{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,17]],"date-time":"2026-02-17T13:01:13Z","timestamp":1771333273696,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":57,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,12,2]],"date-time":"2024-12-02T00:00:00Z","timestamp":1733097600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"National Science Foundation (NSF)","award":["2239605, 2228616, 2114920, 2228617, 2120369, 2129164, 2114982"],"award-info":[{"award-number":["2239605, 2228616, 2114920, 2228617, 2120369, 2129164, 2114982"]}]},{"name":"Office of Naval Research Grant","award":["N000142212111"],"award-info":[{"award-number":["N000142212111"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2024,12,2]]},"DOI":"10.1145\/3658644.3690294","type":"proceedings-article","created":{"date-parts":[[2024,12,9]],"date-time":"2024-12-09T12:19:20Z","timestamp":1733746760000},"page":"1626-1640","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":3,"title":["A First Look at Security and Privacy Risks in the RapidAPI Ecosystem"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-5264-7573","authenticated-orcid":false,"given":"Song","family":"Liao","sequence":"first","affiliation":[{"name":"Texas Tech University, Lubbock, TX, USA"}]},{"ORCID":"https:\/\/orcid.org\/0009-0004-4819-5406","authenticated-orcid":false,"given":"Long","family":"Cheng","sequence":"additional","affiliation":[{"name":"Clemson University, Clemson, SC, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9082-3208","authenticated-orcid":false,"given":"Xiapu","family":"Luo","sequence":"additional","affiliation":[{"name":"The Hong Kong Polytechnic University, Hong Kong, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2698-1559","authenticated-orcid":false,"given":"Zheng","family":"Song","sequence":"additional","affiliation":[{"name":"University of Michigan-Dearborn, Dearborn, MI, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5224-9970","authenticated-orcid":false,"given":"Haipeng","family":"Cai","sequence":"additional","affiliation":[{"name":"Washington State University, Pullman, WA, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8969-2792","authenticated-orcid":false,"given":"Danfeng (Daphne)","family":"Yao","sequence":"additional","affiliation":[{"name":"Virginia Tech, Blacksburg, VA, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8710-247X","authenticated-orcid":false,"given":"Hongxin","family":"Hu","sequence":"additional","affiliation":[{"name":"University at Buffalo, Buffalo, NY, USA"}]}],"member":"320","published-online":{"date-parts":[[2024,12,9]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"Alexa Policy Requirements. https:\/\/developer.amazon.com\/frFR\/docs\/alexa\/custom-skills\/policy-requirements-for-an-alexa-skill.html."},{"key":"e_1_3_2_1_2_1","unstructured":"apideck. https:\/\/www.apideck.com\/."},{"key":"e_1_3_2_1_3_1","unstructured":"Apidog. https:\/\/apidog.com\/."},{"key":"e_1_3_2_1_4_1","unstructured":"Apktool. https:\/\/apktool.org\/."},{"key":"e_1_3_2_1_5_1","unstructured":"App Store Review Guidelines. https:\/\/developer.apple.com\/appstore\/review\/guidelines\/."},{"key":"e_1_3_2_1_6_1","unstructured":"California Consumer Privacy Act (CCPA). https:\/\/oag.ca.gov\/privacy\/ccpa."},{"key":"e_1_3_2_1_7_1","unstructured":"California Online Privacy Protection Act (CalOPPA). https:\/\/consumercal.org\/about-cfc\/cfc-education-foundation\/californiaonline-privacy-protection-act-caloppa-3\/."},{"key":"e_1_3_2_1_8_1","unstructured":"Childrens Online Privacy Protection Rule (COPPA). https:\/\/www.ftc.gov\/legallibrary\/browse\/rules\/childrens-online-privacy-protection-rule-coppa."},{"key":"e_1_3_2_1_9_1","unstructured":"Chrome Program Policies. https:\/\/developer.chrome.com\/docs\/webstore \/program-policies\/#: :text=Extensions"},{"key":"e_1_3_2_1_10_1","unstructured":"General Data Protection Regulation. https:\/\/gdpr-info.eu."},{"key":"e_1_3_2_1_11_1","unstructured":"Google fined 50 million for GDPR violation in France. https:\/\/www.theverge.com\/2019\/1\/21\/18191591\/google-gdpr-fine-50-millioneuros-data-consent-cnil."},{"key":"e_1_3_2_1_12_1","unstructured":"Google Play Developer Policy Center. https:\/\/play.google.com\/about\/developercontent-policy\/."},{"key":"e_1_3_2_1_13_1","unstructured":"Health Insurance Portability and Accountability Act of 1996 (HIPAA). https:\/\/www.cdc.gov\/phlp\/publications\/topic\/hipaa.html."},{"key":"e_1_3_2_1_14_1","unstructured":"Open API Market Size is projected to reach USD 13.21 Billion by 2030 growing at a CAGR of 23.83%: Straits Research. https:\/\/www.globenewswire.com\/en\/newsrelease\/2022\/08\/18\/2501038\/0\/en\/Open-API-Market-Size-is-projected-toreach-USD-13--21-Billion-by-2030-growing-at-a-CAGR-of-23--83-StraitsResearch.html."},{"key":"e_1_3_2_1_15_1","unstructured":"OpenAPIHub. https:\/\/www.openapihub.com\/en-us\/."},{"key":"e_1_3_2_1_16_1","unstructured":"ProgrammableWeb. https:\/\/www.mulesoft.com\/ programmableweb."},{"key":"e_1_3_2_1_17_1","unstructured":"Rapid. https:\/\/rapidapi.com\/."},{"key":"e_1_3_2_1_18_1","unstructured":"URLCrazy. https:\/\/www.morningstarsecurity.com\/ research\/urlcrazy."},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560685"},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/2901739.2903508"},{"key":"e_1_3_2_1_21_1","first-page":"985","volume-title":"29th USENIX Security Symposium (USENIX Security 20)","author":"Andow Benjamin","year":"2020","unstructured":"Benjamin Andow, Samin Yaseer Mahmud, Justin Whitaker, William Enck, Bradley Reaves, Kapil Singh, and Serge Egelman. Actions speak louder than words:{EntitySensitive} privacy policy and data flow analysis with {PoliCheck}. In 29th USENIX Security Symposium (USENIX Security 20), pages 985--1002, 2020."},{"key":"e_1_3_2_1_22_1","first-page":"131","volume-title":"22nd USENIX Security Symposium (USENIX Security 13)","author":"Bugiel Sven","year":"2013","unstructured":"Sven Bugiel, Stephen Heuser, and Ahmad-Reza Sadeghi. Flexible and fine-grained mandatory access control on android for diverse security and privacy policies. In 22nd USENIX Security Symposium (USENIX Security 13), pages 131--146, 2013."},{"key":"e_1_3_2_1_23_1","first-page":"97","volume-title":"21st USENIX Security Symposium (USENIX Security 12)","author":"Carlini Nicholas","year":"2012","unstructured":"Nicholas Carlini, Adrienne Porter Felt, and David Wagner. An evaluation of the google chrome extension security architecture. In 21st USENIX Security Symposium (USENIX Security 12), pages 97--111, 2012."},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3423339"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/2187836.2187879"},{"key":"e_1_3_2_1_26_1","volume-title":"Self-reflective, hierarchical agents for large-scale api calls. arXiv preprint arXiv:2402.04253","author":"Du Yu","year":"2024","unstructured":"Yu Du, Fangyun Wei, and Hongyang Zhang. Anytool: Self-reflective, hierarchical agents for large-scale api calls. arXiv preprint arXiv:2402.04253, 2024."},{"key":"e_1_3_2_1_27_1","first-page":"177","volume-title":"NDSS","author":"Egele Manuel","year":"2011","unstructured":"Manuel Egele, Christopher Kruegel, Engin Kirda, and Giovanni Vigna. Pios: Detecting privacy leaks in ios applications. In NDSS, pages 177--183, 2011."},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.5555\/932295"},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.16"},{"key":"e_1_3_2_1_30_1","first-page":"2507","volume-title":"30th USENIX Security Symposium (USENIX Security 21)","author":"Laperdrix Pierre","year":"2021","unstructured":"Pierre Laperdrix, Oleksii Starov, Quan Chen, Alexandros Kapravelos, and Nick Nikiforakis. Fingerprinting in style: Detecting browser extensions via injected style sheets. In 30th USENIX Security Symposium (USENIX Security 21), pages 2507--2524, 2021."},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1109\/SPW.2019.00043"},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.23111"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40001.2021.00090"},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/3589334.3645409"},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/3576915.3616650"},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/3427228.3427250"},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/3551349.3560436"},{"key":"e_1_3_2_1_38_1","first-page":"35","volume-title":"31st USENIX Security Symposium (USENIX Security 22)","author":"Liu Guannan","year":"2022","unstructured":"Guannan Liu, Xing Gao, Haining Wang, and Kun Sun. Exploring the unchartered space of container registry typosquatting. In 31st USENIX Security Symposium (USENIX Security 22), pages 35--51, 2022."},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417255"},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.6028\/NIST.SP.800-122"},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23418"},{"key":"e_1_3_2_1_42_1","first-page":"3439","volume-title":"32nd USENIX Security Symposium (USENIX Security 23)","author":"Neupane Shradha","year":"2023","unstructured":"Shradha Neupane, Grant Holmes, Elizabeth Wyss, Drew Davidson, and Lorenzo De Carli. Beyond typosquatting: An in-depth look at package confusion. In 32nd USENIX Security Symposium (USENIX Security 23), pages 3439--3456, 2023."},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1109\/INCET54531.2022.9824767"},{"key":"e_1_3_2_1_44_1","volume-title":"et al. Toolllm: Facilitating large language models to master 16000 real-world apis. arXiv preprint arXiv:2307.16789","author":"Qin Yujia","year":"2023","unstructured":"Yujia Qin, Shihao Liang, Yining Ye, Kunlun Zhu, Lan Yan, Yaxi Lu, Yankai Lin, Xin Cong, Xiangru Tang, Bill Qian, et al. Toolllm: Facilitating large language models to master 16000 real-world apis. arXiv preprint arXiv:2307.16789, 2023."},{"key":"e_1_3_2_1_45_1","first-page":"479","volume-title":"28th USENIX Security Symposium (USENIX Security 19)","author":"Quiring Erwin","year":"2019","unstructured":"Erwin Quiring, Alwin Maier, and Konrad Rieck. Misleading authorship attribution of source code using adversarial learning. In 28th USENIX Security Symposium (USENIX Security 19), pages 479--496, 2019."},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1145\/3324884.3416551"},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1002\/ett.3773"},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSR.2015.48"},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSR.2019.00053"},{"key":"e_1_3_2_1_50_1","first-page":"191","volume-title":"23rd USENIX Security Symposium (USENIX Security 14)","author":"Szurdi Janos","year":"2014","unstructured":"Janos Szurdi, Balazs Kocso, Gabor Cseh, Jonathan Spring, Mark Felegyhazi, and Chris Kanich. The long {?Taile?} of typosquatting domain names. In 23rd USENIX Security Symposium (USENIX Security 14), pages 191--206, 2014."},{"key":"e_1_3_2_1_51_1","first-page":"3789","volume-title":"Anastasia Shuba, and Athina Markopoulou. {OVRseen}: Auditing network traffic and privacy policies in oculus {VR}. In 31st USENIX security symposium (USENIX security 22)","author":"Trimananda Rahmadi","year":"2022","unstructured":"Rahmadi Trimananda, Hieu Le, Hao Cui, Janice Tran Ho, Anastasia Shuba, and Athina Markopoulou. {OVRseen}: Auditing network traffic and privacy policies in oculus {VR}. In 31st USENIX security symposium (USENIX security 22), pages 3789--3806, 2022."},{"key":"e_1_3_2_1_52_1","first-page":"1091","volume-title":"32nd USENIX Security Symposium (USENIX Security 23)","author":"Xiao Yue","year":"2023","unstructured":"Yue Xiao, Zhengyi Li, Yue Qin, Xiaolong Bai, Jiale Guan, Xiaojing Liao, and Luyi Xing. Lalaine: Measuring and characterizing {Non-Compliance} of apple privacy labels. In 32nd USENIX Security Symposium (USENIX Security 23), pages 1091--1108, 2023."},{"key":"e_1_3_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1145\/3308558.3313591"},{"key":"e_1_3_2_1_54_1","volume-title":"31st USENIX Security Symposium (USENIX Security 22)","author":"Young Jeffrey","year":"2022","unstructured":"Jeffrey Young, Song Liao, Long Cheng, Hongxin Hu, and Huixing Deng. {SkillDetective}: Automated {Policy-Violation} detection of voice assistant applications in the wild. In 31st USENIX Security Symposium (USENIX Security 22), 2022."},{"key":"e_1_3_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2022.3150302"},{"key":"e_1_3_2_1_56_1","volume-title":"Dont leak your keys: Understanding, measuring, and exploiting the appsecret leaks in mini-programs. arXiv preprint arXiv:2306.08151","author":"Zhang Yue","year":"2023","unstructured":"Yue Zhang, Yuqing Yang, and Zhiqiang Lin. Dont leak your keys: Understanding, measuring, and exploiting the appsecret leaks in mini-programs. arXiv preprint arXiv:2306.08151, 2023."},{"key":"e_1_3_2_1_57_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00009"}],"event":{"name":"CCS '24: ACM SIGSAC Conference on Computer and Communications Security","location":"Salt Lake City UT USA","acronym":"CCS '24","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3658644.3690294","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3658644.3690294","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,22]],"date-time":"2025-08-22T05:57:21Z","timestamp":1755842241000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3658644.3690294"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,12,2]]},"references-count":57,"alternative-id":["10.1145\/3658644.3690294","10.1145\/3658644"],"URL":"https:\/\/doi.org\/10.1145\/3658644.3690294","relation":{},"subject":[],"published":{"date-parts":[[2024,12,2]]},"assertion":[{"value":"2024-12-09","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}