Uncovering and Exploiting Hidden APIs in Mobile Super Apps

by   Chao Wang, et al.

Mobile applications, particularly those from social media platforms such as WeChat and TikTok, are evolving into "super apps" that offer a wide range of services such as instant messaging and media sharing, e-commerce, e-learning, and e-government. These super apps often provide APIs for developers to create "miniapps" that run within the super app. These APIs should have been thoroughly scrutinized for security. Unfortunately, we find that many of them are undocumented and unsecured, potentially allowing miniapps to bypass restrictions and gain higher privileged access. To systematically identify these hidden APIs before they are exploited by attackers, we developed a tool APIScope with both static analysis and dynamic analysis, where static analysis is used to recognize hidden undocumented APIs, and dynamic analysis is used to confirm whether the identified APIs can be invoked by an unprivileged 3rdparty miniapps. We have applied APIScope to five popular super apps (i.e., WeChat, WeCom, Baidu, QQ, and Tiktok) and found that all of them contain hidden APIs, many of which can be exploited due to missing security checks. We have also quantified the hidden APIs that may have security implications by verifying if they have access to resources protected by Android permissions. Furthermore, we demonstrate the potential security hazards by presenting various attack scenarios, including unauthorized access to any web pages, downloading and installing malicious software, and stealing sensitive information. We have reported our findings to the relevant vendors, some of whom have patched the vulnerabilities and rewarded us with bug bounties.


page 1

page 2

page 3

page 4


A Systematic Study of Android Non-SDK (Hidden) Service API Security

Android allows apps to communicate with its system services via system s...

SoK: Decoding the Super App Enigma: The Security Mechanisms, Threats, and Trade-offs in OS-alike Apps

The super app paradigm, exemplified by platforms such as WeChat and AliP...

Measuring the Leakage and Exploitability of Authentication Secrets in Super-apps: The WeChat Case

We conduct a large-scale measurement of developers' insecure practices l...

A First Look at On-device Models in iOS Apps

Powered by the rising popularity of deep learning techniques on smartpho...

Demystifying RCE Vulnerabilities in LLM-Integrated Apps

In recent years, Large Language Models (LLMs) have demonstrated remarkab...

AUSERA: Large-Scale Automated Security Risk Assessment of Global Mobile Banking Apps

Contemporary financial technology (FinTech) that enables cashless mobile...

Spying on the Spy: Security Analysis of Hidden Cameras

Hidden cameras, also called spy cameras, are surveillance tools commonly...

Please sign up or login with your details

Forgot password? Click here to reset