A Small Leak Will Sink Many Ships: Vulnerabilities Related to Mini Programs Permissions

by   Jianyi Zhang, et al.

As a new format of mobile application, mini programs, which function within a larger app and are built with HTML, CSS, and JavaScript web technology, have become the way to do almost everything in China. This paper presents our research on the permissions of mini programs. We conducted a systematic study on 9 popular mobile app ecosystems, which host over 7 million mini programs, and tested over 2,580 APIs to understand these emerging systems better. We extracted a common abstracted model for mini programs permission control and revealed six categories of potential security vulnerabilities in the permission environments. It is alarming that the current popular mobile app ecosystems (host apps) under study have at least one security vulnerability. We present the corresponding attack methods to dissect these potential weaknesses further to exploit the discovered vulnerabilities. To prove that the revealed vulnerabilities may cause severe consequences in real-world use, we show three kinds of attacks related to the mini programs' permissions. We have responsibly disclosed the newly discovered vulnerabilities, officially confirmed and revised. Finally, we put forward systematic suggestions to strengthen the standardization of mini programs.


page 2

page 4

page 10

page 12


Don't Leak Your Keys: Understanding, Measuring, and Exploiting the AppSecret Leaks in Mini-Programs

Mobile mini-programs in WeChat have gained significant popularity since ...

Revisiting Security Vulnerabilities in Commercial Password Managers

In this work we analyse five popular commercial password managers for se...

Pentest on an Internet Mobile App: A Case Study using Tramonto

Mobile applications are used to handle different types of data. Commonly...

Measuring the Leakage and Exploitability of Authentication Secrets in Super-apps: The WeChat Case

We conduct a large-scale measurement of developers' insecure practices l...

Demystifying RCE Vulnerabilities in LLM-Integrated Apps

In recent years, Large Language Models (LLMs) have demonstrated remarkab...

Do as You Say: Consistency Detection of Data Practice in Program Code and Privacy Policy in Mini-App

Mini-app is an emerging form of mobile application that combines web tec...

A review on the mobile applications developed for COVID-19: An exploratory analysis

The objective of this research is to explore the existing mobile applica...

Please sign up or login with your details

Forgot password? Click here to reset