
Identifying Cross-User Privacy Leakage in Mobile Mini-Apps at a Large Scale

Published: 01 January 2024

Abstract

With the characteristics of free installation and rich functionalities, mobile mini-apps have become more and more popular in people's daily life. A large amount of sensitive personal data is thus involved in them and shared across users for providing various services, which raises great privacy concerns. However, few researchers have paid attention to the potential privacy risks that may exist when user data is shared across users in mobile mini-apps. In this paper, we introduce a novel privacy risk that is brought forward by cross-user personal data over-delivery (denoted as XPO) in mobile mini-apps. Such a discovered privacy risk is demonstrated to be able to cause serious leakage of diverse user data. To detect XPO risk, a dynamic and lightweight mini-app analysis framework, XPOScope, is proposed. XPOScope is able to automatically identify XPO risk at a large scale. By applying it to 4,273 mini-apps hosted on three popular platforms, i.e., WeChat, Baidu and Alipay, XPOScope reported 71 vulnerable ones, with a precision of 92.21% and a recall of 80.68%. In addition to the mere exposure of diverse private user data, case studies performed show that XPO in mini-apps can further lead to impersonation attacks, the infringement of employees' privacy, economic loss and even the leakage of sensitive business secrets. The results call for the awareness and actions of mobile mini-app developers to secure cross-user personal data delivery. The code of this work is available at https://github.com/ppflower/XPOScope.
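To make the XPO condition the abstract describes concrete, here is an added example (not code from the paper or from XPOScope): a backend response about another user is compared with the dotted paths the page actually renders, the surplus sensitive fields are reported as the over-delivery gap, and a server-side projection shows the minimised response a developer should send instead. The endpoint, field names, values and the sensitive-key list are all constructed assumptions.

```python
# Added illustration of cross-user personal data over-delivery (XPO) as the
# abstract describes it. Endpoint, field names, values and the sensitive-key
# list are constructed for this example, not taken from XPOScope or any real app.
SENSITIVE_KEYS = {"phone", "id_card", "real_name", "home_address", "employee_id"}

# Constructed capture: what a backend returned about *another* user (a courier)
# to an ordinary customer's mini-app client.
CAPTURED_RESPONSE = {
    "order_id": "ORD-0001",
    "courier": {
        "nickname": "Courier_Li",
        "avatar_url": "https://example.invalid/a/10042.png",
        "phone": "13800000000",
        "id_card": "110101199001011234",
        "employer": {"company": "Example Logistics", "employee_id": "E-77"},
    },
}

# Dotted paths the order page actually renders about the courier (constructed).
DISPLAYED_PATHS = {"courier.nickname", "courier.avatar_url"}


def flatten(obj, prefix=""):
    """Yield (dotted_path, value) for every leaf of nested JSON (dicts/lists)."""
    if isinstance(obj, (dict, list)):
        items = obj.items() if isinstance(obj, dict) else enumerate(obj)
        for k, v in items:
            yield from flatten(v, f"{prefix}{k}.")
    else:
        yield prefix[:-1], obj


def over_delivered(response, displayed):
    """Sensitive leaf paths sent by the server but never shown by the UI: the XPO gap."""
    return {p for p, _ in flatten(response)
            if p.split(".")[-1] in SENSITIVE_KEYS and p not in displayed}


def minimize(response, displayed):
    """Hardened server-side projection: rebuild the object from the allow-listed
    paths only, so nothing the page does not need crosses the user boundary."""
    out = {}
    for path, value in flatten(response):
        if path in displayed:
            node = out
            *parents, leaf = path.split(".")
            for part in parents:
                node = node.setdefault(part, {})
            node[leaf] = value
    return out
```

Running `over_delivered(CAPTURED_RESPONSE, DISPLAYED_PATHS)` lists the courier's phone, ID card and employee ID as over-delivered, while `minimize` yields a response for which the gap is empty.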

Cited By

  • (2024) MiniCAT: Understanding and Detecting Cross-Page Request Forgery Vulnerabilities in Mini-Programs. Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, pp. 525–539. https://doi.org/10.1145/3658644.3670294. Online publication date: 2 Dec 2024.

          Published In

          IEEE Transactions on Information Forensics and Security, Volume 19, 2024 (10342 pages)

          Publisher

          IEEE Press

          Qualifiers

          • Research-article
