Yajin Zhou,Xuxian Jiang

2013-01-01

Abstract:In this paper, we systematically study two vulnerabilities and their presence in existing Android applications (or “apps”). These two vulnerabilities are rooted in an unprotected Android component, i.e., content provider, inside vulnerable apps. Because of the lack of necessary access control enforcement, affected apps can be exploited to either passively disclose various types of private in-app data or inadvertently manipulate certain security-sensitive in-app settings or configurations that may subsequently cause serious system-wide side effects (e.g., blocking all incoming phone calls or SMS messages). To assess the prevalence of these two vulnerabilities, we analyze 62, 519 apps collected in February 2012 from various Android markets. Our results show that among these apps, 1, 279 (2.0%) and 871 (1.4%) of them are susceptible to these two vulnerabilities, respectively. In addition, we find that 435 (0.7%) and 398 (0.6%) of them are accessible from official Google Play and some of them are extremely popular with more than 10, 000, 000 installs. The presence of a large number of vulnerable apps in popular Android markets as well as the variety of private data for leaks and manipulation reflect the severity of these two vulnerabilities. To address them, we also explore and examine possible mitigation solutions.

Wu Zhou,Yajin Zhou,Xuxian Jiang,Peng Ning

DOI: https://doi.org/10.1145/2133601.2133640

2012-01-01

Abstract:Recent years have witnessed incredible popularity and adoption of smartphones and mobile devices, which is accompanied by large amount and wide variety of feature-rich smartphone applications. These smartphone applications (or apps), typically organized in different application marketplaces, can be conveniently browsed by mobile users and then simply clicked to install on a variety of mobile devices. In practice, besides the official marketplaces from platform vendors (e.g., Google and Apple), a number of third-party alternative marketplaces have also been created to host thousands of apps (e.g., to meet regional or localization needs). To maintain and foster a hygienic smartphone app ecosystem, there is a need for each third-party marketplace to offer quality apps to mobile users. In this paper, we perform a systematic study on six popular Android-based third-party marketplaces. Among them, we find a common "in-the-wild" practice of repackaging legitimate apps (from the official Android Market) and distributing repackaged ones via third-party marketplaces. To better understand the extent of such practice, we implement an app similarity measurement system called DroidMOSS that applies a fuzzy hashing technique to effectively localize and detect the changes from app-repackaging behavior. The experiments with DroidMOSS show a worrisome fact that 5% to 13% of apps hosted on these studied marketplaces are repackaged. Further manual investigation indicates that these repackaged apps are mainly used to replace existing in-app advertisements or embed new ones to "steal" or re-route ad revenues. We also identify a few cases with planted backdoors or malicious payloads among repackaged apps. The results call for the need of a rigorous vetting process for better regulation of third-party smartphone application marketplaces.

Yajin Zhou,Zhi Wang,Wu Zhou,Xuxian Jiang

2012-01-01

Abstract:In this paper, we present a systematic study for the detection of malicious applications (or apps) on popular Android Markets. To this end, we first propose a permissionbased behavioral footprinting scheme to detect new samples of known Android malware families. Then we apply a heuristics-based filtering scheme to identify certain inherent behaviors of unknown malicious families. We implemented both schemes in a system called DroidRanger. The experiments with 204, 040 apps collected from five different Android Markets in May-June 2011 reveal 211 malicious ones: 32 from the official Android Market (0.02% infection rate) and 179 from alternative marketplaces (infection rates ranging from 0.20% to 0.47%). Among those malicious apps, our system also uncovered two zero-day malware (in 40 apps): one from the official Android Market and the other from alternative marketplaces. The results show that current marketplaces are functional and relatively healthy. However, there is also a clear need for a rigorous policing process, especially for non-regulated alternative marketplaces.

Wu Zhou,Yajin Zhou,Michael C. Grace,Xuxian Jiang,Shihong Zou

DOI: https://doi.org/10.1145/2435349.2435377

2013-01-01

Abstract:Mobile applications (or apps) are rapidly growing in number and variety. These apps provide useful features, but also bring certain privacy and security risks. For example, malicious authors may attach destructive payloads to legitimate apps to create so-called "piggybacked" apps and advertise them in various app markets to infect unsuspecting users. To detect them, existing approaches typically employ pair-wise comparison, which unfortunately has limited scalability. In this paper, we present a fast and scalable approach to detect these apps in existing Android markets. Based on the fact that the attached payload is not an integral part of a given app's primary functionality, we propose a module decoupling technique to partition an app's code into primary and non-primary modules. Also, noticing that piggybacked apps share the same primary modules as the original apps, we develop a feature fingerprint technique to extract various semantic features (from primary modules) and convert them into feature vectors. We then construct a metric space and propose a linearithmic search algorithm (with O(n log n) time complexity) to efficiently and scalably detect piggybacked apps. We have implemented a prototype and used it to study 84,767 apps collected from various Android markets in 2011. Our results show that the processing of these apps takes less than nine hours on a single machine. In addition, among these markets, piggybacked apps range from 0.97% to 2.7% (the official Android Market has 1%). Further investigation shows that they are mainly used to steal ad revenue from the original developers and implant malicious payloads (e.g., for remote bot control). These results demonstrate the effectiveness and scalability of our approach.

Shuai Li,Zhemin Yang,Guangliang Yang,Hange Zhang,Nan Hua,Yurui Huang,Min Yang

2023-01-01

Abstract:Recent years have witnessed the rapid development of mobile services, spanning almost every field. To characterize users and provide personalized and targeted services, user tag sharing, which labels users and shares their data, is becoming increasingly popular. Its security attracts more and more attention, and a series of privacy issues have been reported in several specific services. However, up to now, there still lacked a thorough and comprehensive understanding of the characteristics and security of user tag sharing. In this work, we conduct a systematic study of user tag sharing and its security. We first model user tag sharing with three phases, and discover that the privacy security issue commonly exists in practice. We generalize and formalize the privacy issue as user tag spoofing. Then, we propose a novel network-level smart fuzzing approach, called UTSFuzzer, against user tag spoofing. The key idea behind UTSFuzzer is to explore a large number of valid user tag values as input to imitate user tag spoofing against real-world mobile services. By applying UTSFuzzer on a large scale of real-world popular apps, we verify the effectiveness of UTSFuzzer and unveil that 100 mobile apps (including 115 mobile services) are vulnerable to user tag spoofing. The accumulated installations of all affected apps (users) reach more than 413 million. Additionally, UTSFuzzer shows user tag spoofing can cause serious attack efforts, including economic loss and user activity monitoring.

Wangchenlu Huang,Shenao Wang,Yanjie Zhao,Guosheng Xu,Haoyu Wang

2024-05-17

Abstract:In the digital era, Online Social Networks (OSNs) play a crucial role in information dissemination, with sharing cards for link previews emerging as a key feature. These cards offer snapshots of shared content, including titles, descriptions, and images. In this study, we investigate the construction and dissemination mechanisms of these cards, focusing on two primary server-side generation methods based on Share-SDK and HTML meta tags. Our investigation reveals a novel type of attack, i.e., Sharing Card Forgery (SCF) attack that can be exploited to create forged benign sharing cards for malicious links. We demonstrate the feasibility of these attacks through practical implementations and evaluate their effectiveness across 13 various online social networks. Our findings indicate a significant risk, as the deceptive cards can evade detection and persist on social platforms, thus posing a substantial threat to user security. We also delve into countermeasures and discuss the challenges in effectively mitigating these types of attacks. This study not only sheds light on a novel phishing technique but also calls for heightened awareness and improved defensive strategies in the OSN ecosystem.

Cryptography and Security

Wei Liu,Yueqian Zhang,Zhou Li,Hai-Xin Duan

DOI: https://doi.org/10.1145/2994459.2994472

2016-01-01

Abstract:We studied a new type of fraudulent activities, usage fraud, on Android platform in this paper. Different from previous fraud on mobile platforms targeting advertisers or mobile users, usage fraud was invented to boost usage statistics on third-party analytics platforms like Google Analytics to cheat investors. To understand the business model and infrastructures employed by the fraudsters, we infiltrated two underground services, Laicaimao and Anzhibao. A number of insights have been gained during this course, including the use of emulators and manipulation of user identifiers. In addition, we evaluated the efficacy of the existing fraud services and the defense status quo on 8 popular analytics platforms. Our result indicates that the fraud services are indeed capable of crafting valid usage numbers and the basic checks are missed by analytics platforms. We give several recommendations in the end and call for the contribution from the community to fight against this new type of fraud.

Shaoyong Du,Pengxiong Zhu,Jingyu Hua,Zhiyun Qian,Zhao Zhang,Xiaoyu Chen,Sheng Zhong

DOI: https://doi.org/10.1109/tdsc.2018.2889486

2021-01-01

Abstract:Android shared storage is shared with all the applications (apps for short) and the user. It is common to see that a large amount of apps store different kinds of files on it. It is well known that apps granted the read or write permissions can freely access any files in the shared storage. As a consequence, the shared storage has been demonstrated to expose sensitive information and jeopardize users' privacy. In this paper, we systematically study a simple but overlooked threat related to the shared storage-the lack of input validation (e.g., integrity verifications) when consuming files on the shared storage. We argue that the untrusted input from the shared storage is a much ubiquitous problem. By undertaking an empirically study through a static analysis tool we develop, we find over 30 percent of the 13,746 analyzed popular apps on the market suffer from such problem. By investigating the types of files consumed, we find shockingly a large fraction of apps store and consume sensitive files, which allows us to construct end-to-end attacks. Considering the ubiquity of this class of vulnerabilities, we finally define better access control policies for external storage to eliminate them for most apps.

Jiangrong Wu,Yuhong Nan,Luyi Xing,Jiatao Cheng,Zimin Lin,Zibin Zheng,Min Yang

DOI: https://doi.org/10.14722/ndss.2024.24138

2024-01-01

Abstract:Cross-app content sharing is one of the prominent features widely used in mobile apps.For example, a short video from one app can be shared to another (e.g., a messaging app) and further viewed by other users.In many cases, such Crossapp content sharing activities could have privacy implications for both the sharer and sharee, such as exposing app users' personal interests.In this paper, we provide the first in-depth study on the privacy implications of Cross-app content sharing (as we call Cracs) activities in the mobile ecosystem.Our research showed that during the sharing process, the adversary can not only track and infer user interests as traditional web trackers but also cause other severe privacy implications to app users.More specifically, due to multiple privacy-intrusive designs and implementations of Cracs, an adversary can easily reveal a user's social relations to an outside party, or unnecessarily expose user identities and her associated personal data (e.g., user accounts in another app).Such privacy implications are indeed a concern for app users, as confirmed by a user study we have performed with 300 participants.To further evaluate the impact of our identified privacy implications at large, we have designed an automatic pipeline named Shark, combined with static analysis and dynamic analysis to effectively identify whether a given app introduces unnecessary data exposure in Cracs.We analyzed 300 top downloaded apps collected from app stores in both the US and China.The analysis results showed that over 55% of the apps from China and 10% from the US are indeed problematic.

Xing Han,Yuheng Zhang,Xue Zhang,Zeyuan Chen,Mingzhe Wang,Yiwei Zhang,Siqi Ma,Yu Yu,Elisa Bertino,Juanru Li

2023-01-01

Abstract:Smartphone users are eliminating traditional QR codes as many apps have integrated QR code scanning as a built-in functionality. With the support of embedded QR code scanning components, apps can read QR codes and immediately execute relevant activities, such as boarding a flight. Handling QR codes in such an automated manner is obviously user-friendly. However, this automation also creates an opportunity for attackers to exploit apps through malicious QR codes if the apps fail to properly check these codes. In this paper, we systematize and contextualize attacks on mobile apps that use built-in QR code readers. We label these as MEDUSA attacks, which allow attackers to remotely exploit the in-app QR code scanning of a mobile app. Through a MEDUSA attack, remote attackers can invoke a specific type of app functions - Remotely Accessible Handlers (RAHs), and perform tasks such as sending authentication tokens or making a payment. We conducted an empirical study on 800 very popular Android and iOS apps with billions of users in the two largest mobile ecosystems, the US and mainland China mobile markets, to investigate the prevalence and severity of MEDUSA attack related security vulnerabilities. Based on our proposed vulnerability detection technique, we thoroughly examined the target apps and discovered that a wide range of them are affected. Among the 377/800 apps with in-app QR code scanning functionality, we found 123 apps containing 2,872 custom RAHs that were vulnerable to the MEDUSA attack. By constructing proof-of-concept exploits to test the severity, we confirmed 46 apps with critical or high-severity vulnerabilities, which allows attackers to access sensitive local resources or remotely modify the user data.

Xiaohan Zhang,Yuan Zhang,Qianqian Mo,Hao Xia,Zhemin Yang,Min Yang,Xiaofeng Wang,Long Lu,Haixin Duan

2018-01-01

Abstract:Mobile apps have become the main channel for accessing Web services. Both Android and iOS feature inapp Web browsers that support convenient Web service integration through a set of Web resource manipulation APIs. Previous work have revealed the attack surfaces of Web resource manipulation APIs and proposed several defense mechanisms. However, none of them provides evidence that such attacks indeed happen in the real world, measures their impacts, and evaluates the proposed defensive techniques against real attacks. This paper seeks to bridge this gap with a large-scale empirical study onWeb resource manipulation behaviors in real-world Android apps. To this end, we first define the problem as cross-principal manipulation (XPM) of Web resources, and then design an automated tool named XPMChecker to detect XPM behaviors in apps. Through a study on 80,694 apps from Google Play, we find that 49.2% of manipulation cases are XPM, 4.8% of the apps have XPM behaviors, and more than 70% XPM behaviors aim at top Web sites. More alarmingly, we discover 21 apps with obvious malicious intents, such as stealing and abusing cookies, collecting user credentials and impersonating legitimate parties. For the first time, we show the presence of XPM threats in real-world apps. We also confirm the existence of such threats in iOS apps. Our experiments show that popular Web service providers are largely unaware of such threats. Our measurement results contribute to better understanding of such threats and the development of more effective and usable countermeasures.

Jice Wang,Yue Xiao,Xueqiang Wang,Yuhong Nan,Luyi Xing,Xiaojing Liao,JinWei Dong,Nicolas Serrano,Haoran Lu,XiaoFeng Wang,Yuqing Zhang

2021-01-01

Abstract:Recent years have witnessed the rise of security risks of libraries integrated in mobile apps, which are reported to steal private user data from the host apps and the app backend servers. Their security implications, however, have never been fully understood. In our research, we brought to light a new attack vector long been ignored yet with serious privacy impacts - malicious libraries strategically target other vendors' SDKs integrated in the same host app to harvest private user data (e.g., Facebook's user profile). Using a methodology that incorporates semantic analysis on an SDK's Terms of Services (ToS, which describes restricted data access and sharing policies) and code analysis on cross-library interactions, we were able to investigate 1.3 million Google Play apps and the ToSes from 40 highly-popular SDKs, leading to the discovery of 42 distinct libraries stealthily harvesting data from 16 popular SDKs, which affect more than 19K apps with a total of 9 billion downloads. Our study further sheds light on the underground ecosystem behind such library-based data harvesting (e.g., monetary incentives for SDK integration), their unique strategies (e.g., hiding data in crash reports and using C2 server to schedule data exfiltration) and significant impacts.

Tianming Liu,Haoyu Wang,Li Li,Xiapu Luo,Feng Dong,Yao Guo,Liu Wang,Tegawende Bissyande,Jacques Klein

DOI: https://doi.org/10.1145/3366423.3380242

2020-01-01

Abstract:Advertisement drives the economy of the mobile app ecosystem. As a key component in the mobile ad business model, mobile ad content has been overlooked by the research community, which poses a number of threats, e.g., propagating malware and undesirable contents. To understand the practice of these devious ad behaviors, we perform a large-scale study on the app contents harvested through automated app testing. In this work, we first provide a comprehensive categorization of devious ad contents, including five kinds of behaviors belonging to two categories: ad loading content and ad clicking content. Then, we propose MadDroid, a framework for automated detection of devious ad contents. MadDroid leverages an automated app testing framework with a sophisticated ad view exploration strategy for effectively collecting ad-related network traffic and subsequently extracting ad contents. We then integrate dedicated approaches into the framework to identify devious ad contents. We have applied MadDroid to 40,000 Android apps and found that roughly 6% of apps deliver devious ad contents, e.g., distributing malicious apps that cannot be downloaded via traditional app markets. Experiment results indicate that devious ad contents are prevalent, suggesting that our community should invest more effort into the detection and mitigation of devious ads towards building a trustworthy mobile advertising ecosystem.

Hongyi Chen,Jinshu Su,Linbo Qiao,Yi Zhang,Qin Xin

DOI: https://doi.org/10.1007/978-3-030-00018-9_41

2018-01-01

Abstract:Android has become the most popular platform for mobile devices, and also it has become a popular target for malware developers. At the same time, researchers have proposed a large number of methods, both static and dynamic analysis methods, to fight against malwares. Among these, Machine learning based methods are quite effective in Android malware detection, the accuracy of which can be up to 98%. Thus, malware developers have the incentives to develop more advanced malwares to evade detection. This paper presents an adversary attack pattern that will compromise current machine learning based malware detection methods. The malware developers can perform this attack easily by splitting malicious payload into two or more apps. The split apps will all be classified as benign by current methods. Thus, we proposed a method to deal with this issue. This approach, realized in a tool, called ColluDroid, can identify the collusion apps by analyzing the communication between apps. The evaluation results show that ColluDroid is effective in finding out the collusion apps. Also, we showed that it’s easy to split an app to evade detection. According to our split simulation, the evasion rate is 78%, when split into two apps; while the evasion rate comes to 94.8%, when split into three apps.

Tongxin Li,Xueqiang Wang,Mingming Zha,Kai Chen,XiaoFeng Wang,Luyi Xing,Xiaolong Bai,Nan Zhang,Xinhui Han

DOI: https://doi.org/10.1145/3133956.3134021

2017-01-01

Abstract:As a critical feature for enhancing user experience, cross-app URL invocation has been reported to cause unauthorized execution of app components. Although protection has already been put in place, little has been done to understand the security risks of navigating an app's WebView through an URL, a legitimate need for displaying the app's UI during cross-app interactions. In our research, we found that the current design of such cross-WebView navigation actually opens the door to a cross-app remote infection, allowing a remote adversary to spread malicious web content across different apps' WebView instances and acquire stealthy and persistent control of these apps. This new threat, dubbed Cross-App WebView Infection (XAWI), enables a series of multi-app, colluding attacks never thought before, with significant real world impacts. Particularly, we found that the remote adversary can collectively utilize multiple infected apps' individual capabilities to escalate his privileges on a mobile device or orchestrate a highly realistic remote Phishing attack (e.g., running a malicious script in Chrome to stealthily change Twitter's WebView to fake Twitter's own login UI). We show that the adversary can easily find such attack "building blocks" (popular apps whose WebViews can be redirected by another app) through an automatic fuzz, and discovered about 7.4% of the most popular apps subject to the XAWI attacks, including Facebook, Twitter, Amazon and others. Our study reveals the contention between the demand for convenient cross-WebView communication and the need for security control on the channel, and makes the first step toward building OS-level protection to safeguard this fast-growing technology.

Tong Zhu,Yan Meng,Haotian Hu,Xiaokuan Zhang,Minhui Xue,Haojin Zhu

DOI: https://doi.org/10.1145/3460120.3484546

2021-09-15

Abstract:Although the use of pay-per-click mechanisms stimulates the prosperity of the mobile advertisement network, fraudulent ad clicks result in huge financial losses for advertisers. Extensive studies identify click fraud according to click/traffic patterns based on dynamic analysis. However, in this study, we identify a novel click fraud, named humanoid attack, which can circumvent existing detection schemes by generating fraudulent clicks with similar patterns to normal clicks. We implement the first tool ClickScanner to detect humanoid attacks on Android apps based on static analysis and variational AutoEncoder (VAE) with limited knowledge of fraudulent examples. We define novel features to characterize the patterns of humanoid attacks in the apps' bytecode level. ClickScanner builds a data dependency graph (DDG) based on static analysis to extract these key features and form a feature vector. We then propose a classification model only trained on benign datasets to overcome the limited knowledge of humanoid attacks. We leverage ClickScanner to conduct the first large-scale measurement on app markets (i.e.,120,000 apps from Google Play and Huawei AppGallery) and reveal several unprecedented phenomena. First, even for the top-rated 20,000 apps, ClickScanner still identifies 157 apps as fraudulent, which shows the prevalence of humanoid attacks. Second, it is observed that the ad SDK-based attack (i.e., the fraudulent codes are in the third-party ad SDKs) is now a dominant attack approach. Third, the manner of attack is notably different across apps of various categories and popularities. Finally, we notice there are several existing variants of the humanoid attack. Additionally, our measurements demonstrate the proposed ClickScanner is accurate and time-efficient (i.e., the detection overhead is only 15.35% of those of existing schemes).

Cryptography and Security

Hongchen Cao,Shuai Li,Yuming Zhou,Ming Fan,Xuejiao Zhao,Yutian Tang

DOI: https://doi.org/10.1002/smr.2528

2024-01-01

Abstract:Deep learning is a powerful technique to boost application performance in various fields, including face recognition, image classification, natural language understanding, and recommendation system. With the rapid increase in the computing power of mobile devices, developers can embed deep learning models into their apps for building more competitive products with more accurate and faster responses. Although there are several works of adversarial attacks against deep learning models in apps, they all need information about the models' internals (i.e., structures and weights) or need to modify the models. In this paper, we propose an effective black-box approach by training substitute models to spoof the deep learning systems inside the apps. We evaluate our approach on 10 real-world deep-learning apps from Google Play to perform black-box adversarial attacks. Through the study, we find three factors that can affect the performance of attacks. Our approach can reach a relatively high attack success rate of 66.60% on average. Compared with other adversarial attacks on mobile deep learning models, in terms of the average attack success rates, our approach outperforms its counterparts by 27.63%.

Yifeng Cai,Ziqi Zhang,Ding Li ,Yao Guo ,Xiangqun Chen

DOI: https://doi.org/10.1145/3605762.3624426

2023-01-01

Abstract:The rapid digitization of various services has led to the emergence of super apps, providing an array of utilities under one application. A common usage scenario of such platforms, such as Alipay, involves shared accounts by multiple users, typically within a family. However, this shared use poses a unique challenge to the security protocols designed to prevent unauthorized access, as they can misinterpret legitimate multi-user behavior as fraudulent activity. In this paper, we explore the complexities involved in accurately discerning such shared usage from potential security threats and investigate current solutions. It aims to stimulate discussion around a more flexible, adaptive, and user-inclusive approach to account security in the evolving landscape of super apps.

Yunhao Liu,Xiaohong Li,Zhiyong Feng,Jianye Hao

DOI: https://doi.org/10.1007/978-3-319-68690-5_19

2017-01-01

Abstract:Android applications can leak sensitive information through collusion, which gives the smartphone users a great security risk. We propose an Android collusion attack detection method based on control flow and data flow analysis. This method gives analysis of data propagation between different applications firstly. And then, a multi-apps program slice model based on both data and control flow are given. Last, the privacy data leakage paths of multi-apps are computed by reaching-definition analysis. Meanwhile, the criterions of mobile device information leakage edge are redefined according to the correlation of mobile devices. Based on the above principle, we implemented an Android collusion attack sensitive information leakage detection tools called CollusionDetector. Case study is carried out for typical collusion attack scenarios and it can obtain better results than existing tools and methods. Experiments show that the analysis of control flow can more accurately find the path of privacy propagation, and more effectively to identify collusion attacks.

Zhibo Zhang,Zhangyue Zhang,Keke Lian,Guangliang Yang,Lei Zhang,Yuan Zhang,Min Yang

DOI: https://doi.org/10.1145/3605762.3624430

2023-01-01

Abstract:Emerging app-in-app ecosystems (e.g., WeChat) provide a lightweight and efficient WebView-based runtime for mini-apps, which frequently load rich web content from remote servers and access sensitive resources via APIs provided by the super-apps (a.k.a. the app-in-app frameworks). Inspired by the content security policy (CSP), super-apps enforce a domain-based allowlist to prevent mini-apps from loading untrusted and malicious web content. In this paper, we observe that the domain-based allowlist mechanism is unreliable in app-in-app ecosystems because it assumes all web pages under the allowlist domain are trusted. To demonstrate such weakness, we propose a novel attack called Trusted Domain Compromise (TDC) Attack, along with two interesting attack vectors, through which attackers can manipulate unsafe domains or URLs to bypass the allowlist check and launch phishing attack or abuse runtime APIs. Thereafter, we conduct the first empirical study on the TDCAttack in the real-world app-in-app ecosystems. Specifically, we investigate the underlying reasons for the failure of the allowlist mechanism and propose an automated analysis framework for identifying TDCAttacks in real-world mini-apps. Our experiment shows that popular app-in-app ecosystems including WeChat, Alipay, and Baidu are all vulnerable to the TDCAttack. Further, we have identified 26 exploitable real-world mini-apps.