ABSTRACT
As multi-service mobile applications, super-apps provide users with great convenience and satisfy most of their daily needs. Riding on the increasing popularity of super-apps, researchers from academia and industry have studied multiple security aspects of mini-apps, including permission mechanisms, secure communication, and access control. However, little effort has been spent on analyzing the underlying web technologies that super-apps employ. In this paper, we conduct the first study to understand the security mechanisms of super-apps from a browser perspective. We describe the relationship and the significant differences between browsers and super-apps, in particular the security features of traditional browsers and the challenges in applying them to super-apps. Further, we propose security guidelines on resource, storage, credential, and privacy management for building a more secure super-app.
Towards a Better Super-App Architecture from a Browser Security Perspective