SaTS '23
Proceedings of the 2023 ACM Workshop on Secure and Trustworthy Superapps
Last Update: 26 November 2023
SESSION: Session 1: Miniapp Ecosystem and Security Analysis
Systematic Analysis of Security and Vulnerabilities in Miniapps
- Yuyang Han
- Xu Ji
- Zhiqiang Wang
- Jianyi Zhang
The past few years have witnessed a boom in miniapps; as lightweight applications, miniapps are of great importance in the mobile internet sector. Consequently, the security of miniapps directly affects the integrity of sensitive data and poses a potential threat to user privacy. However, after a thorough review of the various research efforts in miniapp security, we found that research on the safety of miniapp web interfaces is limited. This paper proposes a triad threat model focusing on users, servers and attackers to mitigate the security risk of miniapps. Following the principle of least privilege and the direction of permission consistency, we design a novel analysis framework for the security risk assessment of miniapps based on this model. We then analyze the correlation between the security risk assessment and the threat model associated with the miniapp. This analysis leads to the identification of potential scopes and categorisations of security risks. In the case study, we identify nine major categories of vulnerability issues, such as SQL injection, logical vulnerabilities and cross-site scripting. We also assess a total of 50,628 security risk hazards and provide specific examples.
JSLibD: Reliable and Heuristic Detection of Third-party Libraries in Miniapps
- Junjie Tao
- Jifei Shi
- Ming Fan
- Yin Wang
- Junfeng Liu
- Ting Liu
Miniapps have become an indispensable part of people's lives. Meanwhile, the utilization of third-party libraries greatly streamlines, expedites, and enhances the development of miniapps. However, ensuring the security of these third-party libraries presents a challenge, as they may harbor security vulnerabilities, such as plaintext transmission. In this paper, we propose JSLibD, an automated extraction method for third-party libraries in miniapps. Unlike conventional extraction methods that heavily rely on prior knowledge, JSLibD introduces a heuristic prediction approach, comprising two integral components: a whitelist matching method to match the known libraries and a heuristic prediction method to extract the unknown libraries using function call relationships. The results demonstrate that JSLibD can efficiently match known libraries, and accurately predict unknown libraries, achieving an impressive precision rate of 85.9% and a high recall rate of 97.2%.
MUID: Detecting Sensitive User Inputs in Miniapp Ecosystems
- Ziqiang Yan
- Ming Fan
- Yin Wang
- Jifei Shi
- Haoran Wang
- Ting Liu
In recent years, the rise of miniapps, lightweight applications based on WebView, has become a prominent trend in mobile app development. This trend has rapidly expanded on popular social platforms like WeChat, TikTok, Grab, and even Snapchat. In these miniapps, user data is pivotal for providing personalized services and improving user experience. However, there are still shortcomings in identifying the source of sensitive data in miniapps. This paper introduces MUID, an innovative method for detecting user input data in miniapps. MUID integrates an engine that can dynamically test miniapps to overcome the challenges in WebView page extraction, uses a hybrid analysis approach to identify sensitive components, and infers the type of information collected based on contextual hint words. In the evaluation of MUID across 30 popular miniapps randomly selected on WeChat, we demonstrated its high dynamic testing efficiency and its capability to recognize components with a recall rate of 95.74% and a precision rate of 81.32%. The overall precision of MUID is 78.31%, and the recall rate is 92.19%, demonstrating the effectiveness of MUID in conducting security and privacy analyses.
SESSION: Session 2: Security Measures in Miniapp Ecosystem
Towards a Better Super-App Architecture from a Browser Security Perspective
- Yue Wang
- Yao Yao
- Shangcheng Shi
- Weiting Chen
- Lin Huang
As multi-service mobile applications, super-apps provide users with great convenience and satisfy most of our daily needs. Riding on the increasing popularity of super-apps, researchers from academia and industry have studied multiple security aspects of mini-apps, including permission mechanisms, secure communication, access control, etc. However, little effort has been spent on analyzing the underlying web technologies employed by super-apps. In this paper, we conduct the first study to understand the security mechanisms of super-apps from a browser perspective. We describe the relationship and significant differences between browsers and super-apps, especially the security features of traditional browsers and the challenges in applying them to super-apps. Further, we propose security guidelines on resources, storage, credentials, and privacy management to build a more secure super-app.
On the Usage-scenario-based Data Minimization in Mini Programs
- Shenao Wang
- Yanjie Zhao
- Kailong Wang
- Haoyu Wang
Mini programs, or MiniApps, have become prevalent in the digital landscape, offering convenience but raising privacy concerns, particularly in data minimization. Existing coarse-grained privacy measures fall short in ensuring effective data minimization due to the complex structure of MiniApps and the specificities of data usage scenarios. This work proposes an innovative end-to-end hybrid analysis framework, comprising three key modules, to analyze fine-grained usage-scenario-based data minimization within MiniApps. The framework constructs the page-transition structure, aligns data collection with specific purposes, and detects violations of data minimization principles. We also outline our plan to evaluate the framework through a large-scale study involving 120K MiniApps. This research represents a significant advancement in the pursuit of responsible data practices within MiniApps, contributing to the broader field of computer science and digital security.
Understanding Dark UI Patterns in the Mobile Ecosystem: A Case Study of Apps in China
- Mengyi Long
- Yue Xu
- Jiangrong Wu
- Qihua Ou
- Yuhong Nan
Dark User Interface (DUI) refers to deceptive UI that leads users to do something they do not intend to do, such as clicking on and opening an advertisement. Previous research has shown that DUI in mobile apps is becoming an increasing concern for app users. Meanwhile, due to the lack of a dominant app store such as Google Play, mobile apps in China are more difficult to regulate. As a result, user-harmful behaviors such as DUI are more likely to occur. In this paper, we systematically investigate the prevalence, distribution, and impact of dark UI patterns (DUI patterns for short) in the mobile ecosystem of China. To this end, we first summarize a taxonomy of DUI patterns based on the UI layout, UI elements, and user interactions in mobile apps. With this taxonomy, we implement a lightweight pipeline to identify various DUIs in a set of the top 150 popular apps. The results of the analysis show that DUIs exist widely in modern applications, across different categories and contexts. Additionally, we extend our analysis to examine DUIs in mini-apps, an emerging type of mobile app that is highly popular in China. Our research highlights a number of stealthy dark UI patterns that may confuse or even harm app users. Additionally, we show that better regulation of, and user awareness about, DUI in mobile applications are urgently needed.
SESSION: Session 3: Advanced Vulnerabilities and Challenges in Miniapp Ecosystem
MiniTaintDev: Unveiling Mini-App Vulnerabilities through Dynamic Taint Analysis
- Jianjia Yu
- Zifeng Kang
- Yinzhi Cao
The security and privacy issues of mini-apps, which are lightweight apps that run inside host apps such as WeChat, have recently drawn the interest of researchers. We propose MiniTaintDev, a dynamic taint analysis tool for mini-app vulnerability detection, focusing on the detection of data leakage and sensitive API execution. In this work-in-progress (WIP) paper, we demonstrate MiniTaintDev with proof-of-concept attacks and present some preliminary results.
Shared Account Problem in Super Apps
- Yifeng Cai
- Ziqi Zhang
- Ding Li
- Yao Guo
- Xiangqun Chen
The rapid digitization of various services has led to the emergence of super apps, which provide an array of utilities under one application. A common usage scenario of such platforms, such as Alipay, involves accounts shared by multiple users, typically within a family. However, this shared use poses a unique challenge to the security protocols designed to prevent unauthorized access, as they can misinterpret legitimate multi-user behavior as fraudulent activity. In this paper, we explore the complexities involved in accurately distinguishing such shared usage from potential security threats and investigate current solutions. This paper aims to stimulate discussion around a more flexible, adaptive, and user-inclusive approach to account security in the evolving landscape of super apps.
TrustedDomain Compromise Attack in App-in-app Ecosystems
- Zhibo Zhang
- Zhangyue Zhang
- Keke Lian
- Guangliang Yang
- Lei Zhang
- Yuan Zhang
- Min Yang
Emerging app-in-app ecosystems (e.g., WeChat) provide a lightweight and efficient WebView-based runtime for mini-apps, which frequently load rich web content from remote servers and access sensitive resources via APIs provided by the super-apps (a.k.a. the app-in-app frameworks). Inspired by the content security policy (CSP), super-apps enforce a domain-based allowlist to prevent mini-apps from loading untrusted and malicious web content. In this paper, we observe that the domain-based allowlist mechanism is unreliable in app-in-app ecosystems because it assumes that all web pages under an allowlisted domain are trusted. To demonstrate this weakness, we propose a novel attack called the Trusted Domain Compromise (TDC) Attack, along with two interesting attack vectors, through which attackers can manipulate unsafe domains or URLs to bypass the allowlist check and launch phishing attacks or abuse runtime APIs. Thereafter, we conduct the first empirical study of the TDC Attack in real-world app-in-app ecosystems. Specifically, we investigate the underlying reasons for the failure of the allowlist mechanism and propose an automated analysis framework for identifying TDC Attacks in real-world mini-apps. Our experiment shows that popular app-in-app ecosystems including WeChat, Alipay, and Baidu are all vulnerable to the TDC Attack. Further, we have identified 26 exploitable real-world mini-apps.
Potential Risks Arising from the Absence of Signature Verification in Miniapp Plugins
- Yanjie Zhao
- Yue Zhang
- Haoyu Wang
The advent of mobile super apps has given rise to the miniapp paradigm, a lightweight application model that operates within a JavaScript engine hosted by the primary app. Miniapps now have transformed the app ecosystem, offering easy access, install-less functionality, and a wide array of service offerings. However, the integration of plugins, which are functional components added to miniapps, has introduced potential security concerns. While the underlying framework strives to ensure data security between miniapps and their embedded plugins, vulnerabilities may arise if signature verification is neglected in the plugin's implementation. Although Tencent offers developers guidelines for signature integration, this verification isn't pre-packaged, potentially leading less experienced developers to skip it when incorporating plugins, risking security. Specifically, the lack of signature verification in miniapp plugins can create a potential threat, enabling attackers to manipulate transactions and undermine the integrity of the miniapp. This paper explores the communication mechanisms of miniapps, the function of plugins, and the vital role of signature verification in enhancing the security of transactions and data within this rapidly evolving ecosystem.