DOI: 10.1145/3605762.3624429

MUID: Detecting Sensitive User Inputs in Miniapp Ecosystems

Published: 26 November 2023

Abstract

In recent years, miniapps, lightweight applications rendered in a WebView inside a host app, have become a prominent trend in mobile app development. The trend has spread rapidly across popular social platforms such as WeChat, TikTok, Grab, and even Snapchat. In these miniapps, user data is pivotal for providing personalized services and improving the user experience, yet existing techniques fall short at identifying where sensitive data enters a miniapp in the first place: the user-input components. This paper introduces MUID, a method for detecting sensitive user-input data in miniapps. MUID integrates an engine that dynamically tests miniapps to overcome the difficulty of extracting pages from a WebView, uses a hybrid analysis to identify sensitive components, and infers the type of information collected from contextual hint words (labels, placeholders and similar text surrounding each component). Evaluated on 30 popular WeChat miniapps selected at random, MUID showed high dynamic-testing efficiency and recognized sensitive components with 95.74% recall and 81.32% precision. Overall, MUID achieves 78.31% precision and 92.19% recall, demonstrating its effectiveness for security and privacy analyses.
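The abstract's core idea, inferring what kind of sensitive data a user-input component collects from the hint words around it, can be illustrated with a small static detector over WeChat miniapp markup (WXML). This is an added example written for this page, not MUID's code: MUID drives the live miniapp in its WebView and combines dynamic and static analysis, whereas the snippet below only parses a constructed WXML fragment. The hint-word dictionary, the sample page and the `precision_recall` scoring are all assumptions made for the illustration.

```python
"""Illustrative sensitive-input detector for WeChat miniapp (WXML) pages.

Added example, not MUID's implementation. It demonstrates one idea from the
abstract: classify each <input>/<textarea> by hint words found in its own
placeholder and in the label text of the enclosing <view> row.
"""
import re
from dataclasses import dataclass

# Hypothetical hint-word dictionary (assumption): category -> hint words.
HINT_WORDS = {
    "phone":    ["手机号", "手机", "电话", "phone", "mobile"],
    "id_card":  ["身份证", "证件号", "id card", "id number"],
    "password": ["密码", "password", "passwd"],
    "name":     ["姓名", "真实姓名", "name"],
    "address":  ["地址", "address"],
    "email":    ["邮箱", "email", "e-mail"],
}

# Constructed WXML fragment for the example; not taken from any real miniapp.
SAMPLE_WXML = """
<view class="row"><text>手机号</text><input type="number" placeholder="请输入手机号"/></view>
<view class="row"><text>验证码</text><input placeholder="6位数字"/></view>
<view class="row"><text>真实姓名</text><input placeholder="请输入"/></view>
<view class="row"><text>身份证号</text><input placeholder="18位证件号"/></view>
<view class="row"><input password="{{true}}" placeholder="Password"/></view>
<view class="row"><text>备注</text><textarea placeholder="选填"/></view>
"""

INPUT_RE = re.compile(r"<(input|textarea)\b([^>]*)/?>", re.S)
ATTR_RE = re.compile(r'([\w:-]+)\s*=\s*"([^"]*)"')
TEXT_RE = re.compile(r"<text[^>]*>(.*?)</text>", re.S)


@dataclass
class Component:
    tag: str
    attrs: dict
    context: str            # hint text: row label + placeholder + name attribute
    category: str = "unknown"


def extract_components(wxml: str) -> list:
    """Find input-like components and gather the hint text around each one.

    The label is restricted to <text> elements inside the same <view> row, so
    a label from a neighbouring row is not mistaken for this component's.
    """
    comps = []
    for m in INPUT_RE.finditer(wxml):
        tag, raw_attrs = m.group(1), m.group(2)
        attrs = dict(ATTR_RE.findall(raw_attrs))
        row_start = max(wxml.rfind("<view", 0, m.start()), 0)
        labels = TEXT_RE.findall(wxml[row_start:m.start()])
        label = labels[-1] if labels else ""
        parts = (label, attrs.get("placeholder", ""), attrs.get("name", ""))
        comps.append(Component(tag, attrs, " ".join(p for p in parts if p)))
    return comps


def classify(comp: Component) -> str:
    """Infer the sensitive-data category of one component.

    A structural cue comes first: WeChat's <input password="true"> is a
    password field whatever its label says.  Otherwise the longest matching
    hint word wins, so "真实姓名" beats "姓名" and "身份证" beats "证件号" ties.
    """
    if comp.attrs.get("password", "").strip("{} ").lower() == "true":
        return "password"
    ctx = comp.context.lower()
    best = None                      # (category, matched-word length)
    for cat, words in HINT_WORDS.items():
        for w in words:
            if w.lower() in ctx and (best is None or len(w) > best[1]):
                best = (cat, len(w))
    return best[0] if best else "unknown"


def detect(wxml: str) -> list:
    """Run extraction plus classification; returns the predicted categories."""
    comps = extract_components(wxml)
    for c in comps:
        c.category = classify(c)
    return [c.category for c in comps]


def precision_recall(predicted: list, truth: list) -> tuple:
    """Component-level precision/recall; 'unknown' means 'not sensitive'."""
    tp = sum(p == t != "unknown" for p, t in zip(predicted, truth))
    fp = sum(p != "unknown" and p != t for p, t in zip(predicted, truth))
    fn = sum(t != "unknown" and p != t for p, t in zip(predicted, truth))
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall


if __name__ == "__main__":
    for comp, cat in zip(extract_components(SAMPLE_WXML), detect(SAMPLE_WXML)):
        print(f"{cat:9s} <- {comp.context!r}")
```

On the constructed page this yields phone, unknown (the SMS code), name, id_card, password and unknown (free-text remarks). The two "unknown" rows are the interesting ones for a practitioner: a hint-word approach only sees what the dictionary contains, which is why MUID's reported precision and recall are below 100% and why the dictionary, and the context window used to collect hint words, are the parts worth tuning when porting the idea to another platform.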


Published In

SaTS '23: Proceedings of the 2023 ACM Workshop on Secure and Trustworthy Superapps
November 2023, 70 pages
ISBN: 9798400702587
DOI: 10.1145/3605762

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. miniapp security
  2. mobile security
  3. privacy
  4. user input

Qualifiers

  • Research-article

Conference

CCS '23