{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,17]],"date-time":"2026-03-17T20:24:03Z","timestamp":1773779043043,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":38,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,11,21]],"date-time":"2024-11-21T00:00:00Z","timestamp":1732147200000},"content-version":"vor","delay-in-days":372,"URL":"http:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000001","name":"NSF (National Science Foundation)","doi-asserted-by":"publisher","award":["2330264"],"award-info":[{"award-number":["2330264"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2023,11,15]]},"DOI":"10.1145\/3576915.3616676","type":"proceedings-article","created":{"date-parts":[[2023,11,21]],"date-time":"2023-11-21T12:35:13Z","timestamp":1700570113000},"page":"2471-2485","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":12,"title":["Uncovering and Exploiting Hidden APIs in Mobile Super Apps"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-3310-4258","authenticated-orcid":false,"given":"Chao","family":"Wang","sequence":"first","affiliation":[{"name":"The Ohio State University, Columbus, OH, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7786-0231","authenticated-orcid":false,"given":"Yue","family":"Zhang","sequence":"additional","affiliation":[{"name":"The Ohio State University, Columbus, OH, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6527-5994","authenticated-orcid":false,"given":"Zhiqiang","family":"Lin","sequence":"additional","affiliation":[{"name":"The Ohio State University, Columbus, OH, 
USA"}]}],"member":"320","published-online":{"date-parts":[[2023,11,21]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"\"6 powerful wechat statistics you need to know in 2022 \" https:\/\/brewinteractive. com\/wechat-statistics\/ (Accessed on 08\/27\/2023)."},{"key":"e_1_3_2_1_2_1","unstructured":"\"Google play store: number of apps 2022 | statista \" https:\/\/www.statista.com\/ statistics\/266210\/number-of-available-applications-in-the-google-play-store\/ (Accessed on 08\/27\/2023)."},{"key":"e_1_3_2_1_3_1","unstructured":"\"Soot:a framework for analyzing and transforming java and android applications \" http:\/\/soot-oss.github.io\/soot\/ (Accessed on 08\/27\/2023)."},{"key":"e_1_3_2_1_4_1","unstructured":"\"Tencent app \" https:\/\/www.nbd.com.cn\/articles\/2022-12-01\/2576229.html."},{"key":"e_1_3_2_1_5_1","unstructured":"\"Tiktok - make your day \" https:\/\/www.tiktok.com\/ (Accessed on 08\/27\/2023)."},{"key":"e_1_3_2_1_6_1","unstructured":"\"Wechat mini programs showcases new capabilities to celebrate its third anniver-sary \" https:\/\/www.tencent.com\/en-us\/articles\/2200946.html."},{"key":"e_1_3_2_1_7_1","unstructured":"\"What are wechat mini-programs? a simple introduction - walkthechat \" https: \/\/walkthechat.com\/wechat-mini-programs-simple-introduction\/ (Accessed on 08\/27\/2023)."},{"key":"e_1_3_2_1_8_1","unstructured":"\"WeChat Chinese Documentation \" https:\/\/developers.weixin.qq.com\/miniprogram\/en\/dev\/api\/ 04 2022 (Accessed on 08\/27\/2023)."},{"key":"e_1_3_2_1_9_1","unstructured":"\"WeChat English Documentation \" https:\/\/developers.weixin.qq.com\/miniprogram\/en\/dev\/api\/ 04 2022 (Accessed on 08\/27\/2023)."},{"key":"e_1_3_2_1_10_1","first-page":"2782","volume":"15","author":"Alhanahnah M.","year":"2020","unstructured":"M. Alhanahnah, Q. Yan, H. Bagheri, H. Zhou, Y. Tsutano, W. Srisa-An, and X. 
Luo, \"Dina: Detecting hidden android inter-app communication in dynamic loaded code,\" IEEE Transactions on Information Forensics and Security, vol. 15, pp. 2782--2797, 2020.","journal-title":"\"Dina: Detecting hidden android inter-app communication in dynamic loaded code,\" IEEE Transactions on Information Forensics and Security"},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382222"},{"key":"e_1_3_2_1_12_1","volume-title":"Intrusions and Defenses (RAID 2023)","author":"Baskaran S.","year":"2023","unstructured":"S. Baskaran, L. Zhao, M. Mannan, and A. Youssef, \"Measuring the leakage and exploitability of authentication secrets in super-apps: The wechat case,\" in 26nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2023), 2023."},{"key":"e_1_3_2_1_13_1","first-page":"44","volume-title":"iris: Vetting private api abuse in ios applications,\" in Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security","author":"Deng Z.","year":"2015","unstructured":"Z. Deng, B. Saltaformaggio, X. Zhang, and D. Xu, \"iris: Vetting private api abuse in ios applications,\" in Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, 2015, pp. 44--56."},{"key":"e_1_3_2_1_14_1","first-page":"1953","volume-title":"The cookie hunter: Automated black-box auditing for web authentication and authorization flaws,\" in Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security","author":"Drakonakis K.","year":"2020","unstructured":"K. Drakonakis, S. Ioannidis, and J. Polakis, \"The cookie hunter: Automated black-box auditing for web authentication and authorization flaws,\" in Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, 2020, pp. 
1953--1970."},{"key":"e_1_3_2_1_15_1","first-page":"473","volume-title":"Davinci: Android app analysis beyond frida via dynamic system call instrumentation,\" in International Conference on Applied Cryptography and Network Security","author":"Druffel A.","year":"2020","unstructured":"A. Druffel and K. Heid, \"Davinci: Android app analysis beyond frida via dynamic system call instrumentation,\" in International Conference on Applied Cryptography and Network Security. Springer, 2020, pp. 473--489."},{"key":"e_1_3_2_1_16_1","first-page":"1598","volume-title":"Dissecting residual apis in custom android roms,\" in Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security","author":"El-Rewini Z.","year":"2021","unstructured":"Z. El-Rewini and Y. Aafer, \"Dissecting residual apis in custom android roms,\" in Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, 2021, pp. 1598--1611."},{"key":"e_1_3_2_1_17_1","first-page":"272","volume-title":"Launching generic attacks on ios with approved third-party applications,\" in International Conference on Applied Cryptography and Network Security","author":"Han J.","year":"2013","unstructured":"J. Han, S. M. Kywe, Q. Yan, F. Bao, R. Deng, D. Gao, Y. Li, and J. Zhou, \"Launching generic attacks on ios with approved third-party applications,\" in International Conference on Applied Cryptography and Network Security. Springer, 2013, pp. 272--289."},{"key":"e_1_3_2_1_18_1","first-page":"889","volume-title":"IEEE","author":"Huang S.","year":"2019","unstructured":"S. Huang, J. Guo, S. Li, X. Li, Y. Qi, K. Chow, and J. Huang, \"Safecheck: safety enhancement of java unsafe api,\" in 2019 IEEE\/ACM 41st International Conference on Software Engineering (ICSE). IEEE, 2019, pp. 889--899."},{"key":"e_1_3_2_1_19_1","volume-title":"Security and Trust (PST). IEEE","author":"Kywe S. M.","year":"2016","unstructured":"S. M. Kywe, Y. Li, K. Petal, and M. 
Grace, \"Attacking android smartphone systems without permissions,\" in 2016 14th Annual Conference on Privacy, Security and Trust (PST). IEEE, 2016."},{"key":"e_1_3_2_1_20_1","first-page":"411","volume-title":"IEEE","author":"Li L.","year":"2016","unstructured":"L. Li, T. F. Bissyand\u00e9, Y. Le Traon, and J. Klein, \"Accessing inaccessible android apis: An empirical study,\" in 2016 IEEE International Conference on Software Maintenance and Evolution (ICSME). IEEE, 2016, pp. 411--422."},{"key":"e_1_3_2_1_21_1","volume-title":"The Java native interface: programmer's guide and specification","author":"Liang S.","year":"1999","unstructured":"S. Liang, The Java native interface: programmer's guide and specification. Addison-Wesley Professional, 1999."},{"key":"e_1_3_2_1_22_1","unstructured":"Listen \"How to use \"openUrl\"?\" https:\/\/developers.weixin.qq.com\/community\/ develop\/article\/doc\/00000efea1c4785424fc1dd4e51c13."},{"key":"e_1_3_2_1_23_1","first-page":"113","volume-title":"Automatic mediation of {Privacy-Sensitive} resource access in smartphone applications,\" in 22nd USENIX Security Symposium (USENIX Security 13)","author":"Livshits B.","year":"2013","unstructured":"B. Livshits and J. Jung, \"Automatic mediation of {Privacy-Sensitive} resource access in smartphone applications,\" in 22nd USENIX Security Symposium (USENIX Security 13), 2013, pp. 113--130."},{"key":"e_1_3_2_1_24_1","first-page":"569","volume-title":"Demystifying resource management risks in emerging mobile app-in-app ecosystems,\" in Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security","author":"Lu H.","year":"2020","unstructured":"H. Lu, L. Xing, Y. Xiao, Y. Zhang, X. Liao, X. Wang, and X. Wang, \"Demystifying resource management risks in emerging mobile app-in-app ecosystems,\" in Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, 2020, pp. 
569--585."},{"key":"e_1_3_2_1_25_1","unstructured":"MayBG \"How to use \"requestFacetoFacePayment\"?\" https:\/\/developers.weixin.qq.com\/community\/develop\/doc\/000cce1ebd80006b1e8f5185b56800."},{"key":"e_1_3_2_1_26_1","volume-title":"\"Dark hazard: Learning-based, large-scale discovery of hidden sensitive operations in android apps.\" in Proceedings of the 2017 Annual Network and Distributed System Security Symposium (NDSS)","author":"Pan X.","year":"2017","unstructured":"X. Pan, X. Wang, Y. Duan, X. Wang, and H. Yin, \"Dark hazard: Learning-based, large-scale discovery of hidden sensitive operations in android apps.\" in Proceedings of the 2017 Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, 2017."},{"key":"e_1_3_2_1_27_1","first-page":"488","volume-title":"Jalangi: A selective record-replay and dynamic analysis framework for javascript,\" in Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering","author":"Sen K.","year":"2013","unstructured":"K. Sen, S. Kalasapur, T. Brutch, and S. Gibbs, \"Jalangi: A selective record-replay and dynamic analysis framework for javascript,\" in Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering, 2013, pp. 488--498."},{"key":"e_1_3_2_1_28_1","unstructured":"vuldb \"Cve-2021-40180 \" https:\/\/vuldb.com\/?id.205138."},{"key":"e_1_3_2_1_29_1","unstructured":"W3C \"Miniapp standardization white paper \" https:\/\/w3c.github.io\/miniapp\/white-paper\/ 2020."},{"key":"e_1_3_2_1_30_1","volume-title":"Taintmini: Detecting flow of sensitive data in mini-programs with static taint analysis,\" in 2023 IEEE\/ACM 45th International Conference on Software Engineering (ICSE)","author":"Wang C.","year":"2023","unstructured":"C. Wang, R. Ko, Y. Zhang, Y. Yang, and Z. 
Lin, \"Taintmini: Detecting flow of sensitive data in mini-programs with static taint analysis,\" in 2023 IEEE\/ACM 45th International Conference on Software Engineering (ICSE), 2023."},{"key":"e_1_3_2_1_31_1","volume-title":"One size does not fit all: Uncovering and exploiting cross platform discrepant apis in wechat,\" in 32nd USENIX Security Symposium (USENIX Security 23)","author":"Wang C.","year":"2023","unstructured":"C. Wang, Y. Zhang, and Z. Lin, \"One size does not fit all: Uncovering and exploiting cross platform discrepant apis in wechat,\" in 32nd USENIX Security Symposium (USENIX Security 23), 2023."},{"key":"e_1_3_2_1_32_1","first-page":"559","volume-title":"Jekyll on ios: When benign apps become evil,\" in 22nd {USENIX} Security Symposium ({USENIX} Security 13)","author":"Wang T.","year":"2013","unstructured":"T. Wang, K. Lu, L. Lu, S. Chung, and W. Lee, \"Jekyll on ios: When benign apps become evil,\" in 22nd {USENIX} Security Symposium ({USENIX} Security 13), 2013, pp. 559--572."},{"key":"e_1_3_2_1_33_1","first-page":"143","volume-title":"Precisely and scalably vetting javascript bridge in android hybrid apps,\" in International Symposium on Research in Attacks, Intrusions, and Defenses","author":"Yang G.","year":"2017","unstructured":"G. Yang, A. Mendoza, J. Zhang, and G. Gu, \"Precisely and scalably vetting javascript bridge in android hybrid apps,\" in International Symposium on Research in Attacks, Intrusions, and Defenses. Springer, 2017, pp. 143--166."},{"key":"e_1_3_2_1_34_1","volume-title":"Sok: Decoding the super app enigma: The security mechanisms, threats, and trade-offs in os-alike apps,\" arXiv preprint arXiv:2306.07495","author":"Yang Y.","year":"2023","unstructured":"Y. Yang, C. Wang, Y. Zhang, and Z. 
Lin, \"Sok: Decoding the super app enigma: The security mechanisms, threats, and trade-offs in os-alike apps,\" arXiv preprint arXiv:2306.07495, 2023."},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560597"},{"key":"e_1_3_2_1_36_1","volume-title":"Identity confusion in webview-based mobile app-in-app ecosystems,\" in 31st {USENIX} Security Symposium ({USENIX} Security 22)","author":"Zhang L.","year":"2022","unstructured":"L. Zhang, Z. Zhang, A. Liu, Y. Cao, X. Zhang, Y. Chen, Y. Zhang, G. Yang, and M. Yang, \"Identity confusion in webview-based mobile app-in-app ecosystems,\" in 31st {USENIX} Security Symposium ({USENIX} Security 22), 2022."},{"key":"e_1_3_2_1_37_1","volume-title":"A measurement study of wechat mini-apps,\" in Abstract Proceedings of the 2021 ACM SIGMETRICS\/International Conference on Measurement and Modeling of Computer Systems","author":"Zhang Y.","year":"2021","unstructured":"Y. Zhang, B. Turkistani, A. Y. Yang, C. Zuo, and Z. Lin, \"A measurement study of wechat mini-apps,\" in Abstract Proceedings of the 2021 ACM SIGMETRICS\/International Conference on Measurement and Modeling of Computer Systems, 2021."},{"key":"e_1_3_2_1_38_1","volume-title":"Don't leak your keys: Understanding, measuring, and exploiting the appsecret leaks in mini-programs.\" in Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security","author":"Zhang Y.","year":"2023","unstructured":"Y. Zhang, Y. Yang, and Z. 
Lin, \"Don't leak your keys: Understanding, measuring, and exploiting the appsecret leaks in mini-programs.\" in Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, 2023."}],"event":{"name":"CCS '23: ACM SIGSAC Conference on Computer and Communications Security","location":"Copenhagen Denmark","acronym":"CCS '23","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3576915.3616676","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3576915.3616676","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3576915.3616676","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,21]],"date-time":"2025-08-21T01:42:01Z","timestamp":1755740521000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3576915.3616676"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,11,15]]},"references-count":38,"alternative-id":["10.1145\/3576915.3616676","10.1145\/3576915"],"URL":"https:\/\/doi.org\/10.1145\/3576915.3616676","relation":{},"subject":[],"published":{"date-parts":[[2023,11,15]]},"assertion":[{"value":"2023-11-21","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}