As a new format of mobile application, mini programs, which run inside a larger host app and are built with HTML, CSS, and JavaScript web technologies, have become the way to do almost everything in China. This paper presents our research on the permissions of mini programs. We conducted a systematic study of 9 popular mobile app ecosystems, which together host over 7 million mini programs, and tested over 2,580 APIs to better understand these emerging systems. We extracted a common abstract model of mini program permission control and revealed six categories of potential security vulnerabilities in the permission environments. It is alarming that every one of the popular mobile app ecosystems (host apps) under study has at least one security vulnerability. To dissect these weaknesses further, we present the corresponding attack methods that exploit the discovered vulnerabilities. To show that the revealed vulnerabilities can cause severe consequences in real-world use, we demonstrate three kinds of attacks related to mini program permissions. We have responsibly disclosed the newly discovered vulnerabilities, which have been officially confirmed and revised. Finally, we put forward systematic suggestions to strengthen the standardization of mini programs.