When the first message came, I didn't think twice about it. I responded to my friend's SOS sent over the encrypted messaging app Signal, and continued my holiday.
It was only when I was on my way home, in a car I booked with the Lyft ridesharing app, that I realized that my phone was behaving unexpectedly. Just before leaving for vacation, I'd swapped out the SIM card in my Android phone for a different one. For the past few days, I'd had a different phone number, yet I'd seen all my messages on Signal and my Lyft driver had picked me up without any trouble. Different phone number, same hardware.
When I had initially installed the apps on my phone, both of them had sent a code via SMS message to verify the phone number. Visually, both apps appear to use the phone number as an identifier, and displays it on the screen with my account information. Other users find me on the service using my number, and, at least in the case of Lyft, my phone number identifies me to customer service. However, based on conversations with security researchers, careful scrutiny of the app documentation, and close monitoring of the apps over the past five months, it's clear that the phone number isn't being used to verify identity. Or, at least not in the way users think of identity.
Is our identity on our mobile devices tied to our phone number, our hardware, or a combination of both? For some apps, the answer seems to be simultaneously both, and neither. While I focused on Lyft and Signal, the question of how identity is defined in the mobile app world is a broad one.
There is no vulnerability, but when apps don't behave the way users expect, we are more likely to make mistakes.
As a ride-sharing app, Lyft has two types of users, the drivers and the passengers. Passengers and drivers can contact each other directly if there is a problem with pickup, for example. Having the correct phone number seems like an important feature. While the Lyft required phone number verification the first time I signed up for the app, it did not notice when I changed the SIM card. The app continued to work fine whenever I started the app, requested rides, and paid the fares. It used the phone's features to send and receive voice calls and text messages, but used the phone number associated with the account, not with the device.
Is our identity on our mobile devices tied to our phone number, our hardware, or a combination of both? For some apps, the answer seems to be simultaneously both, and neither.
After four weeks or so, the app logged out and prompted me to set up a profile as if I was a brand-new user, so the app does perform some kind of a check. It wasn't apparent, though, why it took so long, and there was no notification explaining why it had logged me out.
Signing up at this point creates a brand-new account, even though the hardware is the same, because the phone number has changed. Alternatively, I could put the original SIM card into a different phone to receive the SMS message with the verification code, and then enter that code into this phone to my account back on the device. Until the next four-week check.
"As long as I could enter the secret code it [the app] texted to the number I entered, it was happy," says Chester Wisniewski, a security researcher with Sophos Labs who confirmed what I was experiencing.
The phone number verification relies entirely on the code as entered by the user, and is entirely divorced from the number assigned to the device. On one hand, this makes sense, as Lyft lets people use the app on tablets and via the Web browser. On the other hand, when users on both sides of a transaction rely on the phone number to communicate, it is disturbing just how much is left to chance. I can send messages to the driver saying, "Where are you?" but all the replies would show up on a different device. If the user intended to use the app this way, that's all fine, but it is still a messy implementation.
Let's shift gears for a moment to Signal, the encrypted messaging app developed by Open Whisper Systems and now managed by the newly-formed non-profit Signal Foundation. Signal is the security community's gold standard for encrypted communications, and its underlying protocol for end-to-end encryption is used by other messaging apps, such as WhatsApp and Facebook Messenger. When Signal is originally installed on the phone, the app uses the phone number and hardware information to generate a unique encryption key. This is a one-time handshake and ensures that both sides of the conversation are who they say they are.
If the Signal user gets a new device and installs the app again, everyone who has previously communicated with the user sees the following message in the app: "Your safety number with
[user's name] has changed." This makes sense, since the app needs to perform another handshake with the new key generated from the changed hardware information. This message doesn't appear when the phone number changes and the hardware stays the same, since the app is not being forced to perform the handshake again. As long as I don't put the SIM card associated with the phone number into a different device and install Signal, this app on this phone will continue to work in perpetuity.
That's fine, as long as I keep that SIM and phone number. If I ever cancel that account, the mobile carrier can assign that number to someone else, and if that person ever installs Signal, I am in trouble. Signal would negotiate a new key with that new device and prompt my contacts that my safety number has changed. Messages originally intended for me would cease to come to my device and go to the new device, Wisniewski says.
As a user, we assume the app is using our phone number as part of our identity, but it appears the number is largely irrelevant to the app's authentication scheme after initial account creation. Signal (the app) hashes the phone number and broadcasts it as a globally unique identifier to all other devices using the Signal protocol. The app looks at all the phone numbers saved in the user's contacts and checks to see if any of them are being broadcast by other devices. If a number is found, then the app tells the user that person is a Signal user. Signal doesn't actually have information about the contact--the name displayed in the app is the same as what the user has saved on his or her phone.
The phone number is basically a username; its value is making the app easier for users.
As far as the Signal app on my phone was concerned, it was broadcasting the same "username," which was why I was able to keep using the app and my contacts did not see any warning messages. In fact, when a contact tried to send a message through Signal to the new number, the app displayed an error saying that phone number was not registered with Signal. In fact, take the SIM card out, and Signal will keep continue delivering and receiving messages, Wisniewski found.
In some cases, if my phone is stolen, the attacker can conceivably swap out the SIM card Since WhatsApp relies on the Signal protocol to handle the end-to-end encryption, it makes perfect sense that it, too, behaves similarly to the Signal app. Like Signal, WhatsApp will happily run on a device with no valid SIM card as long as the account is already created. You just verify the WhatsApp with the code received on the other device, says Christoph Hebeisen, a senior manager with mobile security company Lookout's security intelligence team, who also helped look at what was happening.
In short, Signal uses the phone number for identity, not authentication. With Lyft, it is hard to tell, because while it seems like Lyft doesn't use the phone number, it says in the documentation that the only way to change the number associated with the account is by calling customer service. It isn't clear how the customer service representative verifies identity to make the change. The app also lets users create an account without first verifying the email address, so it is possible for Lyft to have a user in the system without a valid email address.
Users view phone numbers differently from how mobile developers use phone numbers. The developers are using the phone number as a way to identify users when initially creating the account, but it is an imperfect system because the developer doesn't control the address space and cannot rely on it as a permanent identifier. One of the reasons the developers don't know the number has changed hands until someone else attempts to register it is because the mobile operating system blocks the app from accessing certain pieces of information. For example, iOS now hides phone numbers from the app itself, so the app really has no way to know the number has changed unless it uses an external verification method like Signal does, says Wisniewski.
The phone number is basically a username; its value is making the app easier for users.
The reason for using the phone number to handle some aspects of identity boils down to the decisions the developers make about app design and usability. SMS messages, while imperfect, can be used as a way to verify the user is the owner of the number. Even if the phone is lost or stolen, the user can get a new phone and get the same number back from the carrier.
"A phone number is an easy-to-verify handle to connect an account to a real person," says Hebeisen.
Messaging apps such as Signal and WhatsApp let users find each other using phone numbers to make the transition away from other apps (and the built-in messaging app) as seamless as possible, says Hebeisen. Your contacts already have your phone number, and you already have theirs, so it makes sense to use what everyone already knows and not force anyone to learn new usernames or some other identifiers.
That ease of use may be one of the reasons why apps aren't regularly monitoring the SIM card. For messaging apps, making the app stop working because the SIM card has changed means contacts can no longer contact you through the app. Not automatically updating the number at least doesn't force an immediate change and gives users time to communicate to their contacts.
"That would be an inconvenience to which they don't want to expose their users," Hebeisen says.
Using the phone number as a username that doesn't actually do--or mean--anything isn't just restricted to Lyft and Signal. Apple's iMessage looks a lot like Signal in that it generates keys associated with the user and the phone number but its verification problems are worse. That key is stored centrally in Apple's ecosystem and can be accessed by every Apple device with iMessage to find other iMessage users. All communications between Apple devices are encrypted.
All great, until the user switches to Android. At this point, Apple users can no longer use iMessage to reach that user. Even worse, there is no way to tell iMessage that the user is no longer using iOS. The senders never see an error message saying the messages aren't being delivered. All those messages continue to be sent, but never delivered, and stored on the server to be delivered someday, when the phone number comes back to iOS.
"iMessage is another mess onto its own," Wisniewski says, noting that while there is an unregister process, it's not well-publicized.
This disconnect in how phone numbers are viewed isn't a vulnerability, but still can result in poor decision-making and potential abuse. Phone numbers can be recycled by carriers after the user cancels the account, at which point it is the user's responsibility to update the information on the accounts. However, phone number theft is real. There are public cases of attackers social engineering a cellular company's customer service representative to get a new SIM card issued for an account the attacker doesn't own. Major mobile carriers now ask users to set up a PIN on their accounts to prevent SIM card fraud.
"It appears to be easy to do as all you need is a willing/susceptible representative at any cellular phone store," says Andrew Blaich, a security researcher with mobile security company Lookout.
There are security implications to having your phone number hijacked and somebody else receiving your SMS messages and phone calls, says Hebeisen. With Lyft, the risk is having someone intercept your ride. But if apps that send password reset tokens or two-factor authentication vis SMS messages aren't careful about how they handle user identity and phone numbers, users can wind up losing control of their account.
Signal has a way to check when it looks like another person is trying to use an existing account, and warns all the contacts, "which is why it is so important when receiving that message [about the safety number being changed] to verify the secret number out of band," says Wisniewski.
The challenge of working with phone numbers goes beyond mobile: There is no central way for anyone to identify themselves online. The lack of a global identifier means mobile developers have to cobble together identity out of multiple components. That isn't going to change until we--as an industry--figure out how to prove who we are who we say we are, and restricting authentication to only those people who have proven their identity.