek questions in one place

Authentication scheme for an Android application: when the SIM card is locked or replaced by another, the application stops working

I need to implement a convenient way to determine if a mobile application is being used by a valid client or not. My clients told me that if they lose their mobile phone, they will contact the operator and block the SIM card.

Thus, it seems natural to associate authentication with the validity of the SIM card (the application works as long as the correct SIM card is present and is not blocked). Then, in case of loss, the client only needs to block the SIM card, which he or she will do anyway (since Internet banks send an SMS message to approve transactions on a mobile phone).

I tried to read the data associated with the SIM card, but it only works on some phones and not on others (sometimes I get only blank lines instead of the IMEI number).

How can I implement an authentication mechanism that

  • easy for the user (does not require the user to generate / enter a new password),
  • provides the application with information about whether a SIM card is currently installed
    • the same as the SIM card that was there when you first started the application and
    • not blocked?

If this is not possible, what are the authentication alternatives (except for email / password and SMS confirmation phone number)?

Update 1 (08/11/2013 14:17 MSK): One of the obvious solutions is to use the phone number as the login name and the 6-digit number with the server as the password.

Then authentication will work as follows:

  • At the first start, the user enters his mobile phone number.
  • The server sends him or her a message (SMS) with a 6-digit password.
  • The user enters this password, and the application starts to work.
  • At regular intervals, the application asks the user to update the password (new passwords are also delivered via SMS).

What do you think of this option?

Is there any way to improve?

+4
source share
2 answers

If you lock your application with the properties of a SIM card and require that these properties be presented to unlock the application, have you thought about where to store these properties in the application (hard disk, database, file, settings, ...)? Or are you thinking of contacting the server for verification? In both cases, you may find yourself in a difficult solution with possible security flaws. The SIM serial number is something unique, but at the same time it is publicly available, you cannot rely on this property to block your application.

The TelephonyManager class is a gateway for accessing the properties of a SIM card (this class also provides users with privacy in several ways). There are currently no Android APIs that can perform cryptographic operations on a SIM card. But, since your client can contact the operator, you can ask the operator to sign your application. In this case, you can use the SIM card as a secure element. This thread is being discussed. Based on a limited number of attempts, a PIN is another way to implement simple authentication to access your application. You can implement this at the application level without using a SIM card.

Hope this helps.

+5
source

in order. It looks like you have most of the flow already tuned into your mind. I add a few specific things:

1. Registration

Users will need to explicitly read the SIM serial number, which is physically printed on the side of the SIM card and must tell you this serial number (in case you register users manually and offline) .. or users can register themselves online by entering this specific serial number SIM (if your registration process is connected to the network and controlled by the user). It will only be time recording.

I am not sure of any search for the serial number of the SIM card without removing the SIM card from the phone. You can study it more.

2. Authentication

Now, every time a user launches your application, you can read information related to the SIM card, such as the serial number of the SIM card, operator code, operator name, operator country code, etc. and transmit this information to your web server for authentication.

To get these details you need to use the functions getSimOperatorName() , getSimSerialNumbe() , getSimCountryIso() TelephonyManager .

Please note that since @rajesh has already commented that there is no IMEI. It is used to identify the device, not the SIM card, so it is not needed if you want authentication to be specific to the SIM card.

3. Verification

In addition to authentication, you will have to implement the logic to see the status of the SIM card (perhaps after each specific time interval or only at the time when your application is used).

You will need to use the getSimState() function for TelephonyManager to read the states:

SIM_STATE_NETWORK_LOCKED - Indicates that the SIM card is blocked by the network operator. (disconnection, when the user had to inform about SIM blocking after a lost SIM card event. SIM_STATE_ABSENT - indicates that there is no SIM card.

Accordingly, you can exit the application by displaying appropriate messages to the user.

This approach can be modified and used according to your requirements. Hope this helps you.

0
source

Source: https://habr.com/ru/post/1496286/

More articles:


All Articles