{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,2]],"date-time":"2025-08-02T14:33:19Z","timestamp":1754145199544,"version":"3.41.2"},"reference-count":54,"publisher":"Association for Computing Machinery (ACM)","issue":"ISSTA","funder":[{"name":"Natural Science Foundation of Tianjin of China","award":["23JCYBJC00320"],"award-info":[{"award-number":["23JCYBJC00320"]}]},{"name":"Tianjin Key Science and Technology Project","award":["24HHXCSS00004,24HHXCSS00006"],"award-info":[{"award-number":["24HHXCSS00004,24HHXCSS00006"]}]},{"DOI":"10.13039\/501100001809","name":"the National Natural Science Foundation of China","doi-asserted-by":"crossref","award":["62002177, 62032012, 62172435"],"award-info":[{"award-number":["62002177, 62032012, 62172435"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"crossref"}]},{"DOI":"10.13039\/501100012166","name":"National Key Research and Development Program of China","doi-asserted-by":"publisher","award":["2022YFB3102900"],"award-info":[{"award-number":["2022YFB3102900"]}],"id":[{"id":"10.13039\/501100012166","id-type":"DOI","asserted-by":"publisher"}]},{"name":"the Open Fund of Anhui Province Key Laboratory of Cyberspace Security Situation Awareness and Evaluation","award":["CSSAE-2023-001"],"award-info":[{"award-number":["CSSAE-2023-001"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Proc. ACM Softw. Eng."],"published-print":{"date-parts":[[2025,6,22]]},"abstract":"<jats:p>The \"app-in-app\" paradigm is an emerging trend in mobile systems, where super applications (short for superApps) such as WeChat, Baidu, TikTok, enable external vendors to develop mini-programs (short for miniApps) on their platforms by providing privileged APIs. To facilitate management, superApps have devised their specific permission configuration (called scope) to grant the APIs access to specific capabilities and resources. Adhering to these scopes during API implementation is crucial for maintaining security; otherwise, the permission management of superApps can be bypassed\u2014a vulnerability we refer to as API-scope misalignment.  \nIn this work, we conduct the first systematic study on the API-scope misalignment issues in the app-in-app ecosystems, uncovering root causes and security risks. More importantly, we developed an automatic tool called ScopeChecker to detect the API-scope misalignment in both superApps and miniApps. ScopeChecker extracts the standard API-scope mappings by integrating the Android permission mechanism into the functionalities of superApps. Then, LLM-based code generation is used to create executable API snippets as test cases. The execution results reflect the actual mappings of APIs to their scopes, which are compared with the standard API-scope mappings to identify misalignment. After that, ScopeChecker verifies the identified misalignment in miniApps by matching the misaligned APIs with a tailored method-oriented abstract syntax tree (MAST) of the target miniApp. ScopeChecker identified 38 misaligned APIs in top superApps with manual confirmation, outperforming the state-of-the-art miniApp-focused test methods. As a highlight, we received 11 positive responses from the superApp developers and CNVD, encompassing 9 vulnerability confirmations with rewards: 1 high-risk, 7 medium-risk, and 1 low-risk. To assess prevalence, ScopeChecker evaluated 42\ud835\udc58+ miniApps, and found 51% had API-scope misalignment, averaging 1.4 misaligned APIs each. At last, we illustrated 4 types of security threats raised by the API-scope misalignment by analyzing real-world exploitation cases.<\/jats:p>","DOI":"10.1145\/3728962","type":"journal-article","created":{"date-parts":[[2025,6,22]],"date-time":"2025-06-22T10:52:56Z","timestamp":1750589576000},"page":"1933-1954","source":"Crossref","is-referenced-by-count":0,"title":["Uncovering API-Scope Misalignment in the App-in-App Ecosystem"],"prefix":"10.1145","volume":"2","author":[{"ORCID":"https:\/\/orcid.org\/0009-0000-6549-9525","authenticated-orcid":false,"given":"Jiarui","family":"Che","sequence":"first","affiliation":[{"name":"College of Computer Science, Nankai University, Tianjin, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1510-6548","authenticated-orcid":false,"given":"Chenkai","family":"Guo","sequence":"additional","affiliation":[{"name":"College of Cryptology and Cyber Science, Nankai University, Tianjin, China"},{"name":"Haihe Lab of ITAI, Tianjin, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8248-3362","authenticated-orcid":false,"given":"Naipeng","family":"Dong","sequence":"additional","affiliation":[{"name":"School of Electrical Engineering and Computer Science, University of Queensland, Brisbane, Australia"}]},{"ORCID":"https:\/\/orcid.org\/0009-0000-6979-0790","authenticated-orcid":false,"given":"Jiaqi","family":"Pei","sequence":"additional","affiliation":[{"name":"College of Cryptology and Cyber Science, Nankai University, Tianjin, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2428-9297","authenticated-orcid":false,"given":"Lingling","family":"Fan","sequence":"additional","affiliation":[{"name":"College of Cryptology and Cyber Science, Nankai University, Tianjin, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0004-9433-3291","authenticated-orcid":false,"given":"Xun","family":"Mi","sequence":"additional","affiliation":[{"name":"College of Cryptology and Cyber Science, Nankai University, Tianjin, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8245-8415","authenticated-orcid":false,"given":"Xueshuo","family":"Xie","sequence":"additional","affiliation":[{"name":"Haihe Lab of ITAI, Tianjin, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3225-4649","authenticated-orcid":false,"given":"Xiangyang","family":"Luo","sequence":"additional","affiliation":[{"name":"State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2984-2661","authenticated-orcid":false,"given":"Zheli","family":"Liu","sequence":"additional","affiliation":[{"name":"DISSec, College of Cryptology and Cyber Science, Nankai University, Tianjin, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0001-8764-8605","authenticated-orcid":false,"given":"Renhong","family":"Cheng","sequence":"additional","affiliation":[{"name":"College of Computer Science, Nankai University, Tianjin, China"}]}],"member":"320","published-online":{"date-parts":[[2025,6,22]]},"reference":[{"key":"e_1_2_1_1_1","first-page":"1164","volume-title":"Proceedings of the 2018 ACM CCS","author":"Aafer Yousra","year":"2018","unstructured":"Yousra Aafer, Guanhong Tao, Jianjun Huang, Xiangyu Zhang, and Ninghui Li. Precise android api protection mapping derivation and reasoning. In Proceedings of the 2018 ACM CCS, pages 1151\u20131164, 2018."},{"key":"e_1_2_1_2_1","volume-title":"Gpt-4 technical report. arXiv preprint arXiv:2303.08774","author":"Team The","year":"2023","unstructured":"The OpenAI Team. Gpt-4 technical report. arXiv preprint arXiv:2303.08774, 2023."},{"key":"e_1_2_1_3_1","first-page":"1030","volume-title":"Proceedings of the 32nd ISSTA","author":"Alonso Juan C","year":"2023","unstructured":"Juan C Alonso, Sergio Segura, and Antonio Ruiz-Cort\u00e9s. AGORA: automated generation of test oracles for REST APIs. In Proceedings of the 32nd ISSTA, pages 1018\u20131030, 2023."},{"key":"e_1_2_1_4_1","volume-title":"android jdk. https:\/\/developer.android.google.cn\/reference\/packages","author":"ANDROID.","year":"2007","unstructured":"ANDROID. android jdk. https:\/\/developer.android.google.cn\/reference\/packages, 2007."},{"volume-title":"astexploer. https:\/\/github.com\/fkling\/astexplorer","year":"2017","key":"e_1_2_1_5_1","unstructured":"fkling. astexploer. https:\/\/github.com\/fkling\/astexplorer, 2017."},{"key":"e_1_2_1_6_1","first-page":"1118","volume-title":"Proceedings of the USENIX security","author":"Backes Michael","year":"2016","unstructured":"Michael Backes, Sven Bugiel, Erik Derr, Patrick McDaniel, Damien Octeau, and Sebastian Weisgerber. On demystifying the android application framework:\u211c-Visiting android permission specification analysis. In Proceedings of the USENIX security, pages 1101\u20131118, 2016."},{"key":"e_1_2_1_7_1","first-page":"14722","volume-title":"Giovanni Vigna. Obfuscation-Resilient Privacy Leak Detection for Mobile Apps Through Differential Analysis. In Proceedings of NDSS","volume":"17","author":"Continella Andrea","year":"2017","unstructured":"Andrea Continella, Yanick Fratantonio, Martina Lindorfer, Alessandro Puccetti, Ali Zand, Christopher Kruegel, and Giovanni Vigna. Obfuscation-Resilient Privacy Leak Detection for Mobile Apps Through Differential Analysis. In Proceedings of NDSS, volume 17, pages 10\u201314722, 2017."},{"key":"e_1_2_1_8_1","first-page":"56","volume-title":"Proceedings of the 22nd ACM CCS","author":"Deng Zhui","year":"2015","unstructured":"Zhui Deng, Brendan Saltaformaggio, Xiangyu Zhang, and Dongyan Xu. iris: Vetting private api abuse in ios applications. In Proceedings of the 22nd ACM CCS, pages 44\u201356, 2015."},{"key":"e_1_2_1_9_1","volume-title":"Alipay Documentation Center. https:\/\/opendocs.alipay.com\/mini\/api","author":"Teams Alipay Development","year":"2023","unstructured":"Alipay Development Teams. Alipay Documentation Center. https:\/\/opendocs.alipay.com\/mini\/api, 2023."},{"key":"e_1_2_1_10_1","volume-title":"Baidu Smart Mini Program Documentation Center. https:\/\/smartprogram.baidu.com\/docs\/develop\/api\/apilist\/","author":"Teams Baidu Development","year":"2023","unstructured":"Baidu Development Teams. Baidu Smart Mini Program Documentation Center. https:\/\/smartprogram.baidu.com\/docs\/develop\/api\/apilist\/, 2023."},{"key":"e_1_2_1_11_1","volume-title":"Tencent QQ Documentation. https:\/\/q.qq.com\/wiki\/develop\/miniprogram\/API\/","author":"Development Teams Tencent QQ","year":"2023","unstructured":"Tencent QQ Development Teams. Tencent QQ Documentation. https:\/\/q.qq.com\/wiki\/develop\/miniprogram\/API\/, 2023."},{"key":"e_1_2_1_12_1","volume-title":"Douyin Developer Platform. https:\/\/developer.open-douyin.com\/docs\/resource\/zh-CN\/mini-app\/develop\/api\/overview","author":"Chinese Development Teams TikTok","year":"2023","unstructured":"TikTok Chinese Development Teams. Douyin Developer Platform. https:\/\/developer.open-douyin.com\/docs\/resource\/zh-CN\/mini-app\/develop\/api\/overview, 2023."},{"key":"e_1_2_1_13_1","volume-title":"WeChat Official Development Documentation. https:\/\/developers.weixin.qq.com\/miniprogram\/dev\/api\/","author":"Development Teams WeChat","year":"2023","unstructured":"WeChat Development Teams. WeChat Official Development Documentation. https:\/\/developers.weixin.qq.com\/miniprogram\/dev\/api\/, 2023."},{"volume-title":"eval5. https:\/\/github.com\/bplok20010\/eval5","year":"2020","key":"e_1_2_1_14_1","unstructured":"bplok20010. eval5. https:\/\/github.com\/bplok20010\/eval5, 2020."},{"key":"e_1_2_1_15_1","first-page":"638","volume-title":"Proceedings of the 18th ACM CCS","author":"Felt Adrienne Porter","year":"2011","unstructured":"Adrienne Porter Felt, Erika Chin, Steve Hanna, Dawn Song, and David Wagner. Android permissions demystified. In Proceedings of the 18th ACM CCS, pages 627\u2013638, 2011."},{"key":"e_1_2_1_16_1","first-page":"307","volume-title":"Proceedings of TRUST","author":"Gibler Clint","unstructured":"Clint Gibler, Jonathan Crussell, Jeremy Erickson, and Hao Chen. Androidleaks: Automatically detecting potential privacy leaks in android applications on a large scale. In Proceedings of TRUST, pages 291\u2013307. Springer, 2012."},{"key":"e_1_2_1_17_1","volume-title":"https:\/\/platform.openai.com\/docs\/models\/gpt-4-and-gpt-4-turbo","author":"Team The","year":"2023","unstructured":"The OpenAI Team. GPT4-api. https:\/\/platform.openai.com\/docs\/models\/gpt-4-and-gpt-4-turbo, 2023."},{"key":"e_1_2_1_18_1","first-page":"1004","volume-title":"Proceedings of the 32nd ISSTA","author":"Hu Jiajun","year":"2023","unstructured":"Jiajun Hu, Lili Wei, Yepang Liu, and Shing-Chi Cheung. \u03c9Test: WebView-Oriented Testing for Android Applications. In Proceedings of the 32nd ISSTA, pages 992\u20131004, 2023."},{"key":"e_1_2_1_19_1","volume-title":"Stuart Steiner, and Jim Alves-Foss. Analysis of web browser security configuration options. KSII Transactions on Internet and Information Systems (TIIS), 12(12):6139\u20136160","author":"Jillepalli Ananth A","year":"2018","unstructured":"Ananth A Jillepalli, Daniel Conte de Leon, Stuart Steiner, and Jim Alves-Foss. Analysis of web browser security configuration options. KSII Transactions on Internet and Information Systems (TIIS), 12(12):6139\u20136160, 2018."},{"key":"e_1_2_1_20_1","first-page":"100048","volume-title":"Natural Language Processing Journal","author":"Kalyan Katikapalli Subramanyam","year":"2023","unstructured":"Katikapalli Subramanyam Kalyan. A survey of GPT-3 family large language models including ChatGPT and GPT-4. Natural Language Processing Journal, pages 100048, 2023."},{"key":"e_1_2_1_21_1","first-page":"291","volume-title":"Proceedings of ICSE","volume":"1","author":"Li Li","year":"2015","unstructured":"Li Li, Alexandre Bartel, Tegawend\u00e9 F. Bissyand\u00e9, Jacques Klein, Yves Le Traon, Steven Arzt, Siegfried Rasthofer, Eric Bodden, Damien Octeau, and Patrick McDaniel. Iccta: Detecting inter-component privacy leaks in android apps. In Proceedings of ICSE, volume 1, pages 280\u2013291, 2015."},{"key":"e_1_2_1_22_1","first-page":"163","volume-title":"Proceedings of the 27th ISSTA","author":"Li Li","year":"2018","unstructured":"Li Li, Tegawend\u00e9 F. Bissyand\u00e9, Haoyu Wang, and Jacques Klein. Cid: Automating the detection of api-related compatibility issues in android apps. In Proceedings of the 27th ISSTA, pages 153\u2013163, 2018."},{"key":"e_1_2_1_23_1","first-page":"252","volume-title":"Lingming Zhang. A Large-scale Study on API Misuses in the Wild. In 2021 14th IEEE conference on software testing, verification and validation (ICST)","author":"Li Xia","unstructured":"Xia Li, Jiajun Jiang, Samuel Benton, Yingfei Xiong, and Lingming Zhang. A Large-scale Study on API Misuses in the Wild. In 2021 14th IEEE conference on software testing, verification and validation (ICST), pages 241\u2013252. IEEE, 2021."},{"key":"e_1_2_1_24_1","first-page":"1250","volume-title":"Proceedings of ICSE","author":"Li Zongjie","year":"2023","unstructured":"Zongjie Li, Chaozheng Wang, Zhibo Liu, Haoxuan Wang, Dong Chen, Shuai Wang, and Cuiyun Gao. Cctest: Testing and repairing code completion systems. In Proceedings of ICSE, pages 1238\u20131250, 2023."},{"key":"e_1_2_1_25_1","volume-title":"IEEE TDSC","author":"Li Wei","year":"2023","unstructured":"Wei Li, Borui Yang, Hangyu Ye, Liyao Xiang, Qingxiao Tao, Xinbing Wang, and Chenghu Zhou. MiniTracker: Large-Scale Sensitive Information Tracking in Mini Apps. IEEE TDSC, 2023."},{"key":"e_1_2_1_26_1","volume-title":"IEEE TIFS","author":"Li Shuai","year":"2024","unstructured":"Shuai Li, Zhemin Yang, Yunteng Yang, Dingyi Liu, and Min Yang. Identifying Cross-User Privacy Leakage in Mobile Mini-Apps at A Large Scale. IEEE TIFS, 2024."},{"key":"e_1_2_1_27_1","first-page":"487","volume-title":"Proceedings of the 9th joint meeting on foundations of software engineering","author":"Linares-V\u00e1squez Mario","year":"2013","unstructured":"Mario Linares-V\u00e1squez, Gabriele Bavota, Carlos Bernal-C\u00e1rdenas, Massimiliano Di Penta, Rocco Oliveto, and Denys Poshyvanyk. Api change and fault proneness: A threat to the success of android apps. In Proceedings of the 9th joint meeting on foundations of software engineering, pages 477\u2013487, 2013."},{"key":"e_1_2_1_28_1","first-page":"628","volume-title":"Proceedings of the 31st ISSTA","author":"Liu Pei","year":"2022","unstructured":"Pei Liu, Yanjie Zhao, Haipeng Cai, Mattia Fazzini, John Grundy, and Li Li. Automatically detecting api-induced compatibility issues in android apps: a comparative analysis (replicability study). In Proceedings of the 31st ISSTA, pages 617\u2013628, 2022."},{"key":"e_1_2_1_29_1","first-page":"543","volume-title":"Proceedings of the 28th ACM International Conference on Architectural Support for Programming Languages and Operating Systems","volume":"2","author":"Liu Jiawei","year":"2023","unstructured":"Jiawei Liu, Jinkun Lin, Fabian Ruffy, Cheng Tan, Jinyang Li, Aurojit Panda, and Lingming Zhang. Nnsmith: Generating diverse and valid test cases for deep learning compilers. In Proceedings of the 28th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 2, pages 530\u2013543, 2023."},{"key":"e_1_2_1_30_1","first-page":"585","volume-title":"Proceedings of the ACM CCS","author":"Lu Haoran","year":"2020","unstructured":"Haoran Lu, Luyi Xing, Yue Xiao, Yifan Zhang, Xiaojing Liao, XiaoFeng Wang, and Xueqiang Wang. Demystifying resource management risks in emerging mobile app-in-app ecosystems. In Proceedings of the ACM CCS, pages 569\u2013585, 2020."},{"key":"e_1_2_1_31_1","first-page":"420","volume-title":"Proceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering","author":"Martin-Lopez Alberto","year":"2022","unstructured":"Alberto Martin-Lopez, Sergio Segura, and Antonio Ruiz-Cort\u00e9s. Online testing of RESTful APIs: Promises and challenges. In Proceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pages 408\u2013420, 2022."},{"key":"e_1_2_1_32_1","first-page":"1415","volume-title":"Haoyu Wang. Wemint: Tainting Sensitive Data Leaks in WeChat Mini-Programs. In Proceedings of ASE","author":"Meng Shi","year":"2023","unstructured":"Shi Meng, Liu Wang, Shenao Wang, Kailong Wang, Xusheng Xiao, Guangdong Bai, and Haoyu Wang. Wemint: Tainting Sensitive Data Leaks in WeChat Mini-Programs. In Proceedings of ASE, pages 1403\u20131415, 2023."},{"key":"e_1_2_1_33_1","first-page":"332","volume-title":"Proceedings of the 5th ACM symposium on information, computer and communications security","author":"Nauman Mohammad","year":"2010","unstructured":"Mohammad Nauman, Sohail Khan, and Xinwen Zhang. Apex: extending android permission model and enforcement with user-defined runtime constraints. In Proceedings of the 5th ACM symposium on information, computer and communications security, pages 328\u2013332, 2010."},{"key":"e_1_2_1_34_1","first-page":"55","volume-title":"Proceedings of the 5th international conference on mobile software engineering and systems","author":"Scoccia Gian Luca","year":"2018","unstructured":"Gian Luca Scoccia, Stefano Ruberto, Ivano Malavolta, Marco Autili, and Paola Inverardi. An investigation into Android run-time permissions from the end users\u2019 perspective. In Proceedings of the 5th international conference on mobile software engineering and systems, pages 45\u201355, 2018."},{"key":"e_1_2_1_35_1","first-page":"149","volume-title":"Companion Proceedings for the ISSTA\/ECOOP 2018 Workshops","author":"Schuler Andreas","year":"2018","unstructured":"Andreas Schuler and Gabriele Anderst-Kotsis. Towards a framework for detecting energy drain in mobile applications: An architecture overview. In Companion Proceedings for the ISSTA\/ECOOP 2018 Workshops, pages 144\u2013149, 2018."},{"key":"e_1_2_1_36_1","volume-title":"IEEE TSE","author":"Sch\u00e4fer Max","year":"2023","unstructured":"Max Sch\u00e4fer, Sarah Nadi, Aryaz Eghbali, and Frank Tip. An empirical evaluation of using large language models for automated unit test generation. IEEE TSE, 2023."},{"key":"e_1_2_1_37_1","first-page":"2735","volume-title":"Proceedings of KDD","author":"Svyatkovskiy Alexey","year":"2019","unstructured":"Alexey Svyatkovskiy, Ying Zhao, Shengyu Fu, and Neel Sundaresan. Pythia: ai-assisted code completion system. In Proceedings of KDD, pages 2727\u20132735, 2019."},{"key":"e_1_2_1_38_1","first-page":"224","volume-title":"Proceedings of the 40th International Conference on Software Engineering: Software Engineering in Practice","author":"Toffalini Flavio","year":"2018","unstructured":"Flavio Toffalini, Jun Sun, and Mart\u00edn Ochoa. Static analysis of context leaks in android applications. In Proceedings of the 40th International Conference on Software Engineering: Software Engineering in Practice, pages 215\u2013224, 2018."},{"issue":"1","key":"e_1_2_1_39_1","first-page":"185","article-title":"Runtime permission issues in android apps: Taxonomy, practices, and ways forward","volume":"49","author":"Wang Ying","year":"2022","unstructured":"Ying Wang, Yibo Wang, Sinan Wang, Yepang Liu, Chang Xu, Shing-Chi Cheung, Hai Yu, and Zhiliang Zhu. Runtime permission issues in android apps: Taxonomy, practices, and ways forward. IEEE TSE, 49(1):185\u2013210, 2022.","journal-title":"IEEE TSE"},{"key":"e_1_2_1_40_1","first-page":"944","volume-title":"Proceedings of ICSE","author":"Wang Chao","year":"2023","unstructured":"Chao Wang, Ronny Ko, Yue Zhang, Yuqing Yang, and Zhiqiang Lin. Taintmini: Detecting flow of sensitive data in mini-programs with static taint analysis. In Proceedings of ICSE, pages 932\u2013944, 2023."},{"key":"e_1_2_1_41_1","first-page":"6646","volume-title":"Zhiqiang Lin. One Size Does Not Fit All: Uncovering and Exploiting Cross Platform Discrepant APIs in WeChat. In Proceedings of the USENIX Security","author":"Wang Chao","year":"2023","unstructured":"Chao Wang, Yue Zhang, and Zhiqiang Lin. One Size Does Not Fit All: Uncovering and Exploiting Cross Platform Discrepant APIs in WeChat. In Proceedings of the USENIX Security, pages 6629\u20136646, 2023."},{"key":"e_1_2_1_42_1","volume-title":"Uncovering and Exploiting Hidden APIs in Mobile Super Apps. arXiv preprint arXiv:2306.08134","author":"Wang Chao","year":"2023","unstructured":"Chao Wang, Yue Zhang, and Zhiqiang Lin. Uncovering and Exploiting Hidden APIs in Mobile Super Apps. arXiv preprint arXiv:2306.08134, 2023."},{"key":"e_1_2_1_43_1","volume-title":"MiniScope: Automated UI Exploration and Privacy Inconsistency Detection of MiniApps via Two-phase Iterative Hybrid Analysis. CoRR, abs\/2401.03218","author":"Wang Shenao","year":"2024","unstructured":"Shenao Wang, Yuekang Li, Kailong Wang, Yi Liu, Hui Li, Yang Liu, and Haoyu Wang. MiniScope: Automated UI Exploration and Privacy Inconsistency Detection of MiniApps via Two-phase Iterative Hybrid Analysis. CoRR, abs\/2401.03218, 2024."},{"key":"e_1_2_1_44_1","first-page":"40","volume-title":"Proceedings of the 28th Annual Computer Security Applications Conference","author":"Wei Xuetao","year":"2012","unstructured":"Xuetao Wei, Lorenzo Gomez, Iulian Neamtiu, and Michalis Faloutsos. Permission evolution in the android ecosystem. In Proceedings of the 28th Annual Computer Security Applications Conference, pages 31\u201340, 2012."},{"key":"e_1_2_1_45_1","first-page":"1262","volume-title":"Proceedings of the USENIX security","author":"Wong Michelle Y","year":"2018","unstructured":"Michelle Y Wong and David Lie. Tackling runtime-based obfuscation in android with TIRO. In Proceedings of the USENIX security, pages 1247\u20131262, 2018."},{"key":"e_1_2_1_46_1","first-page":"13","volume-title":"Proceedings of the 32nd ISSTA","author":"Wu Shuohan","year":"2023","unstructured":"Shuohan Wu, Jianfeng Li, Hao Zhou, Yongsheng Fang, Kaifa Zhao, Haoyu Wang, Chenxiong Qian, and Xiapu Luo. CydiOS: A Model-Based Testing Framework for iOS Apps. In Proceedings of the 32nd ISSTA, pages 1\u201313, 2023."},{"volume-title":"Open capabilities\/user information\/authorisation. WeChat Official Document","year":"2018","key":"e_1_2_1_47_1","unstructured":"Wechat. Open capabilities\/user information\/authorisation. WeChat Official Document, 2018."},{"key":"e_1_2_1_48_1","first-page":"536","volume-title":"Proceedings of the 9th ACM symposium on Information, computer and communications security","author":"Yang Kun","year":"2014","unstructured":"Kun Yang, Jianwei Zhuge, Yongke Wang, Lujue Zhou, and Haixin Duan. IntentFuzzer: detecting capability leaks of android applications. In Proceedings of the 9th ACM symposium on Information, computer and communications security, pages 531\u2013536, 2014."},{"key":"e_1_2_1_49_1","first-page":"3092","volume-title":"Proceedings of the ACM CCS","author":"Yang Yuqing","year":"2022","unstructured":"Yuqing Yang, Yue Zhang, and Zhiqiang Lin. Cross miniapp request forgery: Root causes, attacks, and vulnerability detection. In Proceedings of the ACM CCS, pages 3079\u20133092, 2022."},{"key":"e_1_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/3460081"},{"key":"e_1_2_1_51_1","first-page":"1613","volume-title":"Proceedings of the USENIX Security","author":"Zhang Lei","year":"2022","unstructured":"Lei Zhang, Zhibo Zhang, Ancong Liu, Yinzhi Cao, Xiaohan Zhang, Yanjun Chen, Yuan Zhang, Guangliang Yang, and Min Yang. Identity confusion in WebView-based mobile app-in-app ecosystems. In Proceedings of the USENIX Security, pages 1597\u20131613, 2022."},{"key":"e_1_2_1_52_1","volume-title":"Don\u2019t Leak Your Keys: Understanding, Measuring, and Exploiting the AppSecret Leaks in Mini-Programs. arXiv preprint arXiv:2306.08151","author":"Zhang Yue","year":"2023","unstructured":"Yue Zhang, Yuqing Yang, and Zhiqiang Lin. Don\u2019t Leak Your Keys: Understanding, Measuring, and Exploiting the AppSecret Leaks in Mini-Programs. arXiv preprint arXiv:2306.08151, 2023."},{"key":"e_1_2_1_53_1","first-page":"2425","volume-title":"Proceedings of the ACM CCS","author":"Zhang Yue","year":"2023","unstructured":"Yue Zhang, Yuqing Yang, and Zhiqiang Lin. Don\u2019t leak your keys: Understanding, measuring, and exploiting the appsecret leaks in mini-programs. In Proceedings of the ACM CCS, pages 2411\u20132425, 2023."},{"key":"e_1_2_1_54_1","first-page":"606","volume-title":"Proceedings of COMPSAC","author":"Zhang Jianyi","year":"2023","unstructured":"Jianyi Zhang, Leixin Yang, Yuyang Han, Zixiao Xiang, and Xiali Hei. A Small Leak Will Sink Many Ships: Vulnerabilities Related to mini-programs Permissions. In Proceedings of COMPSAC, pages 595\u2013606, 2023."}],"container-title":["Proceedings of the ACM on Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3728962","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,16]],"date-time":"2025-07-16T16:47:06Z","timestamp":1752684426000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3728962"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,6,22]]},"references-count":54,"journal-issue":{"issue":"ISSTA","published-print":{"date-parts":[[2025,6,22]]}},"alternative-id":["10.1145\/3728962"],"URL":"https:\/\/doi.org\/10.1145\/3728962","relation":{},"ISSN":["2994-970X"],"issn-type":[{"type":"electronic","value":"2994-970X"}],"subject":[],"published":{"date-parts":[[2025,6,22]]}}}