DEV Community

Cover image for Phone number centric apps are a Security Hazard

Posted on

Phone number centric apps are a Security Hazard

Let's not beat around the bush, using phone numbers as part of the required information for a user simply tells to the world "Look! I make terrible choices when designing software".

Most of the apps that use them as the primary login/info will also have the tendency of making it visible for the world to see (cc. WhatsApp).

You also have a username on these apps? They don't care, they'll usually show your phone number before they show your username, or show them side-by-side for... reasons?

Most of the time, if they have a desktop client, you can even extract a list of phone numbers from a group fairly easily.

This is an obvious security hazard as, more often than not, the default visibility is "for everyone" instead of "my contacts" which is a baffling choice to say the least.

Exposing your phone number, just like your IP address, can have... unintended side-effects (we'll dive more on that in a future post).

Thus far the issues we have listed are:

  1. Getting your phone number
  2. Accessing information they probably shouldn't have

Hackers can even use your phone number as a means for reverse-lookups. Hell, even regular users can since most apps have a "add from my contacts" feature (which is extremely bad for security).

The other funny thing is... unlike email addresses, phone numbers can usually be re-assigned! Only after your death or any phone number change, sure, but it can still happen.

Therefore anything that uses phone numbers for let's say 2FA has a fundamental design flaw: too many assumptions.

Does it prevent spam? Nope. Does it make sure no one can have multiple accounts? Nope. Does it make sure only the owner has access to their account? Not necessarily.

There is no reason that justifies the use of a phone number beyond sending a verification code. It should never be used as a primary means for identification, authentication or authorization. It should only be used as a secondary one.

Top comments (0)