{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,15]],"date-time":"2026-03-15T05:21:26Z","timestamp":1773552086846,"version":"3.50.1"},"reference-count":63,"publisher":"Association for Computing Machinery (ACM)","issue":"6","funder":[{"name":"Key R&D Program of Hubei Province","award":["2023BAB017, 2023BAB079"],"award-info":[{"award-number":["2023BAB017, 2023BAB079"]}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation","doi-asserted-by":"crossref","award":["62072046, 62302181, 62302176"],"award-info":[{"award-number":["62072046, 62302181, 62302176"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Softw. Eng. Methodol."],"published-print":{"date-parts":[[2025,7,31]]},"abstract":"\n The advent of MiniApps, operating within larger SuperApps, has revolutionized user experiences by offering a wide range of services without the need for individual app downloads. However, this convenience has raised significant privacy concerns, as these MiniApps often require access to sensitive data, potentially leading to privacy violations. Despite existing privacy regulations and platform guidelines, there is a lack of effective mechanisms to safeguard user privacy fully. To address this critical gap, we introduce\n MiniScope<\/jats:sc>\n , a novel two-phase hybrid analysis approach, specifically designed for the MiniApp environment. This approach overcomes the limitations of existing static analysis techniques by incorporating UI transition states analysis, cross-package callback control flow resolution, and automated iterative UI exploration. This allows for a comprehensive understanding of MiniApps\u2019 privacy practices, addressing the unique challenges of sub-package loading and event-driven callbacks. Our empirical evaluation of over 120K MiniApps using\n MiniScope<\/jats:sc>\n demonstrates its effectiveness in identifying privacy inconsistencies. The results reveal significant issues, with 5.7% of MiniApps over-collecting private data and 33.4% overclaiming data collection. We have responsibly disclosed our findings to 2,282 developers, receiving 44 acknowledgments. These findings emphasize the urgent need for more precise privacy monitoring systems and highlight the responsibility of SuperApp operators to enforce stricter privacy measures.\n <\/jats:p>","DOI":"10.1145\/3709351","type":"journal-article","created":{"date-parts":[[2024,12,21]],"date-time":"2024-12-21T09:17:51Z","timestamp":1734772671000},"page":"1-29","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":3,"title":["MiniScope<\/scp>\n : Automated UI Exploration and Privacy Inconsistency Detection of MiniApps\n via<\/i>\n Two-phase Iterative Hybrid Analysis"],"prefix":"10.1145","volume":"34","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-3818-3343","authenticated-orcid":false,"given":"Shenao","family":"Wang","sequence":"first","affiliation":[{"name":"Hubei Key Laboratory of Distributed System Security, Hubei Engineering Research Center on Big Data Security, School of Cyber Science and Engineering, Huazhong University of Science and Technology, Wuhan, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4382-0757","authenticated-orcid":false,"given":"Yuekang","family":"Li","sequence":"additional","affiliation":[{"name":"University of New South Wales, Sydney, Australia"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3977-6573","authenticated-orcid":false,"given":"Kailong","family":"Wang","sequence":"additional","affiliation":[{"name":"Hubei Key Laboratory of Distributed System Security, Hubei Engineering Research Center on Big Data Security, School of Cyber Science and Engineering, Huazhong University of Science and Technology, Wuhan, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4978-127X","authenticated-orcid":false,"given":"Yi","family":"Liu","sequence":"additional","affiliation":[{"name":"Nanyang Technological University, Singapore, Singapore"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8310-7169","authenticated-orcid":false,"given":"Hui","family":"Li","sequence":"additional","affiliation":[{"name":"School of Cyber Engineering, Xidian University, Xian, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7300-9215","authenticated-orcid":false,"given":"Yang","family":"Liu","sequence":"additional","affiliation":[{"name":"Nanyang Technological University, Singapore, Singapore"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1100-8633","authenticated-orcid":false,"given":"Haoyu","family":"Wang","sequence":"additional","affiliation":[{"name":"Hubei Key Laboratory of Distributed System Security, Hubei Engineering Research Center on Big Data Security, School of Cyber Science and Engineering, Huazhong University of Science and Technology, Wuhan, China"}]}],"member":"320","published-online":{"date-parts":[[2025,7]]},"reference":[{"key":"e_1_3_2_2_2","unstructured":"PPC. 2022. Act on the protection of personal information. Retrieved from https:\/\/www.ppc.go.jp\/"},{"key":"e_1_3_2_3_2","unstructured":"Rob Bonta. 2022. California consumer privacy Act. Retrieved from https:\/\/oag.ca.gov\/privacy\/ccpa"},{"key":"e_1_3_2_4_2","unstructured":"Government of Canada. 2022. Consumer privacy protection Act. Retrieved from https:\/\/ised-isde.canada.ca\/site\/innovation-better-canada\/en\/consumer-privacy-protection-act"},{"key":"e_1_3_2_5_2","unstructured":"WECHATWiki. 2022. ECommerce SaaS solution by WeChat: A complete guide. Retrieved from https:\/\/wechatwiki.com\/wechat-resources\/wechat-mini-shop-ecommerce-solution\/"},{"key":"e_1_3_2_6_2","unstructured":"European Commission. 2022. General data protection regulation. Retrieved from https:\/\/commission.europa.eu\/law\/law-topic\/data-protection_en"},{"key":"e_1_3_2_7_2","unstructured":"CPO Magazine. 2023. First Major analysis of WeChat ecosystem network requests finds privacy gaps undisclosed data sharing. Retrieved from https:\/\/www.cpomagazine.com\/data-privacy\/first-major-analysis-of-wechat-ecosystem-network-requests-finds-privacy-gaps-undisclosed-data-sharing\/"},{"key":"e_1_3_2_8_2","unstructured":"The Citizen Lab. 2023. Should We chat? Privacy in the WeChat ecosystem. Retrieved from https:\/\/citizenlab.ca\/2023\/06\/privacy-in-the-wechat-ecosystem-full-report\/"},{"key":"e_1_3_2_9_2","unstructured":"WeChat. 2023. WeChat API Documentation. Retrieved from https:\/\/developers.weixin.qq.com\/miniprogram\/en\/dev\/api\/"},{"key":"e_1_3_2_10_2","unstructured":"Wechat.com. 2023. WECHAT PRIVACY POLICY. Retrieved from https:\/\/www.wechat.com\/en\/privacy_policy.html"},{"key":"e_1_3_2_11_2","first-page":"585","volume-title":"28th USENIX Security Symposium (USENIX Security \u201919)","author":"Andow Benjamin","year":"2019","unstructured":"Benjamin Andow, Samin Yaseer Mahmud, Wenyu Wang, Justin Whitaker, William Enck, Bradley Reaves, Kapil Singh, and Tao Xie. 2019. PolicyLint: Investigating internal privacy policy contradictions on Google play. In 28th USENIX Security Symposium (USENIX Security \u201919). Nadia Heninger and Patrick Traynor (Eds.), USENIX Association, 585\u2013602. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity19\/presentation\/andow"},{"key":"e_1_3_2_12_2","unstructured":"Benjamin Andow Samin Yaseer Mahmud Justin Whitaker William Enck Bradley Reaves Kapil Singh and Serge Egelman. 2020. Actions speak louder than words: Entity-sensitive privacy policy and data flow analysis with PoliCheck. In 29th USENIX Security Symposium (USENIX Security \u201920). Srdjan Capkun and Franziska Roesner (Eds.) USENIX Association 985\u20131002. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity20\/presentation\/andow"},{"key":"e_1_3_2_13_2","unstructured":"Anonymous. 2023. Online documentation. Retrieved from https:\/\/docs.google.com\/spreadsheets\/d\/1l3P7D9kIRlDiR97ndGaa8xMLXooshIaQa0peYK2kV78\/edit?usp=sharing"},{"key":"e_1_3_2_14_2","unstructured":"appium. 2023. appium. Retrieved from https:\/\/github.com\/appium\/appium"},{"key":"e_1_3_2_15_2","doi-asserted-by":"publisher","DOI":"10.1145\/2594291.2594299"},{"key":"e_1_3_2_16_2","doi-asserted-by":"crossref","unstructured":"Supraja Baskaran Lianying Zhao Mohammad Mannan and Amr M. Youssef. 2023. Measuring the leakage and exploitability of authentication secrets in super-Apps: The WeChat case. arXiv:2307.09317. Retrieved from https:\/\/arxiv.org\/abs\/2307.09317","DOI":"10.1145\/3607199.3607236"},{"key":"e_1_3_2_17_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179338"},{"key":"e_1_3_2_18_2","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484536"},{"key":"e_1_3_2_19_2","doi-asserted-by":"publisher","DOI":"10.1145\/3236024.3236045"},{"key":"e_1_3_2_20_2","first-page":"393","volume-title":"9th USENIX Symposium on Operating Systems Design and Implementation (OSDI \u201910)","author":"Enck William","year":"2010","unstructured":"William Enck, Peter Gilbert, Byung-Gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick D. McDaniel, and Anmol Sheth. 2010. TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones. In 9th USENIX Symposium on Operating Systems Design and Implementation (OSDI \u201910). Remzi H. Arpaci-Dusseau and Brad Chen (Eds.), USENIX Association, 393\u2013407. Retrieved from http:\/\/www.usenix.org\/events\/osdi10\/tech\/full_papers\/Enck.pdf"},{"key":"e_1_3_2_21_2","unstructured":"frida. 2023. frida. Retrieved from https:\/\/github.com\/frida\/frida"},{"key":"e_1_3_2_22_2","doi-asserted-by":"publisher","DOI":"10.1088\/1742-6596\/1087\/6\/062040"},{"key":"e_1_3_2_23_2","unstructured":"Hamza Harkous Kassem Fawaz R\u00e9mi Lebret Florian Schaub Kang G. Shin and Karl Aberer. 2018. Polisis: Automated analysis and presentation of privacy policies using deep learning. arXiv:1802.02561 Retrieved from http:\/\/arxiv.org\/abs\/1802.02561"},{"key":"e_1_3_2_24_2","doi-asserted-by":"publisher","DOI":"10.5815\/ijcnis.2018.06.01"},{"key":"e_1_3_2_25_2","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2023.3299945"},{"key":"e_1_3_2_26_2","doi-asserted-by":"publisher","DOI":"10.1145\/3551349.3560436"},{"key":"e_1_3_2_27_2","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510037"},{"key":"e_1_3_2_28_2","doi-asserted-by":"publisher","DOI":"10.1145\/3324884.3421842"},{"key":"e_1_3_2_29_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE48619.2023.00168"},{"key":"e_1_3_2_30_2","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417255"},{"key":"e_1_3_2_31_2","doi-asserted-by":"publisher","DOI":"10.1109\/ASE56229.2023.00151"},{"key":"e_1_3_2_32_2","first-page":"993","volume-title":"24th USENIX Security Symposium (USENIX Security \u201915)","author":"Nan Yuhong","year":"2015","unstructured":"Yuhong Nan, Min Yang, Zhemin Yang, Shunfan Zhou, Guofei Gu, and Xiaofeng Wang. 2015. UIPicker: User-input privacy identification in mobile applications. In 24th USENIX Security Symposium (USENIX Security \u201915). Jaeyeon Jung and Thorsten Holz (Eds.), USENIX Association, 993\u20131008. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity15\/technical-sessions\/presentation\/nan"},{"key":"e_1_3_2_33_2","unstructured":"r3x5ur. 2023. unveilr. https:\/\/github.com\/r3x5ur\/unveilr"},{"key":"e_1_3_2_34_2","doi-asserted-by":"publisher","DOI":"10.1108\/APJML-08-2020-0621"},{"key":"e_1_3_2_35_2","unstructured":"security-pride. 2023. MiniScope. Retrieved from https:\/\/github.com\/security-pride\/MiniScope"},{"key":"e_1_3_2_36_2","unstructured":"sensepost. 2023. objection. Retrieved from https:\/\/github.com\/sensepost\/objection"},{"key":"e_1_3_2_37_2","doi-asserted-by":"publisher","DOI":"10.1145\/2884781.2884855"},{"key":"e_1_3_2_38_2","first-page":"3789","volume-title":"31st USENIX Security Symposium (USENIX Security \u201922)","author":"Trimananda Rahmadi","year":"2022","unstructured":"Rahmadi Trimananda, Hieu Le, Hao Cui, Janice Tran Ho, Anastasia Shuba, and Athina Markopoulou. 2022. OVRseen: Auditing network traffic and privacy policies in oculus VR. In 31st USENIX Security Symposium (USENIX Security \u201922). Kevin R. B. Butler and Kurt Thomas (Eds.), USENIX Association, 3789\u20133806. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity22\/presentation\/trimananda"},{"key":"e_1_3_2_39_2","unstructured":"W3C. 2023. MiniApp standardization White paper. Retrieved from https:\/\/www.w3.org\/TR\/mini-app-white-paper"},{"key":"e_1_3_2_40_2","unstructured":"W3C. 2023. MiniApp Subpackaging. Retrieved from https:\/\/www.w3.org\/TR\/mini-app-white-paper\/#subpackaging"},{"key":"e_1_3_2_41_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE48619.2023.00086"},{"key":"e_1_3_2_42_2","doi-asserted-by":"crossref","unstructured":"Chao Wang Yue Zhang and Zhiqiang Lin. 2023. Uncovering and exploiting hidden APIs in mobile super apps. arXiv:2306.08134. Retrieved from https:\/\/arxiv.org\/abs\/2306.08134","DOI":"10.1145\/3576915.3616676"},{"key":"e_1_3_2_43_2","doi-asserted-by":"publisher","DOI":"10.1145\/3605762.3624435"},{"key":"e_1_3_2_44_2","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510114"},{"key":"e_1_3_2_45_2","doi-asserted-by":"publisher","DOI":"10.1145\/3180155.3180196"},{"key":"e_1_3_2_46_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2024.3479288"},{"key":"e_1_3_2_47_2","doi-asserted-by":"publisher","DOI":"10.1145\/3691620.3695534"},{"key":"e_1_3_2_48_2","unstructured":"xdmjun. 2023. wxappUnpacker. https:\/\/github.com\/xdmjun\/wxappUnpacker"},{"key":"e_1_3_2_49_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.44"},{"key":"e_1_3_2_50_2","doi-asserted-by":"publisher","DOI":"10.1145\/3605762.3624429"},{"key":"e_1_3_2_51_2","doi-asserted-by":"publisher","DOI":"10.1007\/S10515-018-0237-6"},{"key":"e_1_3_2_52_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2015.31"},{"key":"e_1_3_2_53_2","doi-asserted-by":"publisher","DOI":"10.1145\/3533767.3534221"},{"key":"e_1_3_2_54_2","unstructured":"Yuqing Yang Chao Wang Yue Zhang and Zhiqiang Lin. 2023. SoK: Decoding the super app enigma: The security mechanisms threats and trade-offs in OS-alike apps. arXiv:2306.07495. Retrieved from https:\/\/arxiv.org\/abs\/2306.07495"},{"key":"e_1_3_2_55_2","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560597"},{"key":"e_1_3_2_56_2","unstructured":"Jianyi Zhang Leixin Yang Yuyang Han Zhi Sun and Zixiao Xiang. 2022. A small leak will sink many ships: Vulnerabilities related to mini programs permissions. arXiv:2205.15202. Retrieved from https:\/\/arxiv.org\/abs\/2205.15202"},{"key":"e_1_3_2_57_2","first-page":"1597","volume-title":"31st USENIX Security Symposium (USENIX Security \u201922)","author":"Zhang Lei","year":"2022","unstructured":"Lei Zhang, Zhibo Zhang, Ancong Liu, Yinzhi Cao, Xiaohan Zhang, Yanjun Chen, Yuan Zhang, Guangliang Yang, and Min Yang. 2022. Identity confusion in WebView-based mobile app-in-app ecosystems. In 31st USENIX Security Symposium (USENIX Security \u201922). Kevin R. B. Butler and Kurt Thomas (Eds.), USENIX Association, 1597\u20131613. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity22\/presentation\/zhang-lei"},{"key":"e_1_3_2_58_2","unstructured":"Xiaohan Zhang Yang Wang Xin Zhang Ziqi Huang Lei Zhang and Min Yang. 2023. Understanding privacy over-collection in WeChat sub-app ecosystem. arXiv:2306.08391. Retrieved from https:\/\/arxiv.org\/abs\/2306.08391"},{"key":"e_1_3_2_59_2","doi-asserted-by":"publisher","DOI":"10.1145\/3410220.3460106"},{"key":"e_1_3_2_60_2","doi-asserted-by":"crossref","unstructured":"Yue Zhang Yuqing Yang and Zhiqiang Lin. 2023. Don\u2019t leak your keys: Understanding measuring and exploiting the AppSecret leaks in mini-programs. arXiv:2306.08151. Retrieved from https:\/\/arxiv.org\/abs\/2306.08151","DOI":"10.1145\/3576915.3616591"},{"key":"e_1_3_2_61_2","doi-asserted-by":"publisher","DOI":"10.1145\/3658644.3670294"},{"key":"e_1_3_2_62_2","doi-asserted-by":"crossref","unstructured":"Kaifa Zhao Le Yu Shiyao Zhou Jing Li Xiapu Luo Yat Fei Aemon Chiu and Yutong Liu. 2022. A fine-grained Chinese software privacy policy dataset for sequence labeling and regulation compliant identification. arXiv:2212.04357. Retrieved from https:\/\/arxiv.org\/abs\/2212.04357","DOI":"10.18653\/v1\/2022.emnlp-main.700"},{"key":"e_1_3_2_63_2","doi-asserted-by":"publisher","DOI":"10.1145\/3605762.3624433"},{"key":"e_1_3_2_64_2","doi-asserted-by":"crossref","unstructured":"Sebastian Zimmeck Ziqi Wang Lieyong Zou Roger Iyengar Bin Liu Florian Schaub Shomir Wilson Norman M. Sadeh Steven M. Bellovin and Joel R. Reidenberg. 2016. Automated analysis of privacy requirements for Mobile Apps. In 2016 AAAI Fall Symposia. AAAI Press. Retrieved from http:\/\/aaai.org\/ocs\/index.php\/FSS\/FSS16\/paper\/view\/14113","DOI":"10.14722\/ndss.2017.23034"}],"container-title":["ACM Transactions on Software Engineering and Methodology"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3709351","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,1]],"date-time":"2025-07-01T13:29:58Z","timestamp":1751376598000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3709351"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,7]]},"references-count":63,"journal-issue":{"issue":"6","published-print":{"date-parts":[[2025,7,31]]}},"alternative-id":["10.1145\/3709351"],"URL":"https:\/\/doi.org\/10.1145\/3709351","relation":{},"ISSN":["1049-331X","1557-7392"],"issn-type":[{"value":"1049-331X","type":"print"},{"value":"1557-7392","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,7]]},"assertion":[{"value":"2024-01-19","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-12-11","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-07-01","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}