Baskaran, Supraja (2023) Measuring the Leakage and Exploitability of Authentication Secrets in Super-apps: The WeChat Case. Masters thesis, Concordia University.
Text (application/pdf), 1MB: Baskaran_MASc_S2024.pdf - Accepted Version. Available under License Spectrum Terms of Access.
Abstract
Super-apps such as WeChat and Baidu host millions of mini-apps, which are very popular among users and developers because mini-apps are convenient, lightweight, easy to share, and require no explicit installation. Such ecosystems involve several entities, such as the super-app and mini-app clients, the super-app backend server, the mini-app developer server, and other hosting platforms and services used by the mini-app developer. To support various user-level functionalities, these components must authenticate each other, which is different from regular user authentication to the super-app platform. In this paper, we explore the mini-app to super-app authentication problem, where mini-app code gets authenticated to access super-app services on the developer's behalf.
We conduct a large-scale measurement of developers' insecure practices leading to mini-app to super-app authentication flaws, among which hard-coding developer secrets for such authentication is a major contributor. We also analyze the exploitability and security consequences of these authentication flaws by examining individual super-app server-side APIs. We develop an analysis framework for measuring such authentication flaws, and primarily analyze 110,993 WeChat mini-apps and 10,000 Baidu mini-apps (two of the most prominent super-app platforms), along with a few more datasets to test the evolution of developer practices and platform security enforcements over time. We found that a large number of WeChat mini-apps (36,425, 32.8%) and a few Baidu mini-apps (112) leak their developer secrets, which can cause severe security and privacy problems for the users and developers of mini-apps. A network attacker who does not even have an account on the super-app platform can effectively take down a mini-app, send malicious and phishing links to users, and access sensitive information of the mini-app developer and its users. We responsibly disclosed our findings and also put forward potential directions that could be considered to alleviate/eliminate the root causes of these authentication flaws.
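The flaw the abstract measures is a developer secret shipped inside the mini-app client; for WeChat that is the AppSecret, which together with the AppID is exchanged for a server-side access token. As an added illustration, not code from the thesis or its analysis framework, the scanner below flags that pattern in mini-app JavaScript; it assumes the documented `cgi-bin/token` endpoint and that an AppSecret is a 32-character hex string.

```javascript
// Added example, not from the thesis: flag hard-coded WeChat developer secrets in
// mini-app client source. The client bundle ships to every user, so a secret in it is public.
// WeChat's access-token endpoint takes the AppID and AppSecret as query params.
const TOKEN_URL_RE =
  /api\.weixin\.qq\.com\/cgi-bin\/token\?(?:[^"'`\s]*?&)?secret=([^&"'`\s]+)/g;
// Assumption: an AppSecret is a 32-character hex string.
const SECRET_KEY_RE =
  /\b(?:appsecret|app_secret|secret)\b["']?\s*[:=]\s*["'`]([0-9a-f]{32})["'`]/gi;
const HEX32_RE = /^[0-9a-f]{32}$/i;

// 1-based line number of a character offset in `text`.
function lineOf(text, offset) {
  return text.slice(0, offset).split("\n").length;
}

// Scan one mini-app source file; each finding names the leak kind, the secret
// value and its line so the developer can locate it and rotate the secret.
function findHardcodedSecrets(source) {
  const findings = [];
  for (const m of source.matchAll(TOKEN_URL_RE)) {
    // "secret=" + variable or secret=${v} is not flagged: the value must be hex.
    if (HEX32_RE.test(m[1])) {
      findings.push({ kind: "secret-in-token-url", value: m[1], line: lineOf(source, m.index) });
    }
  }
  for (const m of source.matchAll(SECRET_KEY_RE)) {
    findings.push({ kind: "secret-literal", value: m[1], line: lineOf(source, m.index) });
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample of a leaky mini-app page (all values are fake).
const SAMPLE_LEAKY = [
  'const APP_ID = "wx1234567890abcdef";',
  'const APP_SECRET = "0123456789abcdef0123456789abcdef";',
  "wx.request({",
  '  url: "https://api.weixin.qq.com/cgi-bin/token?grant_type=client_credential&appid=wx1234567890abcdef&secret=0123456789abcdef0123456789abcdef",',
  "});",
].join("\n");

// The safe shape: the client calls the developer's own server, which keeps the
// AppSecret and performs the token-backed action on the mini-app's behalf.
const SAMPLE_SAFE = [
  "wx.request({",
  '  url: "https://developer.example.com/api/send-notification",',
  "});",
].join("\n");

console.log(findHardcodedSecrets(SAMPLE_LEAKY)); // two findings: lines 2 and 4
console.log(findHardcodedSecrets(SAMPLE_SAFE));  // []
```

A pattern scanner like this misses secrets that are obfuscated or assembled at runtime, so it is a triage aid for a code review, not a substitute for keeping the AppSecret off the client entirely.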
| Field | Value |
|---|---|
| Divisions: | Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering |
| Item Type: | Thesis (Masters) |
| Authors: | Baskaran, Supraja |
| Institution: | Concordia University |
| Degree Name: | M.A. Sc. |
| Program: | Information Systems Security |
| Date: | 9 October 2023 |
| Thesis Supervisor(s): | Mannan, Mohammad and Youssef, Amr |
| Keywords: | Authentication, Mini-app Security, WeChat, Hard-coded Secrets |
| ID Code: | 993109 |
| Deposited By: | Supraja Baskaran |
| Deposited On: | 05 Jun 2024 16:17 |
| Last Modified: | 05 Jun 2024 16:17 |