3 min read
"Decryption of APP Native Number Login Principle"




Recently, I wonder if everyone has noticed that many apps have changed their registration and login pages to look like this:
Or like this:
This method of registration and login is much simpler compared to the traditional SMS verification code. As soon as the user clicks the button, the number can be recognized immediately, allowing for successful registration/login. So how is this technology implemented, what are the differences from SMS verification codes, and is it really secure? Now, let’s explore this with Dog Shisan.
Traditional Verification Code
We know that the traditional authentication method is based on SMS verification codes. The app first asks the customer to enter their phone number, and then sends a text message through the carrier containing a verification code that the app operator has generated in advance. Only when the user enters the correct verification code will the app operator consider this user to be the holder of that phone number.
This verification method is widely used in user registration, login, payment, and other scenarios.
However, we know that SMS-based verification codes are actually a remnant of the 2G era. Currently, all mobile text messages still rely on the 2G GSM protocol. This protocol requires terminal devices (phones) to register with each base station and exchange information in "plain text." As shown in the diagram below:
Modern phones are mostly 4G, and under sufficient bandwidth, mobile terminals and base stations use advanced encryption protocols to ensure secure communication.
However, in areas with poor signal, such as in the bedroom or living room at home, the phone may downgrade to a 2G channel, which gives a chance for fake base stations to exploit this situation. Since SMS exchanges based on the 2G GSM protocol are in plain text, fake base stations can force downgraded phones to register with themselves and then proxy the phone to send messages to the real base station, thus hijacking the SMS verification code. As shown in the diagram below:
Carrier One-Click Login
In the 5G era, this outdated method is finally being phased out. Because the 5G network is not compatible with the 2G GSM protocol, users no longer have to worry about SMS hijacking. Additionally, the sufficient bandwidth and channel encryption technology of 5G networks make tunnel-based identity verification possible.
The principle behind one-click registration/login is that the app only needs to consume a small amount of mobile data (not Wi-Fi) to obtain the user's phone number and the authenticity of the channel encryption information from the 5G channel information provided by the carrier, with the user's authorization. That is, under the trusted 5G channel, the phone number and device information can be obtained from the data packets, no longer relying on the primitive method of sending SMS.
As long as the authentication device (mobile network + SIM card) can access the carrier's network, the signaling connected to the 5G base station already contains sufficient identity information, and unless authorized by the user, this encrypted information cannot be decrypted by the app operator.
Therefore, with this operational method, the ancient method of SMS verification codes can finally be consigned to the dustbin of history. For app operators, this saves a significant amount of money spent on sending verification SMS to users; for users, there is no longer a need to wait for SMS to arrive, nor to worry about not receiving messages due to a full inbox or being blocked by mobile security software.
Of course, the most important thing is that there will be no terrifying incidents of waking up to find one's assets stripped away.
However, to use the one-click login feature, it is necessary for the app to obtain dual authorization from both the telecom operator and the user, and to develop using an SDK that has been authorized with an electronic signature by the telecom operator.