Assistance Required with Secure OTP Verification in Flutter

We are currently developing a financial transaction app using Flutter, and we are facing a critical security concern regarding phone number verification.

We send an OTP to the user’s phone number for authentication and use auto-read functionality to verify it. However, we’ve identified a potential security loophole: if an attacker gains temporary access to a user’s phone, they could redirect the OTP to their own device. Since auto-read is enabled, the OTP is read and verified automatically, compromising user security.

We need a solution where OTPs are strictly bound to the user’s device, ensuring that verification only happens on the intended device. Device binding or a secure way to restrict OTP reading to the original device would be ideal.

I think this is a general issue, not a Flutter related one.

You could check some device identification values. Verify if the OTP was read on a device with the same values it was requested on. It’s not 100%, but makes it harder to circumvent.

Sadly most OTP checks don’t do this. Pretty sure Meta’s codes are usable on another device. Not sure why.

Edit: AndroidDeviceInfo class - device_info_plus library - Dart API. Most of the values here are not unique identifiers, but you can identify the hardware and build versions, so that means that someone would need an identical device to use the code.

I don’t know if there’s a better way for identifying devices. It’s a privacy issue, so newer systems made it harder.

1 Like

Hey @kazi_fahad_lateef,

You’ve raised an important concern. One approach you might consider is linking the OTP request to a temporary device-specific token, like using a secure hash of deviceId + timestamp, stored server-side when the OTP is issued. Then, only allow OTP validation if that same device presents the token back during verification. It’s not bulletproof, but it does raise the bar for anyone trying to hijack the process with temporary access.

1 Like

We’re building a generic, cross-platform solution using device_info_plus, avoiding platform-specific classes like AndroidDeviceInfo to ensure future iOS support. Since some devices return null values, we’re relying on stable fields like hardware and OS build version for consistency.

Your solution seems well thought out—we’ll aim to implement it effectively and appreciate your insightful guidance.

There is also IosDeviceInfo class - device_info_plus library - Dart API

deviceInfo property - DeviceInfoPlugin class - device_info_plus library - Dart API will return the needed platform-specific class.

But yes, this seems unnecessary; you could just assign a temporary deviceId for the device and check it server side. This device info package is just an extra step of making sure it’s an identical device, but it just complicates things, with little added benefit.