TY - GEN
T1 - Demystifying Resource Management Risks in Emerging Mobile App-in-App Ecosystems
AU - Lu, Haoran
AU - Xing, Luyi
AU - Xiao, Yue
AU - Zhang, Yifan
AU - Liao, Xiaojing
AU - Wang, Xiao Feng
AU - Wang, Xueqiang
N1 - We would like to thank our shepherd Yanick Fratantonio and the anonymous reviewers for their insightful comments. This work is supported in part by the NSF CNS-1618493, 1801432, 1838083.
PY - 2020/10/30
Y1 - 2020/10/30
AB - App-in-app is a new and trending mobile computing paradigm in which native app-like software modules, called sub-apps, are hosted by popular mobile apps such as Wechat, Baidu, TikTok and Chrome, to enrich the host app's functionalities and to form an "all-in-one app" ecosystem. Sub-apps access system resources through the host, and their functionalities come close to those of regular mobile apps (taking photos, recording voices, banking, shopping, etc.). Less clear, however, is whether the host app, typically a third-party app, is capable of securely managing sub-apps and their access to system resources. In this paper, we report the first systematic study on resource management in app-in-app systems. Our study reveals high-impact security flaws, which allow the adversary to stealthily escalate privilege (e.g., accessing the camera, photo gallery, microphone, etc.) or acquire sensitive data (e.g., location, passwords of Amazon, Google, etc.). To understand the impacts of those flaws, we developed an analysis tool that automatically assesses 11 popular app-in-app platforms on both Android and iOS. Our results brought to light the prevalence of the security flaws. We further discuss the lessons learned and propose mitigation strategies.
KW - access control
KW - app-in-app
KW - permission model
KW - resource management
KW - security analysis
UR - https://www.scopus.com/pages/publications/85096173332
UR - https://www.scopus.com/pages/publications/85096173332#tab=citedBy
U2 - 10.1145/3372297.3417255
DO - 10.1145/3372297.3417255
M3 - Conference contribution
AN - SCOPUS:85096173332
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 569
EP - 585
BT - CCS 2020 - Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security
PB - Association for Computing Machinery
T2 - 27th ACM SIGSAC Conference on Computer and Communications Security, CCS 2020
Y2 - 9 November 2020 through 13 November 2020
ER -