DOI: 10.1145/3605762.3624435
research-article

On the Usage-scenario-based Data Minimization in Mini Programs

Published: 26 November 2023

Abstract

Mini programs, or MiniApps, have become prevalent in the digital landscape, offering convenience but raising privacy concerns, particularly in data minimization. Existing coarse-grained privacy measures fall short in ensuring effective data minimization due to the complex structure of MiniApps and the specificities of data usage scenarios. This work proposes an innovative end-to-end hybrid analysis framework, comprising three key modules, to analyze fine-grained usage-scenario-based data minimization within MiniApps. The framework constructs the page-transition structure, aligns data collection with specific purposes, and detects violations of data minimization principles. We also outline our plan to evaluate the framework through a large-scale study involving 120K MiniApps. This research represents a significant advancement in the pursuit of responsible data practices within MiniApps, contributing to the broader field of computer science and digital security.

    Published In

    SaTS '23: Proceedings of the 2023 ACM Workshop on Secure and Trustworthy Superapps
    November 2023
    70 pages
    ISBN:9798400702587
    DOI:10.1145/3605762
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. data minimization
    2. mini-programs
    3. privacy

    Qualifiers

    • Research-article

    Funding Sources

    • Knowledge Innovation Program of Wuhan-Basic Research
    • National Key R&D Program of China
    • National Natural Science Foundation of China

    Conference

    CCS '23