Design Pitfalls in Commercial Mini-Programs on Android and iOS

Presented at Black Hat Europe 2020 Virtual, Dec. 9, 2020, 1:30 p.m. (30 minutes)

A new commercial mobile-computing paradigm, dubbed app-in-app, has gained high popularity in the past years. Under this paradigm, a mobile app, called the host app or host, operates a set of sub-apps (a.k.a. mini-programs) as its in-app components. These mini-programs give users a native-app-like experience and enriched functionality (e-commerce, banking, health, travel management, food delivery, etc.), thereby increasing their "stickiness" to the host: one does not need to leave the app if it does everything. Mini-programs are installed by users from the host's mini-program store, much like Google Play and the Apple App Store, which fosters an ecosystem around the host app. WeChat, for example, a host with one billion users, has one million mini-programs in its store and 200 million daily mini-program users. Nowadays, this app-in-app paradigm is hosted by many popular apps such as WeChat, Alipay, TikTok, Baidu, etc., with other app vendors (e.g., Amazon, Google, Microsoft, Samsung, Airbnb, HSBC) actively releasing mini-programs to these hosts.

Mini-programs access system resources (e.g., camera, microphone, location, contacts) through the mediation of the hosts, which have developed their own access control to manage mini-programs, similar to how the OS manages apps. Less clear, however, is whether the host, a third-party app without OS-level privilege, is capable of securely managing system resources and mini-programs. In this research, we present the first systematic security analysis of 11 popular commercial app-in-app ecosystems. We found four new, serious vulnerabilities, which allow the adversary (a zero-permission mini-program) to stealthily escalate its privileges (e.g., accessing the camera, photo gallery, microphone, etc.) or acquire sensitive data (e.g., location, passwords for Amazon, Google, etc.). The problems affect all 11 hosts on both Android and iOS, with more than 2.6 billion users. We further discuss the lessons learned and possible mitigation strategies.


Presenters:

  • Xiaojing Liao - Assistant Professor, Indiana University Bloomington
    Xiaojing Liao is an Assistant Professor in the Department of Computer Science at Indiana University Bloomington. Her research interest is data-driven security and privacy, with a specific focus on cybercrime, system security, and cyber-physical systems security and privacy.
  • Luyi Xing - Dr., Indiana University Bloomington
    Dr. Luyi Xing joined Indiana University Bloomington (IUB) as an Assistant Professor of Computer Science in 2018 after three years' experience building large commercial systems at Amazon. He now co-leads the System Security Group at IUB with Prof. XiaoFeng Wang and Prof. Xiaojing Liao. His current research focus is security analysis of IoT and mobile systems (both iOS and Android), which has led to the discovery of many design/logic vulnerabilities in commercial and open-source systems. His research broadly involves protocol design and analysis, program analysis, formal verification, machine learning/NLP, etc. He is among the very first few practitioners in iOS security research. What his group discovers is typically fundamental design weaknesses, rather than implementation bugs/mistakes. With an in-depth understanding of systems and innovative, in-depth root cause/challenge analysis, they have developed new techniques to protect systems of Apple, Google, Amazon/AWS, Microsoft, Samsung, IBM, Alibaba, PayPal, Firefox, Tencent and many more. His research on OS X, iOS, Android and cloud has been reported by Time, CNN, Forbes, Mirror, Fox News, Yahoo, CNET, The Register, Sina, 163, Sohu and more.
  • Haoran Lu - Student, Indiana University Bloomington
    Haoran Lu is a PhD student in the Computer Science Department of Indiana University Bloomington. His research interests lie in the field of mobile security (identifying new attack surfaces and emerging threats in both Android and iOS). He is also interested in data-driven security and privacy.