With the rapid development of mobile internet, apps have become more and more complex. However, their most used functions are limited to a few pages.
Enter instant app. Instant apps have many advantages over normal apps, such as click-to-play and concise design, and they are becoming more and more popular. There are also some forms of instant app framework in many popular apps, such as Google Play, WeChat, TikTok, etc. In addition, many phone vendors have also embedded instant app frameworks in their pre-installed applications.
However, there is barely any public research on attacking instant apps.
In this talk, we will dive into a common architecture of instant app framework, and demonstrate attack models for it. Based on these attack models, we have reverse engineered top instant app frameworks. We will show how to bypass various kinds of sandboxing and restriction technologies to break isolations between instant apps.
These vulnerabilities could lead to sensitive information leakage, identity theft, account takeover and other severe consequences.In addition, during the study of Google Instant app, we also bypassed component access restrictions, which greatly expands attack surface.
These vulnerabilities and attack models affects more than 60% of Android devices and at least 1 billion users.
Finally, we summarize the root causes of these vulnerabilities at the architectural level and point out the potential attack points. We will also propose practical mitigation measures for specific vulnerabilities.
We hope we could make users and developers aware of the potential security risks while enjoying the convenience of instant apps. We also hope to make security community aware of this emerging new attack surface.