One-click login by mobile phone number is a login method that has appeared in applications over the last two or three years. It is much more convenient than SMS verification-code login. When logging in, the application first shows the user an authorization page displaying a masked version of the phone number in the device; after the user taps the "Agree to authorize" button, the application obtains the complete number and completes login authentication. What the application actually establishes in this process is that the login attempt originates from the phone holding the SIM card bound to that number. Seen that way it is not fundamentally different from SMS verification-code login: both are device-possession authentication. This article looks at the technical details.

To protect user privacy, both Android and iOS restrict an application's ability to read the device's own phone number. Even when a number is obtained by some technical means, it may have been tampered with, so reading the local number directly is not a viable basis for login. So where do these apps get the real number? From the telecom operators, who must know the correct phone number in order to route calls, provide Internet access and bill for them. The three domestic operators, China Mobile, China Unicom and China Telecom, have all opened up this capability. For operators that the Internet wave has turned into mere pipes, this can be regarded as a meaningful, proactive move.

How mobile data Internet access works

Mobile phone number one-click login works by going through the phone's mobile data (cellular) connection, so the first thing to understand is how mobile data access works.

There are many articles about one-click login on the Internet, but their content is basically the same: the phone number is described as being obtained "through the operator's data gateway capability", in language so vague that anyone who wants to understand the technology finds it unsatisfying. This chapter explains how that data-gateway capability is actually implemented. Telecommunications is a complex specialty that I have not formally studied, and readers will not want to wade through a lot of jargon, so only a few key terms are kept and the mechanism is described as plainly as possible.

Five layer network model

If you are familiar with networking, you know the five-layer model (physical, data link, network, transport, application). How does that model differ when the phone goes online over mobile data?

As can be seen from the figure above, the main differences lie in the data link layer and the physical layer. At the data link layer, mobile data access has no concept of a MAC address: the phone side sees a point-to-point link, historically set up as a PPP session in a dial-up style (which is why establishing the data connection is still referred to as "dialing"). On the LTE air interface itself the link layer is the radio protocol stack rather than PPP, and modern basebands usually hand raw IP packets to the operating system, but the point-to-point nature is the same. At the physical layer, the phone's built-in baseband module modulates and demodulates the radio signal, communicating with the base station over electromagnetic waves.

Mobile data access mechanism

The point-to-point protocol supports authentication, and the mobile terminal identifies itself when it connects, normally with the IMSI stored in the phone's SIM card. The IMSI is also stored in the operator's database, so the operator's core network (not the base station itself) can verify the identity of the connecting subscriber. The verification is not a simple comparison of the IMSI; there are stronger security mechanisms, namely a challenge-response exchange keyed on a secret shared between the SIM card and the operator. To get a clearer picture of the mobile data mechanism, here is another diagram of the interaction between the phone and the operator when it goes online over 4G:

Core components

Mobile phone: the key components for mobile data access are the SIM card and the baseband module. The IMSI (International Mobile Subscriber Identity) is stored on the SIM card and is the identity of the card.

Base station: the familiar steel-frame tower outside, a radio station that sends and receives within a certain range. The phone connects to it over the air, and it in turn connects over fibre to the operator's network for mobile communications.

MME: Mobility Management Entity. When a phone establishes a connection it talks to the MME first. The MME is responsible for access control between the phone and the base station, authentication of the SIM card, session management, security of the transmission path, roaming control, inter-operator communication, and so on.

HSS: Home Subscriber Server. Stores the information on the operator's own subscribers' SIM cards, including the mapping between IMSI and phone number, the subscriber's plan, the subscriber's current location, and so on.

S-GW: Serving Gateway. In a 4G network, the gateway between the user side and the operator's core network. Whether access is granted, which services may be used and where they may be used are controlled here; inter-operator accounting and roaming accounting are also done here.

P-GW: PDN Gateway. The gateway between the operator's core network and the Internet; this is where the phone really reaches the Internet. It assigns the phone an IP address, controls bandwidth, meters data for charging, and more.

PCRF: Policy and Charging Rules Function, which holds the policy and charging rules for each subscriber.

The process of going online

For ease of understanding, the process of going online is roughly divided into two parts (corresponding to 1 and 2 in the figure above):

  • 1 Access: the phone establishes a connection carrying its IMSI and reaches the MME through the base station. The MME verifies the IMSI with the HSS and does some initialisation, then returns authentication parameters to the phone; the phone performs a computation on them (using the secret key held in the SIM card) and returns the result; the MME verifies the result and, if it checks out, grants access. This process secures the access itself. The MME also provides encryption for subsequent data transmission so that data is protected from eavesdropping and tampering. Interested readers can look deeper into this.

    The SIM card does not necessarily contain the phone number when it is sold; the authoritative mapping from IMSI to phone number lives in the HSS. When such a card registers for the first time, the operator takes the number from the HSS and writes it into the card.

    In practice, to prevent tracking and attacks, the IMSI is not sent on every exchange. The MME generates a temporary identifier, the GUTI, that maps to the IMSI, much like the session ID in a web application, and the MME has mechanisms controlling when GUTIs are reallocated.

  • 2 Transfer: the phone's data traffic still goes through the base station first, then on to the S-GW. The S-GW checks the user's authorization, much as a web application checks the session ID submitted by the front end and then checks whether the user is permitted to perform the requested operation; here the check is whether the subscriber has mobile data enabled. The S-GW does this in conjunction with the MME. Once S-GW processing is complete, the packets go to the P-GW. The P-GW assigned the phone an IP address when the data session was set up, and the packets now leave through it to the Internet to reach the requested resources. The P-GW also performs rate control and traffic charging; these policies come from the PCRF, whose rules are computed from the subscriber's plan and tier stored in the HSS.

    For the P-GW, the S-GW hides the user's mobility: when the phone moves between base stations, the S-GW does not change.

That is the basic principle of mobile data access. It can be seen that, via the IMSI or GUTI, the operator is fully capable of determining the phone number of the subscriber currently online. I haven't found any published description of how the operators' one-click login is implemented, but one can imagine it like this: the operator's SDK inside the mobile application issues a number-retrieval request that is carried over the cellular data session, which the S-GW has already authenticated; the request is routed to the operator's number-retrieval service in the core network, which resolves the session back to the subscriber, looks up the phone number in the HSS and processes it according to business rules (masking it, for example). A common way for such services to identify the session is the source IP address that the P-GW assigned to the phone, which is also why the lookup only works when the request actually goes out over cellular data rather than Wi-Fi.
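The following is an added toy model of the two passages above (the attach with its challenge-response, and the session-to-phone-number lookup); it is illustration written for this article, not operator code. The real SIM/HSS key derivation (MILENAGE) and the exact AUTN layout are replaced by an HMAC-SHA256 stand-in so the script runs stand-alone; the subscriber record, key and phone number are constructed sample data, and the class and function names are this example's own.

```python
"""Toy model of 4G attach (challenge-response on the SIM secret), GUTI
issuance and the IMSI -> phone number lookup an operator can perform.
Added illustration; HMAC-SHA256 stands in for MILENAGE, and AUTN is
simplified to SQN || MAC."""
import hashlib
import hmac
import os
import secrets


def f(k: bytes, *parts: bytes) -> bytes:
    """Stand-in for the MILENAGE f-functions: a keyed PRF over the inputs."""
    return hmac.new(k, b"".join(parts), hashlib.sha256).digest()


class HSS:
    """Home Subscriber Server: IMSI -> (secret key K, phone number, SQN)."""

    def __init__(self):
        # Constructed sample subscriber; the key is random per run.
        self.subs = {
            "460001234567890": {"k": os.urandom(16), "msisdn": "13800138000", "sqn": 0},
        }

    def auth_vector(self, imsi):
        s = self.subs[imsi]
        s["sqn"] += 1                                 # fresh sequence number
        rand = os.urandom(16)
        sqn = s["sqn"].to_bytes(6, "big")
        mac = f(s["k"], b"mac", sqn, rand)            # proves the network knows K
        xres = f(s["k"], b"res", rand)                # expected answer from the SIM
        kasme = f(s["k"], b"kasme", sqn, rand)        # session key for later ciphering
        return rand, sqn + mac, xres, kasme

    def msisdn_of(self, imsi):
        return self.subs[imsi]["msisdn"]


class SIM:
    def __init__(self, imsi, k):
        self.imsi, self.k, self.sqn_seen = imsi, k, 0

    def respond(self, rand, autn):
        sqn, mac = autn[:6], autn[6:]
        # Mutual authentication: a challenge not built with our K is a fake network.
        if not hmac.compare_digest(mac, f(self.k, b"mac", sqn, rand)):
            raise ValueError("AUTN MAC failure: network not authenticated")
        n = int.from_bytes(sqn, "big")
        if n <= self.sqn_seen:
            raise ValueError("SQN replay")
        self.sqn_seen = n
        return f(self.k, b"res", rand)


class MME:
    def __init__(self, hss):
        self.hss = hss
        self.guti_to_imsi = {}
        self.sessions = {}      # guti -> session key

    def attach(self, sim):
        rand, autn, xres, kasme = self.hss.auth_vector(sim.imsi)
        res = sim.respond(rand, autn)
        if not hmac.compare_digest(res, xres):
            raise PermissionError("RES mismatch: attach rejected")
        guti = secrets.token_hex(8)             # temporary id used instead of the IMSI
        self.guti_to_imsi[guti] = sim.imsi
        self.sessions[guti] = kasme
        return guti

    def imsi_of(self, guti):
        return self.guti_to_imsi[guti]


def mask_msisdn(msisdn):
    return msisdn[:3] + "****" + msisdn[-4:]


def number_service(mme, hss, guti, masked=True):
    """The 'number retrieval' service: session identity -> IMSI -> phone number."""
    imsi = mme.imsi_of(guti)
    msisdn = hss.msisdn_of(imsi)
    return mask_msisdn(msisdn) if masked else msisdn


def demo():
    hss = HSS()
    imsi = "460001234567890"
    sim = SIM(imsi, hss.subs[imsi]["k"])       # genuine SIM shares K with the HSS
    mme = MME(hss)
    guti = mme.attach(sim)
    return guti, number_service(mme, hss, guti), number_service(mme, hss, guti, masked=False)


def rogue_sim_rejected():
    """A SIM presenting a valid IMSI but the wrong K cannot attach."""
    hss = HSS()
    mme = MME(hss)
    rogue = SIM("460001234567890", os.urandom(16))
    try:
        mme.attach(rogue)
        return False
    except (PermissionError, ValueError):
        return True


if __name__ == "__main__":
    print(demo(), rogue_sim_rejected())
```

The point of the model is that knowing an IMSI is worthless without K: the rogue SIM fails at the first step, while the genuine one gets a GUTI, and from then on the operator can turn that GUTI into a phone number without the phone ever sending the number itself.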

The principle of one-click login

Having understood how mobile data access works, let's look at how the one-click login business logic is implemented. This part belongs to upper-layer application development and should be relatively familiar.

If you have integrated WeChat third-party login, or a similar third-party login, the process is similar. Let's start with the picture:

Here are some key steps:

  • 2 Pre-fetch the masked phone number: the masked number must be shown on the page that asks the user for authorization. Because it has to be fetched through the operator's network it may be slow, so to improve the user experience the application can fetch the mask at start-up and cache it for a period of time.

  • 8 Authorization request: retrieving the user's phone number is sensitive for the application, so the user must understand and authorize it before proceeding. To guarantee this, the operator's authentication SDK provides the authorization page itself. After the user confirms, the SDK requests authentication from the operator's authentication service directly, and the service returns an authentication token to the application. The application then passes the token to its own server, which exchanges it with the operator for the phone number.

  • 17 Generate the application's own authorization token: to maintain the login state of its own users, the application can use the traditional session mechanism or JWT.

  • 3 pre-fetching the mask and 11 requesting authentication both have to go through the phone's cellular network, that is, over mobile data. If both mobile data and Wi-Fi are enabled on the phone, the authentication SDK briefly switches the request onto the cellular interface. If mobile data is disabled, some SDKs also cache a temporary token from the last successful number retrieval, which can still complete a one-click login, but this is very restrictive.

There is also a security issue:

14 Login request: anyone can fabricate an authentication token and submit it to the application service, which in turn forwards it to the operator's authentication service. This is not cross-site scripting; it is an abuse of an endpoint that accepts unverified input. Although such a token will be rejected by the operator, the round trip is wasted, it puts load on the server, and, where the operator charges per verification call, it costs the application money.

WeChat third-party login handles this better. Before the user logs in, the application server generates a random value (the state parameter) and gives it to the front end; the front end carries it through the authorization flow and submits it back with the login request, and the application server verifies it before doing anything else. The same pattern fits one-click login: the application server issues a single-use random value bound to the client session before the authorization step, and refuses to call the operator unless the login request carries it.
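As an added example (written for this article, not the operators' SDK or any real application's code), the exchange in the figure above and the login-request fix just described, in one script. The operator side is a stand-in whose method names (`prefetch_mask`, `authorize`, `get_number`) are this example's own; the step numbers in the comments refer to the figure, and the phone number and client identifiers are constructed sample data.

```python
"""One-click login exchange with a fake operator service, showing the
unprotected login endpoint beside the state-protected one.
Added illustration; the operator API here is invented for the example."""
import secrets
import time


class FakeCarrierAuth:
    """Stand-in for the operator's authentication / number-retrieval service."""

    def __init__(self, msisdn):
        self.msisdn = msisdn
        self.tokens = {}
        self.calls = 0            # every get_number call costs the application

    def prefetch_mask(self):                       # steps 2/3
        return self.msisdn[:3] + "****" + self.msisdn[-4:]

    def authorize(self):                           # steps 8-11: user tapped "agree"
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = time.time() + 120
        return tok

    def get_number(self, tok):                     # steps 14/15: server-to-server
        self.calls += 1
        exp = self.tokens.pop(tok, None)           # token is single use
        if exp is None or exp < time.time():
            return None
        return self.msisdn


class AppServer:
    def __init__(self, carrier):
        self.carrier = carrier
        self.states = {}          # state -> (client session id, expiry)
        self.sessions = {}        # app session token -> phone number

    def begin_login(self, client_sid):
        """Issue a single-use random state bound to this client before step 8."""
        st = secrets.token_urlsafe(16)
        self.states[st] = (client_sid, time.time() + 300)
        return st

    def login_unprotected(self, carrier_token):
        """Original step 14: any caller can make us spend an operator call."""
        number = self.carrier.get_number(carrier_token)
        return self._issue_session(number) if number else None

    def login(self, client_sid, state, carrier_token):
        """Step 14 with the WeChat-style fix: validate and consume state first."""
        owner = self.states.pop(state, None)
        if owner is None or owner[0] != client_sid or owner[1] < time.time():
            return None                            # rejected without an operator call
        number = self.carrier.get_number(carrier_token)
        return self._issue_session(number) if number else None

    def _issue_session(self, number):
        tok = secrets.token_urlsafe(24)            # step 17: server-side session
        self.sessions[tok] = number
        return tok

    def whoami(self, app_token):
        return self.sessions.get(app_token)


def happy_path():
    carrier = FakeCarrierAuth("13800138000")       # constructed sample number
    app = AppServer(carrier)
    mask = carrier.prefetch_mask()
    st = app.begin_login("client-A")
    ctok = carrier.authorize()
    sess = app.login("client-A", st, ctok)
    return mask, app.whoami(sess), carrier.calls


def flood(n=1000):
    """Bogus tokens: the unprotected endpoint burns n operator calls, the fixed one none."""
    carrier = FakeCarrierAuth("13800138000")
    app = AppServer(carrier)
    for _ in range(n):
        app.login_unprotected("bogus")
    wasted = carrier.calls
    for _ in range(n):
        app.login("client-X", "bogus-state", "bogus")
    return wasted, carrier.calls - wasted


def replay_rejected():
    """A state value works once, and only for the client it was issued to."""
    carrier = FakeCarrierAuth("13800138000")
    app = AppServer(carrier)
    st = app.begin_login("client-A")
    stolen = app.begin_login("client-A")
    first = app.login("client-A", st, carrier.authorize())
    second = app.login("client-A", st, carrier.authorize())      # reuse
    third = app.login("client-B", stolen, carrier.authorize())   # wrong client
    return first is not None and second is None and third is None


if __name__ == "__main__":
    print(happy_path(), flood(), replay_rejected())
```

The state value has to be bound to something the attacker cannot forge (here the client session id; in a real deployment a device-bound cookie or an authenticated app session), or a flooder could simply call `begin_login` first.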

Number Authentication Scenario

Besides login, the number-retrieval capability of the operator gateway can also be used to verify a phone number. For example, during payment the user may be asked to enter the phone number, or a few digits of it, and the operator's authentication service then verifies whether that number is the one in the device.

Privacy issues

The device unique-identifier problem

As privacy concerns grow, it is no longer unusual to search for a product on an e-commerce site and then see ads for that product on other sites. There is an even more unsettling case: you merely talk about something with someone, and then see a recommendation for it in an app. Some people guess the app is eavesdropping, but given current public opinion and regulation the risk of eavesdropping is too high, and the reason may really be that the algorithms are that powerful.

In recent years, Android and iOS have restricted apps from obtaining unique identifiers of the phone, such as the IMEI, MAC address, serial number and advertising ID, to prevent a user's information from being correlated across multiple apps, which leaks privacy and brings security problems and legal risk. The cross-app advertising behaviour described above is naturally curbed as well.

While studying the technical principle of one-click login, I saw that some operators provide a unique-ID service bound to the device and SIM card, marketed as an answer to the mobile operating systems restricting access to device identifiers. With privacy protection receiving more and more attention, opening this capability to advertising platforms would be a step backwards.

The problem with mobile phone numbers as identifiers

With phone-number login used so widely in China, it is technically difficult to stop apps from correlating users by phone number and analysing their behaviour comprehensively. For example, a large company operating several popular apps of different kinds is able to know a user far more completely. If this is to be restricted, it will probably have to be done at the legal level. As for phone-number correlation between different companies, commercial interest makes it unlikely to be protected against.

In the domestic business environment, if you really care about your privacy you had better log in with an account and password only; otherwise the alternative is changing your phone number frequently, which is hardly practical.

Phone number resale problem

The pool of phone numbers is finite. To use number resources effectively, a cancelled number is resold by the operator after a period of time. If the new owner logs in to an app with the number, and the number was already registered in that app and has accumulated a large number of usage records, the previous owner's privacy is disclosed. This is one reason people are reluctant to change their phone number: it is registered in so many places, with countless traces of use left behind.

Once you understand the technical principle of one-click login, you will also see that a certain operator provides a "phone number re-bound to a new SIM card" notification service. Based on it, an application can unbind a resold phone number from the application account to protect the user's privacy. As mentioned above, SIM cards are identified by IMSI; when a number is resold it is bound to a new IMSI, and the operator can notify accordingly. Of course, the operator also needs to exclude SIM card replacement and number transfer (porting), which also bind the number to a new IMSI.
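An added example (written for this article, not any operator's or application's code) of how an application might consume such a notification. The notification format (a `phone` and an `event_time`) and all account data are assumptions for illustration; what the example adds beyond the prose is the handling a practitioner needs around the unlink: ignoring unknown numbers, ignoring a stale notice that predates the current verified link, and making sure the new owner's first one-click login lands in a fresh account rather than the old one.

```python
"""Consuming a 'number re-bound to a new SIM' notice to unlink a resold number.
Added illustration; the notice fields and account model are assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Account:
    user_id: str
    phone: Optional[str]
    phone_verified_at: datetime
    needs_reverify: bool = False


class AccountStore:
    def __init__(self):
        self.by_user = {}
        self.by_phone = {}

    def link(self, user_id, phone, when):
        acct = Account(user_id, phone, when)
        self.by_user[user_id] = acct
        self.by_phone[phone] = acct
        return acct

    def on_rebind_notice(self, notice):
        """Operator says notice['phone'] is now bound to a different IMSI.
        Returns the user id that was unlinked, or None if nothing changed."""
        phone, when = notice["phone"], notice["event_time"]
        acct = self.by_phone.get(phone)
        if acct is None:
            return None                         # number unknown to us
        if when <= acct.phone_verified_at:
            return None                         # stale/out-of-order: current link is newer
        del self.by_phone[phone]
        acct.phone = None
        acct.needs_reverify = True              # old owner must verify a new number
        return acct.user_id

    def login_by_number(self, phone, now):
        """One-click login result: after an unlink the new owner gets a new account."""
        acct = self.by_phone.get(phone)
        if acct is None:
            return self.link("user-%d" % (len(self.by_user) + 1), phone, now)
        return acct


def demo():
    """Constructed scenario: u1 verified the number, it is resold, new owner logs in."""
    t0 = datetime(2021, 1, 1, 12, 0)
    store = AccountStore()
    store.link("u1", "13800138000", t0)
    notice = {"phone": "13800138000", "event_time": t0 + timedelta(days=120)}
    unlinked = store.on_rebind_notice(notice)
    again = store.on_rebind_notice(notice)                      # duplicate delivery
    new_owner = store.login_by_number("13800138000", t0 + timedelta(days=121))
    old = store.by_user["u1"]
    return unlinked, again, new_owner.user_id, old.phone, old.needs_reverify


if __name__ == "__main__":
    print(demo())
```

The application cannot itself tell a resale from a SIM replacement by the same owner; that distinction has to be made by the operator before the notice is sent, which is why the text says the operator must exclude card replacement and number porting.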

I have to say this operator service is quite good 👍.


That is the main content of this article. Given my limited ability, corrections are welcome if there are mistakes.

For more architecture content, follow the WeChat public account Firefly Architecture. Original content; please indicate the source when reproducing.