DOI: 10.1145/3605762.3624430

TrustedDomain Compromise Attack in App-in-app Ecosystems

Published: 26 November 2023

Abstract

Emerging app-in-app ecosystems (e.g., WeChat) provide a lightweight and efficient WebView-based runtime for mini-apps, which frequently load rich web content from remote servers and access sensitive resources via APIs provided by the super-apps (a.k.a. the app-in-app frameworks). Inspired by the content security policy (CSP), super-apps enforce a domain-based allowlist to prevent mini-apps from loading untrusted and malicious web content. In this paper, we observe that the domain-based allowlist mechanism is unreliable in app-in-app ecosystems because it assumes that all web pages under an allowlisted domain are trusted. To demonstrate this weakness, we propose a novel attack called the Trusted Domain Compromise (TDC) Attack, along with two attack vectors through which attackers can manipulate unsafe domains or URLs to bypass the allowlist check and launch phishing attacks or abuse runtime APIs. Thereafter, we conduct the first empirical study of the TDC Attack in real-world app-in-app ecosystems. Specifically, we investigate the underlying reasons for the failure of the allowlist mechanism and propose an automated analysis framework for identifying TDC Attacks in real-world mini-apps. Our experiments show that popular app-in-app ecosystems including WeChat, Alipay, and Baidu are all vulnerable to the TDC Attack. Further, we have identified 26 exploitable real-world mini-apps.
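The abstract's core point is one of granularity: a domain-level allowlist extends trust to every page under the domain, so any page under it that an attacker can control or influence (a subdomain, a user-upload area, a path reached through dot segments) inherits the mini-app's trust and, with it, whatever the runtime bridge exposes. The JavaScript below is an added example, not code from the paper and not the allowlist logic of WeChat, Alipay or Baidu: it models a correctly implemented domain-suffix check beside a naive substring check and a page-level check, and runs all three over constructed navigation targets (the domains example-bank.com and evil.example, the paths, and the allowlist entries are made up for the demo).

```javascript
// Added, illustrative example: three ways a super-app-style runtime could decide
// whether a mini-app WebView may navigate to a URL. This is NOT the allowlist
// logic of WeChat, Alipay or Baidu; it models the granularity problem the
// abstract describes. Domains, paths and allowlist entries are constructed.

// 1. Naive substring check: a common implementation bug, shown for contrast.
function allowedBySubstring(rawUrl, domainAllowlist) {
  return domainAllowlist.some((d) => rawUrl.includes(d));
}

// 2. Domain-granularity check, implemented carefully: https only, and the host
//    must be the allowlisted domain or a true subdomain of it (suffix match on
//    a label boundary). This is the shape of check the abstract calls unreliable.
function allowedByDomain(rawUrl, domainAllowlist) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG parsing separates userinfo, port and query from the host
  } catch {
    return false;
  }
  if (url.protocol !== "https:") return false;
  const host = url.hostname; // already lowercased by the parser
  return domainAllowlist.some((d) => host === d || host.endsWith("." + d));
}

// 3. Page-granularity check: each entry pins an exact origin plus a path prefix,
//    so only the pages the mini-app developer actually audited are trusted.
//    new URL() resolves dot segments, so "/mini/../uploads" cannot dodge the prefix.
function allowedByPage(rawUrl, pageAllowlist) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false;
  }
  if (url.protocol !== "https:") return false;
  return pageAllowlist.some(
    (e) => url.origin === e.origin && url.pathname.startsWith(e.pathPrefix)
  );
}

// Hypothetical mini-app configuration.
const DOMAIN_ALLOWLIST = ["example-bank.com"];
const PAGE_ALLOWLIST = [{ origin: "https://app.example-bank.com", pathPrefix: "/mini/" }];

// Constructed navigation targets. The first is the developer's intended page;
// the next three sit under the trusted domain but are not that page.
const CANDIDATES = {
  intended: "https://app.example-bank.com/mini/home",
  userUpload: "https://cdn.example-bank.com/uploads/phish.html", // attacker-uploaded content
  staleSubdomain: "https://old-promo.example-bank.com/", // forgotten host under the trusted domain
  traversal: "https://app.example-bank.com/mini/../uploads/phish.html",
  lookalike: "https://example-bank.com.evil.example/",
  userinfo: "https://example-bank.com@evil.example/",
  plainHttp: "http://app.example-bank.com/mini/home",
};

// Returns, per candidate, the verdict of each of the three checks.
function evaluate() {
  const verdicts = {};
  for (const [name, u] of Object.entries(CANDIDATES)) {
    verdicts[name] = {
      substring: allowedBySubstring(u, DOMAIN_ALLOWLIST),
      domain: allowedByDomain(u, DOMAIN_ALLOWLIST),
      page: allowedByPage(u, PAGE_ALLOWLIST),
    };
  }
  return verdicts;
}

console.table(evaluate());
```

Run it with `node`. The substring check accepts every candidate, including the look-alike host and the userinfo trick, which is a bug in the check itself. The domain check is not buggy: it rejects the look-alike, the userinfo trick and plain http. It still accepts the user-upload page, the stale subdomain and the traversed path, because all three really are under the allowlisted domain; that is the weakness the abstract describes, and only the page-level entry rejects them. The lesson for anyone building or auditing such a runtime is that correctness of the host match is necessary but not sufficient: trust has to be pinned to the specific pages the developer vetted, and the set of pages an attacker can place or influence under an allowlisted domain has to be treated as part of the attack surface.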

Venue: SaTS '23, November 26, 2023, Copenhagen, Denmark

Cited By

  • (2024) MiniCAT: Understanding and Detecting Cross-Page Request Forgery Vulnerabilities in Mini-Programs. Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security, 525-539. DOI: 10.1145/3658644.3670294. Online publication date: 2 Dec 2024.


Published In
    SaTS '23: Proceedings of the 2023 ACM Workshop on Secure and Trustworthy Superapps
    November 2023
    70 pages
    ISBN:9798400702587
    DOI:10.1145/3605762
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher: Association for Computing Machinery, New York, NY, United States


    Author Tags

    1. allowlist
    2. app-in-app
    3. code injection attack
    4. security analysis

    Qualifiers

    • Research-article

Conference

CCS '23

Article Metrics

• Downloads (last 12 months): 80
• Downloads (last 6 weeks): 5
• Reflects downloads up to 03 Mar 2025
