Yuyang Han,Xu Ji,Zhiqiang Wang,Jianyi Zhang

DOI: https://doi.org/10.1145/3605762.362443

2023-11-20

Abstract:The past few years have witnessed a boom of miniapps, as lightweight applications, miniapps are of great importance in the mobile internet sector. Consequently, the security of miniapps can directly impact compromising the integrity of sensitive data, posing a potential threat to user privacy. However, after a thorough review of the various research efforts in miniapp security, we found that their actions in researching the safety of miniapp web interfaces are limited. This paper proposes a triad threat model focusing on users, servers and attackers to mitigate the security risk of miniapps. By following the principle of least privilege and the direction of permission consistency, we design a novel analysis framework for the security risk assessment of miniapps by this model. Then, we analyzed the correlation between the security risk assessment and the threat model associated with the miniapp. This analysis led to identifying potential scopes and categorisations with security risks. In the case study, we identify nine major categories of vulnerability issues, such as SQL injection, logical vulnerabilities and cross-site scripting. We also assessed a total of 50,628 security risk hazards and provided specific examples.

Cryptography and Security

Yuqing Yang,Chao Wang,Yue Zhang,Zhiqiang Lin

DOI: https://doi.org/10.48550/arXiv.2306.07495

2023-06-13

Abstract:The super app paradigm, exemplified by platforms such as WeChat and AliPay, has revolutionized the mobile app landscape by enabling third-party developers to deploy add-ons within these apps. These add-ons, known as miniapps, leverage user data hosted by the super app platforms to provide a wide range of services, such as shopping and gaming. With the rise of miniapps, super apps have transformed into "operating systems", offering encapsulated APIs to miniapp developers as well as in-app miniapp stores for users to explore and download miniapps. In this paper, we provide the first systematic study to consolidate the current state of knowledge in this field from the security perspective: the security measures, threats, and trade-offs of this paradigm. Specifically, we summarize 13 security mechanisms and 10 security threats in super app platforms, followed by a root cause analysis revealing that the security assumptions still may be violated due to issues in underlying systems, implementation of isolation, and vetting. Additionally, we also systematize open problems and trade-offs that need to be addressed by future works to help enhance the security and privacy of this new paradigm.

Cryptography and Security

Zhibo Zhang,Lei Zhang,Guangliang Yang,Yanjun Chen,Jiahao Xu,Min Yang

DOI: https://doi.org/10.1109/tifs.2024.3390553

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:In app-in-app ecosystems, mobile applications (i.e., host apps) often delegate their rich resources to hosted parties (i.e., sub-apps), which can be utilized to provide millions of effective services including shopping, banking, and government. These resources vary from system abilities (e.g., web socket and GPS location) to app and user data (e.g., storage and phone number). This leads to an important research question-carefully design and enforce security regulations on these cross-party delegated resources (CPDR). Real-world host apps, according to our study, adopt 11 common security regulations in protecting the integrity, confidentiality, and availability of CPDR. However, existing practice and compliance between host apps and sub-apps are vague and inconsistent, leading to violations of these security regulations. To the best of our knowledge, no prior works have studied these security regulations. In this paper, we perform the first systematic study of the security regulations and their security weaknesses in real-world app-in-app ecosystems. We propose three novel attack vectors including masquerade attack, data-driven attack, and channel hijacking. We find that violations of the common security regulations are widespread among all 9 studied app-in-app ecosystems. More importantly, such security weakness can lead to severe consequences such as manipulating sub-apps' back-end servers and stealing sensitive user data. We responsibly report all of our findings to host app developers of affected app-in-app ecosystems and help them fix their vulnerabilities. The code of this work is available at https://github.com/TitaniumB/MiniAppSecurity.git.

Jianyi Zhang,Leixin Yang,Yuyang Han,Zhi Sun,Zixiao Xiang

DOI: https://doi.org/10.48550/arXiv.2205.15202

2022-05-30

Cryptography and Security

Abstract:As a new format of mobile application, mini programs, which function within a larger app and are built with HTML, CSS, and JavaScript web technology, have become the way to do almost everything in China. This paper presents our research on the permissions of mini programs. We conducted a systematic study on 9 popular mobile app ecosystems, which host over 7 million mini programs, and tested over 2,580 APIs to understand these emerging systems better. We extracted a common abstracted model for mini programs permission control and revealed six categories of potential security vulnerabilities in the permission environments. It is alarming that the current popular mobile app ecosystems (host apps) under study have at least one security vulnerability. We present the corresponding attack methods to dissect these potential weaknesses further to exploit the discovered vulnerabilities. To prove that the revealed vulnerabilities may cause severe consequences in real-world use, we show three kinds of attacks related to the mini programs' permissions. We have responsibly disclosed the newly discovered vulnerabilities, officially confirmed and revised. Finally, we put forward systematic suggestions to strengthen the standardization of mini programs.

Yuqing Yang,Yue Zhang,Zhiqiang Lin

DOI: https://doi.org/10.1145/3548606.3560597

2022-01-01

Abstract:A miniapp is a full-fledged app that is executed inside a mobile super app such as WeChat or SnapChat. Being mini by nature, it often has to communicate with other miniapps to accomplish complicated tasks. However, unlike a web app that uses network domains (i.e., IP addresses) to navigate between different web apps, a miniapp uses a unique global appId assigned by the super app to navigate between miniapps. Unfortunately, any missing checks of the sender's appId in a receiver miniapp can lead to a new type of attacks we name it cross-miniapp request forgery (CMRF). In addition to demystifying the root cause of this attack (i.e., the essence of the vulnerability), this paper also seeks to measure the popularity of this vulnerability among miniapps by developing CmrfScanner, which is able to statically detect the CMRF-vulnerability based on the abstract syntax tree of miniapp code to determine whether there are any missing checks of the appIds. We have tested CmrfScanner with 2,571,490 WeChat miniapps and 148,512 Baidu miniapps, and identified 52,394 (2.04%) WeChat miniapps and 494 (0.33%) Baidu miniapps that involve cross-communication. Among them, CmrfScanner further identified that 50,281 (95.97%) of WeChat miniapps, and 493 (99.80%) of Baidu miniapps lack the appID checks of the sender's mini-apps, indicating that a large amount of miniapp developers are not aware of this attack. We also estimated the impact of this vulnerability and found 55.05% of the lack of validation WeChat miniapps (7.09% of such Baidu miniapps) can have direct security consequences such as privileged data access, information leakage, promotion abuse, and even shopping for free. We hope that our findings can raise awareness among miniapp developers, and future miniapps will not be subject to CMRF attacks.

Shuai Li,Zhemin Yang,Yunteng Yang,Dingyi Liu,Min Yang

DOI: https://doi.org/10.1109/tifs.2024.3356197

IF: 7.231

2024-02-14

IEEE Transactions on Information Forensics and Security

Abstract:With the characteristics of free installation and rich functionalities, mobile mini-apps have become more and more popular in people's daily life. A large amount of sensitive personal data is thus involved in them and shared across users for providing various services, which raises great privacy concerns. However, few researchers have paid attention to the potential privacy risks that may exist when user data is shared across users in mobile mini-apps. In this paper, we introduce a novel privacy risk that is brought forward by cross-user personal data over-delivery (denoted as XPO) in mobile mini-apps. Such a discovered privacy risk is demonstrated to be able to cause serious leakage of diverse user data. To detect XPO risk, a dynamic and lightweight mini-app analysis framework – XPOScope is proposed. XPOScope is able to automatically identify XPO risk at a large scale. By applying it to 4,273 mini-apps hosted on three popular platforms, i.e., WeChat, Baidu and Alipay, XPOScope reported 71 vulnerable ones, with a precision of 92.21% and a recall of 80.68%. In addition to the mere exposure of diverse private user data, case studies performed show that XPO in mini-apps can further lead to impersonation attacks, the infringement of employees' privacy, economic loss and even the leakage of sensitive business secrets. The results call for the awareness and actions of mobile mini-app developers to secure cross-user personal data delivery. The code of this work is available at https://github.com/ppflower/XPOScope.

computer science, theory & methods,engineering, electrical & electronic

Supraja Baskaran,Lianying Zhao,Mohammad Mannan,Amr Youssef

DOI: https://doi.org/10.48550/arXiv.2307.09317

2023-07-18

Abstract:We conduct a large-scale measurement of developers' insecure practices leading to mini-app to super-app authentication bypass, among which hard-coding developer secrets for such authentication is a major contributor. We also analyze the exploitability and security consequences of developer secret leakage in mini-apps by examining individual super-app server-side APIs. We develop an analysis framework for measuring such secret leakage, and primarily analyze 110,993 WeChat mini-apps, and 10,000 Baidu mini-apps (two of the most prominent super-app platforms), along with a few more datasets to test the evolution of developer practices and platform security enforcement over time. We found a large number of WeChat mini-apps (36,425, 32.8%) and a few Baidu mini-apps (112) leak their developer secrets, which can cause severe security and privacy problems for the users and developers of mini-apps. A network attacker who does not even have an account on the super-app platform, can effectively take down a mini-app, send malicious and phishing links to users, and access sensitive information of the mini-app developer and its users. We responsibly disclosed our findings and also put forward potential directions that could be considered to alleviate/eliminate the root causes of developers hard-coding the app secrets in the mini-app's front-end code.

Cryptography and Security

Yin Wang,Ming Fan,Junfeng Liu,Junjie Tao,Wuxia Jin,Qi Xiong,Yuhao Liu,Qinghua Zheng,Ting Liu

DOI: https://doi.org/10.48550/arXiv.2302.13860

2023-02-27

Cryptography and Security

Abstract:Mini-app is an emerging form of mobile application that combines web technology with native capabilities. Its features, e.g., no need to download and no installation, have made it popular rapidly. However, privacy issues that violate the laws or regulations are breeding in the swiftly expanding mini-app ecosystem. The consistency between what the mini-app does about the data in the program code and what it declares in its privacy policy description is important. But no work has systematically investigated the privacy problem of the mini-app before. In this paper, to our best knowledge, we are the first to conduct the compliance detection of data practice and policy description in mini-apps. In this paper, we first customize a taint analysis method based on data entity dependency network to adapt to the characteristics of the JavaScript language in the mini-apps. Then, we transform data types and data operations to data practices in program codes and privacy policies, so as to finish a fine-grained consistency matching model.We crawl 100,000 mini-apps on WeChat client in the wild and extract 2,998 with a privacy policy. Among them, only 318 meet the consistency requirements, 2,680 are inconsistent, and the proportion of inconsistencies is as high as 89.4%. The inconsistency in the mini-app is very serious. Based on 6 real-world cases analyzed, in order to reduce this potential data leakage risk, we suggest that the developer should reduce the collection of irrelevant information and the straightforward use of templates, and the platform should provide data flow detection tools and privacy policy writing support.

Shenao Wang,Yuekang Li,Kailong Wang,Yi Liu,Hui Li,Yang Liu,Haoyu Wang

2024-01-16

Abstract:The advent of MiniApps, operating within larger SuperApps, has revolutionized user experiences by offering a wide range of services without the need for individual app downloads. However, this convenience has raised significant privacy concerns, as these MiniApps often require access to sensitive data, potentially leading to privacy violations. Our research addresses the critical gaps in the analysis of MiniApps' privacy practices, especially focusing on WeChat MiniApps in the Android ecosystem. Despite existing privacy regulations and platform guidelines, there is a lack of effective mechanisms to safeguard user privacy fully. We introduce MiniScope, a novel two-phase hybrid analysis approach, specifically designed for the MiniApp environment. This approach overcomes the limitations of existing static analysis techniques by incorporating dynamic UI exploration for complete code coverage and accurate privacy practice identification. Our methodology includes modeling UI transition states, resolving cross-package callback control flows, and automated iterative UI exploration. This allows for a comprehensive understanding of MiniApps' privacy practices, addressing the unique challenges of sub-package loading and event-driven callbacks. Our empirical evaluation of over 120K MiniApps using MiniScope demonstrates its effectiveness in identifying privacy inconsistencies. The results reveal significant issues, with 5.7% of MiniApps over-collecting private data and 33.4% overclaiming data collection. These findings emphasize the urgent need for more precise privacy monitoring systems and highlight the responsibility of SuperApp operators to enforce stricter privacy measures.

Cryptography and Security,Software Engineering

Chiachih Wu,Yajin Zhou,Kunal Patel,Zhenkai Liang,Xuxian Jiang

DOI: https://doi.org/10.14722/ndss.2014.23164

2014-01-01

Abstract:Recent years have experienced explosive growth of smartphone sales. Inevitably, the rise in the popularity of smartphones also makes them an attractive target for attacks. In light of these threats, current mobile platform providers have developed various server-side vetting processes to block malicious applications (“apps”). While helpful, they are still far from ideal in achieving their goals. To make matters worse, the presence of alternative (less-regulated) mobile marketplaces also opens up new attack vectors, which necessitate client-side solutions (e.g., mobile anti-virus software) to run on mobile devices. However, existing client-side solutions still exhibit limitations in their capability or deployability. In this paper, we present AirBag, a lightweight OS-level virtualization approach to enhance the popular Android platform and boost our defense capability against mobile malware infection. Assuming a trusted smartphone OS kernel and the fact that untrusted apps will be eventually installed onto users’ phones, AirBag is designed to isolate and prevent them from infecting our normal systems (e.g., corrupting the phone firmware) or stealthily leaking private information. More specifically, by dynamically creating an isolated runtime environment with its own dedicated namespace and virtualized system resources, AirBag not only allows for transparent execution of untrusted apps, but also effectively mediates their access to various system resources or phone functionalities (e.g., SMSs or phone calls). We have implemented a proof-of-concept prototype on three representative mobile devices, i.e., Google Nexus One, Nexus 7, and Samsung Galaxy S III. The evaluation results with a number of untrusted apps, including real-world mobile malware, demonstrate its practicality and effectiveness.

Yajin Zhou,Kapil Singh,Xuxian Jiang

DOI: https://doi.org/10.1007/978-3-319-08593-7_4

2014-01-01

Abstract:Modern smartphone apps tend to contain and use vast amounts of data that can be broadly classified as structured and unstructured. Structured data, such as an user's geolocation, has predefined semantics that can be retrieved by well-defined platform APIs. Unstructured data, on the other hand, relies on the context of the apps to reflect its meaning and value, and is typically provided by the user directly into an app's interface. Recent research has shown that third-party apps are leaking highly-sensitive unstructured data, including user's banking credentials. Unfortunately, none of the current solutions focus on the protection of unstructured data. In this paper, we propose an owner-centric solution to protect unstructured data on smartphones. Our approach allows the data owners to specify security policies when providing their untrusted data to third-party apps. It tracks the flow of information to enforce the owner's policies at strategic exit points. Based on this approach, we design and implement a system, called <Literal>DataChest</Literal>. We develop several mechanisms to reduce user burden and keep interruption to the minimum, while at the same time preventing the malicious apps from tricking the user. We evaluate our system against a set of real-world malicious apps and a series of synthetic attacks to show that it can successfully prevent the leakage of unstructured data while incurring reasonable performance overhead.

Yue Zhang,Yuqing Yang,Zhiqiang Lin

DOI: https://doi.org/10.48550/arXiv.2306.08151

2023-06-13

Cryptography and Security

Abstract:Mobile mini-programs in WeChat have gained significant popularity since their debut in 2017, reaching a scale similar to that of Android apps in the Play Store. Like Google, Tencent, the provider of WeChat, offers APIs to support the development of mini-programs and also maintains a mini-program market within the WeChat app. However, mini-program APIs often manage sensitive user data within the social network platform, both on the WeChat client app and in the cloud. As a result, cryptographic protocols have been implemented to secure data access. In this paper, we demonstrate that WeChat should have required the use of the "appsecret" master key, which is used to authenticate a mini-program, to be used only in the mini-program back-end. If this key is leaked in the front-end of the mini-programs, it can lead to catastrophic attacks on both mini-program developers and users. Using a mini-program crawler and a master key leakage inspector, we measured 3,450,586 crawled mini-programs and found that 40,880 of them had leaked their master keys, allowing attackers to carry out various attacks such as account hijacking, promotion abuse, and service theft. Similar issues were confirmed through testing and measuring of Baidu mini-programs too. We have reported these vulnerabilities and the list of vulnerable mini-programs to Tencent and Baidu, which awarded us with bug bounties, and also Tencent recently released a new API to defend against these attacks based on our findings.

Lei Zhang,Zhibo Zhang,Ancong Liu,Yinzhi Cao,Xiaohan Zhang,Yanjun Chen,Yuan Zhang,Guangliang Yang,Min Yang

2022-01-01

Abstract:Mobile applications (apps) often delegate their own functions to other parties, which makes them become a super ecosystem hosting these parties. Therefore, such mobile apps are being called super-apps, and the delegated parties are subsequently called sub-apps, behaving like "app-in-app". Sub-apps not only load (third-party) resources like a normal app, but also have access to the privileged APIs provided by the super-app. This leads to an important research question-determining who can access these privileged APIs. Real-world super-apps, according to our study, adopt three types of identities-namely web domains, sub-app IDs, and capabilities-to determine privileged API access. However, existing identity checks of these three types are often not well designed, leading to a disobey of the least privilege principle. That is, the granted recipient of a privileged API is broader than intended, thus defined as an "identity confusion" in this paper. To the best of our knowledge, no prior works have studied this type of identity confusion vulnerability. In this paper, we perform the first systematic study of identity confusion in real-world app-in-app ecosystems. We find that confusions of the aforementioned three types of identities are widespread among all 47 studied super-apps. More importantly, such confusions lead to severe consequences such as manipulating users' financial accounts and installing malware on a smartphone. We responsibly reported all of our findings to developers of affected super-apps, and helped them to fix their vulnerabilities.

Chao Wang,Yue Zhang,Zhiqiang Lin

DOI: https://doi.org/10.48550/arXiv.2306.08134

2023-06-13

Cryptography and Security

Abstract:Mobile applications, particularly those from social media platforms such as WeChat and TikTok, are evolving into "super apps" that offer a wide range of services such as instant messaging and media sharing, e-commerce, e-learning, and e-government. These super apps often provide APIs for developers to create "miniapps" that run within the super app. These APIs should have been thoroughly scrutinized for security. Unfortunately, we find that many of them are undocumented and unsecured, potentially allowing miniapps to bypass restrictions and gain higher privileged access. To systematically identify these hidden APIs before they are exploited by attackers, we developed a tool APIScope with both static analysis and dynamic analysis, where static analysis is used to recognize hidden undocumented APIs, and dynamic analysis is used to confirm whether the identified APIs can be invoked by an unprivileged 3rdparty miniapps. We have applied APIScope to five popular super apps (i.e., WeChat, WeCom, Baidu, QQ, and Tiktok) and found that all of them contain hidden APIs, many of which can be exploited due to missing security checks. We have also quantified the hidden APIs that may have security implications by verifying if they have access to resources protected by Android permissions. Furthermore, we demonstrate the potential security hazards by presenting various attack scenarios, including unauthorized access to any web pages, downloading and installing malicious software, and stealing sensitive information. We have reported our findings to the relevant vendors, some of whom have patched the vulnerabilities and rewarded us with bug bounties.

Liming Jiang

DOI: https://doi.org/10.48550/arXiv.2402.07367

2024-02-12

Cryptography and Security

Abstract:Mini-applications, commonly referred to as mini-apps, are compact software programs embedded within larger applications or platforms, offering targeted functionality without the need for separate installations. Typically web-based or cloud-hosted, these mini-apps streamline user experiences by providing focused services accessible through web browsers or mobile apps. Their simplicity, speed, and integration capabilities make them valuable additions to messaging platforms, social media networks, e-commerce sites, and various digital environments. WeChat Mini Programs, a prominent feature of China's leading messaging app, exemplify this trend, offering users a seamless array of services without additional downloads. Leveraging WeChat's extensive user base and payment infrastructure, Mini Programs facilitate efficient transactions and bridge online and offline experiences, shaping China's digital landscape significantly. This paper investigates the potential of employing Large Language Models (LLMs) to detect privacy breaches within WeChat Mini Programs. Given the widespread use of Mini Programs and growing concerns about data privacy, this research seeks to determine if LLMs can effectively identify instances of privacy leakage within this ecosystem. Through meticulous analysis and experimentation, we aim to highlight the efficacy of LLMs in safeguarding user privacy and security within the WeChat Mini Program environment, thereby contributing to a more secure digital landscape.

Ziyi Zhou,Xing Han,Zeyuan Chen,Yuhong Nan,Juanru Li,Dawu Gu

DOI: https://doi.org/10.1109/dsn53405.2022.00059

2022-01-01

Abstract:A recently emerged cellular network based One-Tap Authentication (OTAuth) scheme allows app users to quickly sign up or log in to their accounts conveniently: Mobile Network Operator (MNO) provided tokens instead of user passwords are used as identity credentials. After conducting a first in-depth security analysis, however, we have revealed several fundamental design flaws among popular OTAuth services, which allow an adversary to easily (1) perform unauthorized login and register new accounts as the victim, (2) illegally obtain identities of victims, and (3) interfere OTAuth services of legitimate apps. To further evaluate the impact of our identified issues, we propose a pipeline that integrates both static and dynamic analysis. We examined 1,025/894 Android/iOS apps, each app holding more than 100 million installations. We confirmed 396/398 Android/iOS apps are affected. Our research systematically reveals the threats against OTAuth services. Finally, we provide suggestions on how to mitigate these threats accordingly.

Shi Meng,Liu Wang,Shenao Wang,Kailong Wang,Xusheng Xiao,Guangdong Bai,Haoyu Wang

DOI: https://doi.org/10.1109/ase56229.2023.00151

2024-01-01

Abstract:Mini-programs (MiniApps), lightweight versions of full-featured mobile apps that run inside a host app such as WeChat, have become increasingly popular due to their simplified and convenient user experiences. However, MiniApps raise new security and privacy concerns as they can access partially or all of host apps' system resources, including sensitive personal data. While taint detection has been proven effective in addressing this kind of concerns, existing taint detection techniques for mobile apps cannot be directly applied to MiniApps. The main reason is that the key logics of MiniApps are usually written in J avaScript, and its intrinsic characteristics (function-level scope, dynamic types, synchronous programming, and code obfuscation) prevent existing taint detection techniques from precisely propagating the taints. To address this problem, we propose a novel taint detection technique, Wemint, that detects sensitive information leaks in MiniApps. Specifically, Wemint facilitates taint propagation via building a context-based model based on the operational prin-ciple of MiniApps and J avaScript, and addresses asynchronous function calls by modeling their callbacks explicitly in taint rules. In addition, due to the adoption of Abstract Syntax Trees (ASTs) for code representation during taint detection, Wemint exhibits better robustness against the commonly-applied code obfuscation. Our experimental results show that Wemint can effectively detect sensitive information leaks in WeChat MiniApps, as well as trace the path of sensitive data flows. By applying Wemint to over 20K suspicious MiniApps, we found that over 7.5K (36.5 %) of them have sensitive data leaks, and Wemint outperforms the state-of-the-art DoubleX based techniques in detecting these leaks.

Haoyu Wang,Hongxuan Liu,Xusheng Xiao,Guozhu Meng,Yao Guo

DOI: https://doi.org/10.1109/ase.2019.00035

2019-01-01

Abstract:In the app releasing process, Android requires all apps to be digitally signed with a certificate before distribution. Android uses this certificate to identify the author and ensure the integrity of an app. However, a number of signature issues have been reported recently, threatening the security and privacy of Android apps. In this paper, we present the first large-scale systematic measurement study on issues related to Android app signatures. We first create a taxonomy covering four types of app signing issues (21 anti-patterns in total), including vulnerabilities, potential attacks, release bugs and compatibility issues. Then we developed an automated tool to characterize signature-related issues in over 5 million app items (3 million distinct apks) crawled from Google Play and 24 alternative Android app markets. Our empirical findings suggest that although Google has introduced apk-level signing schemes (V2 and V3) to overcome some of the known security issues, more than 93% of the apps still use only the JAR signing scheme (V1), which poses great security threats. Besides, we also revealed that 7% to 45% of the apps in the 25 studied markets have been found containing at least one signing issue, while a large number of apps have been exposed to security vulnerabilities, attacks and compatibility issues. Among them a considerable number of apps we identified are popular apps with millions of downloads. Finally, our evolution analysis suggested that most of the issues were not mitigated after a considerable amount of time across markets. The results shed light on the emergency for detecting and repairing the app signing issues.

Yifeng Cai,Ziqi Zhang,Ding Li ,Yao Guo ,Xiangqun Chen

DOI: https://doi.org/10.1145/3605762.3624426

2023-01-01

Abstract:The rapid digitization of various services has led to the emergence of super apps, providing an array of utilities under one application. A common usage scenario of such platforms, such as Alipay, involves shared accounts by multiple users, typically within a family. However, this shared use poses a unique challenge to the security protocols designed to prevent unauthorized access, as they can misinterpret legitimate multi-user behavior as fraudulent activity. In this paper, we explore the complexities involved in accurately discerning such shared usage from potential security threats and investigate current solutions. It aims to stimulate discussion around a more flexible, adaptive, and user-inclusive approach to account security in the evolving landscape of super apps.

Zhibo Zhang,Zhangyue Zhang,Keke Lian,Guangliang Yang,Lei Zhang,Yuan Zhang,Min Yang

DOI: https://doi.org/10.1145/3605762.3624430

2023-01-01

Abstract:Emerging app-in-app ecosystems (e.g., WeChat) provide a lightweight and efficient WebView-based runtime for mini-apps, which frequently load rich web content from remote servers and access sensitive resources via APIs provided by the super-apps (a.k.a. the app-in-app frameworks). Inspired by the content security policy (CSP), super-apps enforce a domain-based allowlist to prevent mini-apps from loading untrusted and malicious web content. In this paper, we observe that the domain-based allowlist mechanism is unreliable in app-in-app ecosystems because it assumes all web pages under the allowlist domain are trusted. To demonstrate such weakness, we propose a novel attack called Trusted Domain Compromise (TDC) Attack, along with two interesting attack vectors, through which attackers can manipulate unsafe domains or URLs to bypass the allowlist check and launch phishing attack or abuse runtime APIs. Thereafter, we conduct the first empirical study on the TDCAttack in the real-world app-in-app ecosystems. Specifically, we investigate the underlying reasons for the failure of the allowlist mechanism and propose an automated analysis framework for identifying TDCAttacks in real-world mini-apps. Our experiment shows that popular app-in-app ecosystems including WeChat, Alipay, and Baidu are all vulnerable to the TDCAttack. Further, we have identified 26 exploitable real-world mini-apps.