ABSTRACT
In recent years, miniapps, lightweight applications built on WebView, have become a prominent trend in mobile app development. This trend has rapidly expanded on popular social platforms like WeChat, TikTok, Grab, and even Snapchat. In these miniapps, user data is pivotal for providing personalized services and improving user experience. However, there are still shortcomings in identifying the source of sensitive data in miniapps. This paper introduces MUID, an innovative method for detecting user input data in miniapps. MUID integrates an engine that dynamically tests miniapps to overcome the challenges of WebView page extraction, uses a hybrid analysis approach to identify sensitive components, and infers the type of information collected from contextual hint words. In an evaluation of MUID on 30 popular miniapps randomly selected from WeChat, we demonstrated its high dynamic testing efficiency and its capability to recognize components with a recall rate of 95.74% and a precision rate of 81.32%. The overall precision of MUID is 78.31% and the recall rate is 92.19%, demonstrating the effectiveness of MUID for security and privacy analyses.
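As an added illustration (not MUID's own code or hint-word lists), the following Python sketch shows the last stage the abstract describes: extracting input components from WeChat miniapp WXML markup and inferring which kind of personal data each one collects from contextual hint words such as labels, placeholders and declared input types. The category names, hint words and the sample markup are assumptions constructed for this example.

```python
import re
from typing import Dict, List, Optional

# Hint-word dictionary: sensitive data category -> contextual cues (assumed, not MUID's list).
# WeChat's <input> documents type="idcard" and a boolean password attribute, so those count as cues too.
HINT_WORDS: Dict[str, List[str]] = {
    "phone": ["phone", "mobile", "手机", "电话"],
    "id_number": ["id card", "identity", "idcard", "身份证"],
    "email": ["email", "e-mail", "邮箱"],
    "password": ["password", "密码"],
    "address": ["address", "地址"],
}

INPUT_RE = re.compile(r"<input\b([^>]*)/?>", re.I)
ATTR_RE = re.compile(r'([\w:-]+)="([^"]*)"')
# Label text of a <view>/<text>/<label> element that immediately precedes the input.
LABEL_RE = re.compile(r"<(?:view|text|label)[^>]*>([^<]{1,40})</(?:view|text|label)>\s*$")


def extract_inputs(wxml: str) -> List[Dict[str, str]]:
    """Return each <input> as an attribute dict, plus the adjacent label text under '_label'."""
    components = []
    for m in INPUT_RE.finditer(wxml):
        attrs = dict(ATTR_RE.findall(m.group(1)))
        lab = LABEL_RE.search(wxml[: m.start()])
        attrs["_label"] = lab.group(1).strip() if lab else ""
        components.append(attrs)
    return components


def infer_type(component: Dict[str, str]) -> Optional[str]:
    """Infer the collected data category from contextual hint words; None if nothing matches."""
    if "true" in component.get("password", "").lower():
        return "password"
    context = " ".join(component.get(k, "") for k in ("_label", "placeholder", "name", "type")).lower()
    for category, words in HINT_WORDS.items():
        if any(w in context for w in words):
            return category
    return None


def audit(wxml: str) -> List[tuple]:
    """Map every input's name attribute to its inferred sensitive data category."""
    return [(c.get("name", "?"), infer_type(c)) for c in extract_inputs(wxml)]


# Constructed sample WXML form, mixing labelled and unlabelled inputs.
SAMPLE_WXML = """
<view class="row"><text>手机号</text><input name="tel" type="number" placeholder="请输入手机号" /></view>
<view class="row"><text>Email</text><input name="contact" placeholder="you@example.com" /></view>
<view class="row"><input name="idno" type="idcard" placeholder="ID card number" /></view>
<view class="row"><input name="pwd" password="{{true}}" placeholder="Enter password" /></view>
<view class="row"><input name="remark" placeholder="Anything else?" /></view>
"""
```

Running `audit(SAMPLE_WXML)` labels the first four fields as phone, email, id_number and password and leaves the free-text remark unclassified, which is the kind of per-component output a privacy audit would compare against the miniapp's declared data practices.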