Abstract
Mini-programs (MiniApps), lightweight versions of full-featured mobile apps that run inside a host app such as WeChat, have become increasingly popular due to their simplified and convenient user experiences. However, MiniApps raise new security and privacy concerns as they can access partially or all of host apps' system resources, including sensitive personal data. While taint detection has been proven effective in addressing this kind of concerns, existing taint detection techniques for mobile apps cannot be directly applied to MiniApps. The main reason is that the key logics of MiniApps are usually written in JavaScript, and its intrinsic characteristics (function-level scope, dynamic types, synchronous programming, and code obfuscation) prevent existing taint detection techniques from precisely propagating the taints. To address this problem, we propose a novel taint detection technique, Wemint, that detects sensitive information leaks in MiniApps. Specifically, Wemint facilitates taint propagation via building a context-based model based on the operational principle of MiniApps and JavaScript, and addresses asynchronous function calls by modeling their callbacks explicitly in taint rules. In addition, due to the adoption of Abstract Syntax Trees (ASTs) for code representation during taint detection, Wemint exhibits better robustness against the commonly-applied code obfuscation. Our experimental results show that Wemint can effectively detect sensitive information leaks in WeChat MiniApps, as well as trace the path of sensitive data flows. By applying Wemint to over 20K suspicious MiniApps, we found that over 7.5K (36.5 %) of them have sensitive data leaks, and Wemint outperforms the state-of-the-art DoubleX based techniques in detecting these leaks. © 2023 IEEE.
| Original language | English |
|---|---|
| Title of host publication | Proceedings - 2023 38th IEEE/ACM International Conference on Automated Software Engineering, ASE 2023 |
| Publisher | IEEE |
| Pages | 1403-1415 |
| Number of pages | 13 |
| ISBN (Electronic) | 979-8-3503-2996-4 |
| ISBN (Print) | 979-8-3503-2997-1 |
| DOIs | |
| Publication status | Published - 2023 |
| Externally published | Yes |
| Event | 38th IEEE/ACM International Conference on Automated Software Engineering (ASE 2023) - European Convention Center Luxembourg (ECCL), Echternach, Luxembourg Duration: 11 Sept 2023 → 15 Sept 2023 https://conf.researchr.org/home/ase-2023 |
Publication series
| Name | Proceedings - IEEE/ACM International Conference on Automated Software Engineering, ASE |
|---|---|
| ISSN (Print) | 1938-4300 |
| ISSN (Electronic) | 2643-1572 |
Conference
| Conference | 38th IEEE/ACM International Conference on Automated Software Engineering (ASE 2023) |
|---|---|
| Place | Luxembourg |
| City | Echternach |
| Period | 11/09/23 → 15/09/23 |
| Internet address |
Funding
This work was supported in part by National Key R&D Program of China (2021YFB2701000), the National Natural Science Foundation of China (grant No.62072046, 62172049), Knowledge Innovation Program of Wuhan-Basic Research and HUST-FiberHome Joint Research Center for Network Security.
Research Keywords
- Privacy
- Secu-rity
- Taint detection
- WeChat Mini-programs
Fingerprint
Dive into the research topics of 'Wemint: Tainting Sensitive Data Leaks in WeChat Mini-Programs'. Together they form a unique fingerprint.Cite this
- APA
- Author
- BIBTEX
- Harvard
- Standard
- RIS
- Vancouver