Flash SMS should not be readable when phone is locked [answered]

asked 2014-01-23 19:07:22 +0300

326 ●6 ●11 ●16

updated 2014-01-24 18:54:03 +0300

When a OTP message is sent to the phone it is displayed directly on (or perhaps above) the lock screen. This is obviously a security issue as OTP messages are used for identification/verification. If the message can be seen without unlocking the device someone could easily login to your webmail/company network/internet bank/whatever by just knowing their login user and manage to "borrow" your (locked) phone for a few minutes.

EDIT: (disclaimer) I must admit that I'm not entirely certain on this, as I don't know the technology behind it, or even if there is an OTP (One Time Password) standard for text messages, but I have one account which uses OTP for login, and these messages do not appear in the normal message app, but is displayed directly above everything else (including the lock screen). These messages are not saved, and there are no sender, but you have the option to copy the content to clipboard or just remove the message (so at least the developers have done something to handle these special messages).

It could be that these messages are not meant to be used for OTP, but I don't really think it matters... No message that anyone sends from the outside to my phone should be visible when the phone is locked.

EDIT 2: Updated title as marttipiirainen pointed out that the messages are Flash SMS. I still consider this a security (and privacy) issue though. Consider a banking system where you login with username and password, but to for example pay your bills you also have to enter a OTP. If the session is stolen (through unsecure network, a trojan or just some really quick hand manoeuvrer when the owner is not looking) you can use this to cause lots of damage. Granted, this is a pretty dumb security system, but unfortunately there are quite a few dumb security systems around...

Then there is a privacy issue, imagine someone starts using flash SMS to have conversations they don't want to save on their phones. As google recently proved you can cause lots of suffering to peoples life if you accidentally leak personal information. Since you can't approve the messages (or even senders) beforehand you should not display them until the phone is unlocked.

EDIT 3: Big thanks to rainisto and marttipiirainen for pointing me in the right direction. Flash SMS, or class 0 messages should be handled like this (source):

When a mobile terminated message is class 0 and the MS has the capability of displaying short messages, the MS shall display the message immediately and send an acknowledgement to the SC when the message has successfully reached the MS irrespective of whether there is memory available in the (U)SIM or ME. The message shall not be automatically stored in the (U)SIM or ME.

The ME may make provision through MMI for the user to selectively prevent the message from being displayed immediately.

If the ME is incapable of displaying short messages or if the immediate display of the message has been disabled through MMI then the ME shall treat the short message as though there was no message class, i.e. it will ignore bits 0 and 1 in the TP-DCS and normal rules for memory capacity exceeded shall apply.

Although it uses the word "immediately" I would argue that that is more of a reflection of the time when the specification is written. The wording has been exactly the same since at least 1995. My guess is that the class 0 messages originally was intended to send messages that did not require the device to have persistent storage. Today we have multitasking devices with tons of memory, the technical limitation which required the message to be taken care of "immediately" is simply not there any more. (Also, anyone knows if you had to open the key lock on older devices to read these messages back in the days?)

The only reason I can think of where a message would be so important that it should always be displayed immediately would be emergency announcements from authorities, but since class 0 messages can come from anyone who has a GSM device I don't think you should design the system around this. Especially since it (today) seems way more common to send OTP (which is very private data) using class 0 messages.

Even if you think my reasoning is wrong or for some other reason want to keep the current design which displays the message above the lock screen, then please at least give us an option to disable it. The specification explicitly allows the user to disable immediate display and (as far as I understand it) receive the messages as normal SMS.

edit retag flag offensive reopen delete

The question has been closed for the following reason "the question is answered, an answer was accepted" by nthn
close date 2017-03-06 14:12:38.107758

Comments

Could you define what OTP is? All my messages are anonymous...

gabriel ( 2014-01-23 19:13:41 +0300 )edit

Never heard about Flash SMS, what are they, who uses them and for what? Thanks for any info ;)

foss4ever ( 2014-01-24 16:59:01 +0300 )edit

Some governments use class 0 mass SMS's for tsunami warnings for example. And you surely would like to see them even if device is locked if your near a beach.

rainisto ( 2014-01-24 23:25:09 +0300 )edit

@rainisto Yes ok, , so it seems that Jolla is here working as it supposed to be..The issue then are services and operators that send these Class 0 msgs in lesser important purposes and cases..

foss4ever ( 2014-01-24 23:59:06 +0300 )edit

@rainisto that is a legit reason to keep the current design, but the odds that you are saved because you saved 10 seconds by not entering your security code is really low. I think the privacy and security implication of having your private messages read by anyone is more important.

Feffe ( 2014-01-25 13:10:07 +0300 )edit

4 Answers

Sort by » oldest newest most voted

answered 2014-01-24 14:39:27 +0300

rainisto

6348 ●69 ●98 ●112

moderator

updated 2014-01-24 14:41:13 +0300

Class 0 specificiation says that message needs to be shown immediately. So there is not much that can be done, other than complaining to your OTP service provider not to send class 0 flash sms messages.

edit flag offensive delete publish link

Comments

Is there a link somewhere to the specification? I've tried to search for it, but since I'm not even sure what authority is setting the standard I'm not sure where to look (or even if it is available to the general public).

Feffe ( 2014-01-24 15:23:18 +0300 )edit

3GPP and ETSI standards are public. 'Class 0' is in 23.038 http://www.etsi.org/deliver/etsi_ts/123000_123099/123038/08.03.00_60/ts_123038v080300p.pdf , the overall SMS spec is 23.040 http://www.etsi.org/deliver/etsi_ts/123000_123099/123040/08.06.00_60/ts_123040v080600p.pdf .

marttipiirainen ( 2014-01-24 15:42:10 +0300 )edit

Thank you! I skimmed the docs, and it could be argued that "displayed immediately" just means that it should not be saved to persistent memory, not that the user must see the full message immediately. At the very least it clearly leaves room for a configuration option to disabling immediate display.

Feffe ( 2014-01-24 16:54:38 +0300 )edit

N9 did ask for security code before displaying flash sms. I haven't tested with other phones. Even if other phones should not be seen as the right and only way, that "immediate" part I would interpret as message displayed in front of whatever is on the screen and user do not have to go somewhere else to view a message as there is no place where these messages are meant to be saved.

Hess ( 2014-01-25 02:31:07 +0300 )edit

I am sorry, but I must downvote your answer. Though you are right that the OP should complain to their OTP service, it can not be considered sufficient. Modern phones are used in ways that differ dramatically from when the standard was written, and we expect all our information to be protected when they are locked (though security obviously isn't perfect). Any form of computer development should be done with careful determination, even when it comes to questions of following standards or not.

00prometheus ( 2014-02-09 06:58:50 +0300 )edit

answered 2014-02-10 19:50:57 +0300

Stefanix

4518 ●55 ●71 ●71

A switch to allow / block the display of personal information on a locked phone screen should be introduced. E.g. instead of calling number / name, only "incoming call" may be shown; instead of the flash SM just "Flash SM waiting". The actual flash SM would be waiting under the locked screen and would be shown as soon as the phone is unlocked.

edit flag offensive delete publish link

Comments

Actually, in N9 there is such a Setting to configure how / what info is shown in the Lock screen (you can enable / disable private info display, like sender, or the beginning of the msg)

foss4ever ( 2014-02-10 20:05:31 +0300 )edit

:) Yes, a lot of things suggested here existed already. I think we don't need any poll about previous phones of all the contributors here. The outcome is quite clear, I guess.

Stefanix ( 2014-02-10 20:09:55 +0300 )edit

I see no harm in pointing out that such a settings has a quite nice implementation in my current phone, and also that it solves some other privacy concerns in regards to what to show in locked state (so not only applicable to specific type of SMS messages).

foss4ever ( 2014-02-10 20:25:25 +0300 )edit

I remember that N9 had (has) this option. But I don't remember how exactly it was done. Need to dig it out and try. In general it's of course good to name a reference for a feature suggestion.

Stefanix ( 2014-02-10 20:39:15 +0300 )edit

Yeah give us Settings! +1

chemist ( 2014-02-12 16:57:06 +0300 )edit

answered 2014-01-24 11:22:35 +0300

marttipiirainen

156 ●4 ●5

There is no "one-time password" standard for text messages, but from the behaviour you describe it sounds like a "Class 0 SMS", also known as "Flash SMS". There's already a similar question about Flash SMS and the lock screen: https://together.jolla.com/question/11509/flash-sms-issues/

I haven't seen them been used specifically for OTP, but I don't think the scenario you describe is a serious security problem. If you use two-factor authentication, you are supposed to take good care of both parts (in this case, "username/password" and "OTP via phone"). You are still safe if one of them escapes you, but you are describing a case where you have lost control of both.

edit flag offensive delete publish link

Comments

Thanks for the clarification, I still consider this an issue though, and I've updated the question.

Feffe ( 2014-01-24 12:12:07 +0300 )edit

I am sorry, but I have to disagree and downvote, even if the first half of your answer is excellent. The reason for having two-factor authorization is usually because the cost of failure is higher than usual (in this case loss of money). The two-factor authorization is there to reduce the risk in such cases. The phone behavior compromises the effectiveness of one of the factors, making the cost-risk much higher. If you split your answer, I will be glad to upvote the part I agree with.

00prometheus ( 2014-02-09 06:49:44 +0300 )edit

answered 2014-02-10 18:52:30 +0300

00prometheus
13308 ●135 ●174 ●152

If there is no standards compliant way of preventing Class 0 SMS from showing publicly on the screen of a locked device, I propose the feature be removed entirely. In such a case, the standard calls for an automatic fall-back to normal SMS instead.

edit flag offensive delete publish link

Comments

the bank sending OTP as class 0 SMS is the problem, not your phone!

chemist ( 2014-02-12 12:51:15 +0300 )edit

Then you stand there without money on your account, your sexual preferences and non-countagious (but yet embarrassing) disease(s) exposed to a narrow-minded society, your wife left you because she thought that ring you ordered was meant for someone else and not a surprise present for your anniversary.

Oh, and you also lost your job because someone used your account to sabotage the company.

Sure, the phone may not be the problem, but it could be a better safety-net then what it is now.

Feffe ( 2014-02-12 15:41:19 +0300 )edit

@Feffe Sure it is arguable if it is needed to follow a standard word by word and not implement it behind a device-lock. Really scare tactics like politicians while fighting for deprecated features!? "I am scared by identity theft cause I use a service that is known to be cause of identity theft!"

chemist ( 2014-02-12 16:55:59 +0300 )edit

@chemist For people like you, me, Feffe, and others that look at this Question, you might be right; i.e. "Understand the security model of your phone and do not accept services that are incompatible with it". But there are many, many other people that have no chance whatsoever of getting what we are talking about. It is just wrong to let their security fall because we think that the responsibility to fix belongs with A rather than B.

00prometheus ( 2014-02-13 18:51:03 +0300 )edit

Oh, by the way, using fall-back to standard SMS doesn't really loose you much. Standard SMS may still be flashed on-screen if you like, it's just that they may doubtlessly be hidden by the lock-screen. The only other feature you loose is that Flash SMS aren't saved after viewing (unless "Man Machine Interaction" asks for it).

00prometheus ( 2014-02-13 18:57:26 +0300 )edit

Flash SMS should not be readable when phone is locked [answered]

The question has been closed for the following reason "the question is answered, an answer was accepted" by nthn
close date 2017-03-06 14:12:38.107758

Comments

4 Answers

Comments

Comments

Comments

Comments

Question tools

Stats

Related questions

Flash SMS should not be readable when phone is locked [answered]

The question has been closed for the following reason "the question is answered, an answer was accepted" by nthn close date 2017-03-06 14:12:38.107758

Comments

4 Answers

Comments

Comments

Comments

Comments

Question tools

Public thread

Stats

Related questions

The question has been closed for the following reason "the question is answered, an answer was accepted" by nthn
close date 2017-03-06 14:12:38.107758