{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,2]],"date-time":"2026-07-02T07:00:10Z","timestamp":1782975610518,"version":"3.54.5"},"reference-count":69,"publisher":"IEEE","license":[{"start":{"date-parts":[[2026,5,18]],"date-time":"2026-05-18T00:00:00Z","timestamp":1779062400000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2026,5,18]],"date-time":"2026-05-18T00:00:00Z","timestamp":1779062400000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2026,5,18]]},"DOI":"10.1109\/sp63933.2026.00074","type":"proceedings-article","created":{"date-parts":[[2026,7,1]],"date-time":"2026-07-01T19:34:20Z","timestamp":1782934460000},"page":"943-960","source":"Crossref","is-referenced-by-count":0,"title":["Convenience at a Cost: the Security Risks of Template-Based Development in the App-in-App Ecosystem"],"prefix":"10.1109","author":[{"given":"Yizhe","family":"Shi","sequence":"first","affiliation":[{"name":"Fudan University"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Zhemin","family":"Yang","sequence":"additional","affiliation":[{"name":"Fudan University"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Yifan","family":"Yang","sequence":"additional","affiliation":[{"name":"Fudan University"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Yunteng","family":"Yang","sequence":"additional","affiliation":[{"name":"Fudan University"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Yifan","family":"Yang","sequence":"additional","affiliation":[{"name":"Fudan University"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"263","reference":[{"key":"ref1","article-title":"statista","year":"2024","journal-title":"Monthly active users of the leading apps in China in"},{"key":"ref2","article-title":"Wechat","year":"2025","journal-title":"WeChat Service Market"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2023.3329205"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-64954-7_22"},{"key":"ref5","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00005"},{"key":"ref6","article-title":"WeChat","year":"2025","journal-title":"WeChat Mini-App Permission Set Description"},{"key":"ref7","volume-title":"OAuth 2.0.","year":"2025"},{"key":"ref8","volume-title":"Youzan.","year":"2025"},{"key":"ref9","volume-title":"Weimob.","year":"2025"},{"key":"ref10","volume-title":"SXL.","year":"2025"},{"key":"ref11","volume-title":"WeChat Mini-App Operation Standards","year":"2025"},{"key":"ref12","volume-title":"Mini-App Operation Guidelines","year":"2025"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.62"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417291"},{"key":"ref15","article-title":"Continuous learning for android malware detection","volume-title":"32nd USENIX Security Symposium (USENIX Security)","author":"Chen","year":"2023"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2024.24035"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2025.230082"},{"key":"ref18","volume-title":"Dissecting the violative miniapp cases","year":"2025"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1145\/3605762.3624431"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1145\/3689941.3695773"},{"key":"ref21","volume-title":"Protection Regulation (GDPR)","year":"2025"},{"key":"ref22","volume-title":"California consumer privacy act (ccpa)","year":"2025"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484536"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2023.3299945"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE48619.2023.00086"},{"key":"ref26","volume-title":"Mini Program configuration","year":"2025"},{"key":"ref27","volume-title":"App.json configuration","year":"2025"},{"key":"ref28","doi-asserted-by":"crossref","DOI":"10.1007\/978-3-319-21903-5_8","article-title":"Hierarchical clustering","volume-title":"Introduction to HPC with MPI for Data Science","author":"Nielsen","year":"2016"},{"key":"ref29","volume-title":"Largest Chinese companies by market capitalization","year":"2025"},{"key":"ref30","volume-title":"The 100 largest companies in the world by market capitalization in 2023","year":"2025"},{"key":"ref31","article-title":"VulSim: Leveraging similarity of \\{Multi-Dimensional\\} neighbor embeddings for vulnerability detection","volume-title":"33rd USENIX Security Symposium (USENIX Security)","author":"Shimmi","year":"2024"},{"key":"ref32","article-title":"Semantic cosine similarity","volume-title":"The 7th International Student Conference on Advanced Science and Technology ICAST","author":"Rahutomo","year":"2012"},{"key":"ref33","volume-title":"Jieba Text Segmentation","year":"2025"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1145\/3597926.3598079"},{"key":"ref35","article-title":"Understanding the security and privacy implications of online toxic content on refugees","volume-title":"33rd USENIX Security Symposium (USENIX Security)","author":"Arunasalam","year":"2024"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.1145\/3658644.3670295"},{"key":"ref37","article-title":"Lalaine: Measuring and characterizing Non-Compliance of apple privacy labels","volume-title":"32nd USENIX Security Symposium (USENIX Security)","author":"Xiao","year":"2023"},{"key":"ref38","article-title":"Abandon all hope ye who enter here: A dynamic, longitudinal investigation of android\u2019s data safety section","volume-title":"33rd USENIX Security Symposium (USENIX Security)","author":"Arkalakis","year":"2024"},{"key":"ref39","article-title":"PolicyLint: Investigating internal privacy policy contradictions on google play","volume-title":"28th USENIX Security Symposium (USENIX Security 19)","author":"Andow","year":"2019"},{"key":"ref40","volume-title":"QPSoftware. Wechat mini program - all you need to know","year":"2025"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.1145\/3460081"},{"key":"ref42","article-title":"LibScan: Towards more precise Third-Party library identification for android applications","volume-title":"32nd USENIX Security Symposium (USENIX Security 23)","author":"Wu","year":"2023"},{"key":"ref43","volume-title":"Taro","year":"2025"},{"key":"ref44","volume-title":"Uni-app.","year":"2025"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417255"},{"key":"ref46","volume-title":"Mini-app was removed without specific reasons","year":"2025"},{"key":"ref47","article-title":"Fear the reaper: Characterization and fast detection of card skimmers","volume-title":"27th USENIX Security Symposium (USENIX Security)","author":"Scaife","year":"2018"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.1145\/3576915.3616591"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2025.230273"},{"key":"ref50","volume-title":"Antmove","year":"2025"},{"key":"ref51","volume-title":"Wx2my","year":"2025"},{"key":"ref52","volume-title":"Wx2","year":"2025"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978333"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2017.38"},{"key":"ref55","doi-asserted-by":"publisher","DOI":"10.1109\/SANER.2018.8330204"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE43902.2021.00150"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.16"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-04283-1_6"},{"key":"ref59","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23247"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2017.23353"},{"key":"ref61","volume-title":"DCloud","year":"2025"},{"key":"ref62","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560597"},{"key":"ref63","doi-asserted-by":"publisher","DOI":"10.1145\/3607199.3607236"},{"key":"ref64","article-title":"Identity confusion in \\{WebView-based\\} mobile app-in-app ecosystems","volume-title":"31st USENIX Security Symposium (USENIX Security)","author":"Zhang","year":"2022"},{"key":"ref65","article-title":"One size does not fit all: Uncovering and exploiting cross platform discrepant \\{APIs\\} in \\{WeChat\\}","volume-title":"32nd USENIX Security Symposium (USENIX Security)","author":"Wang","year":"2023"},{"key":"ref66","volume-title":"Rootfree attacks: Exploiting mobile platform\u2019s super apps from desktop","year":"2024"},{"key":"ref67","doi-asserted-by":"publisher","DOI":"10.1145\/3576915.3616676"},{"key":"ref68","author":"Zhang","year":"2023","journal-title":"Understanding privacy over-collection in wechat sub-app ecosystem"},{"key":"ref69","volume-title":"Traditional Chinese characters","year":"2025"}],"event":{"name":"2026 IEEE Symposium on Security and Privacy (SP)","location":"San Francisco, CA, USA","start":{"date-parts":[[2026,5,18]]},"end":{"date-parts":[[2026,5,21]]}},"container-title":["2026 IEEE Symposium on Security and Privacy (SP)"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/11573355\/11573356\/11573487.pdf?arnumber=11573487","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,7,2]],"date-time":"2026-07-02T05:27:38Z","timestamp":1782970058000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/11573487\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,5,18]]},"references-count":69,"URL":"https:\/\/doi.org\/10.1109\/sp63933.2026.00074","relation":{},"subject":[],"published":{"date-parts":[[2026,5,18]]}}}