| SMS authorization codes play an important role in the application ecosystem,as a number of security operations(e.g.,personal identification,personal modification,online banking etc.)require users to provide a code for authorization purposes.And as smartphones become more advanced,the function of SMS authorization code is expanding.Especially such important operations as payment usually use account password and SMS authorization code to form double-factor protection.When the account is stolen by phishing or other means,SMS authorization code became the last line of defense.However,the SMS authentication code data will also be stolen and forwarded by the attacker,which will bring serious security problems,and may cause huge economic losses to users.In this paper,we propose Code Tracker,a lightweight approach to track and protect SMS authorization codes.This method allows all applications(including malicious application)to read SMS,and it's regardless of their various operations on the authorization code data(e.g.,encryption,secondary storage,etc.),Code Tracker can effectively prevent them from sending SMS authorization code data to the target address.Specifically,we leverage the taint trackingtechnique to mark the authorization code with taint tags at the origin of the incoming SMS messages,and then,the SMS authorization code is always carrying the taint tag in Android.When the data is transferred by methods,assignments,IPC,or secondary storage of files,the tags of the data will not lose in all of operations.To this end,we modify the related array structure,array operations,string operations,IPC mechanism,and file operations for secondary storage of SMS authorization codes to ensure that the taint tags can not be lost and deleted.When the authorization code is sent out via either SMS messages or network connections,we extract the taint tag of the data and enforce pre-defined security policies(e.g.,whitelist,forbid to send data with specific taint tag,prompting users to choose whether to send them or not,etc.)to prevent the code from being leaked.We have developed a prototype of Code Tracker on Android's new generation of ART virtual machines and used 1,218 SMS-stealing android malware samples to evaluate the system.The test results show that the data with SMS authentication code sent through the short message system or network interface was successfully detected the corresponding taint tag by Code Tracker,and Code Tracker successfully prevented the further transmission of these data.In the multi-dimensional performance evaluation(e.g.,compiler performance,Java performance,and IPC performance)for Code Tracker shows that it can effectively track and protect SMS authorization codes with a small performance overhead(< 2%on average). |
PDF Full Text Request