TAINTMINI: Detecting Flow of Sensitive Data in Mini-Programs with Static Taint Analysis

Cited by: 7

Authors
Wang, Chao [1 ]
Ko, Ronny [1 ]
Zhang, Yue [1 ]
Yang, Yuqing [1 ]
Lin, Zhiqiang [1 ]
Affiliations
[1] Ohio State Univ, Columbus, OH 43210 USA
Source
2023 IEEE/ACM 45TH INTERNATIONAL CONFERENCE ON SOFTWARE ENGINEERING, ICSE | 2023
Keywords
Mini-programs; Taint analysis; Privacy leaks detection; Security; Empirical Study;
DOI
10.1109/ICSE48619.2023.00086
CLC (Chinese Library Classification) number
TP31 [Computer software]
Discipline codes
081202; 0835
Abstract
Mini-programs, which are programs running inside mobile super apps such as WeChat, often have access to privacy-sensitive information, such as location data and phone numbers, through APIs provided by the super apps. This access poses a risk of privacy-sensitive data leaks, either accidentally from carelessly programmed mini-programs or intentionally from malicious ones. To address this concern, it is crucial to track the flow of sensitive data in mini-programs for either human analysis or automated tools. Although existing taint analysis techniques have been widely studied, they face unique challenges in tracking sensitive data flows in mini-programs, such as cross-language, cross-page, and cross-mini-program data flows. This paper presents a novel framework, TAINTMINI, which addresses these challenges by using a novel universal data flow graph approach that captures data flows within and across mini-programs. We have evaluated TAINTMINI on 238,866 mini-programs and detected 27,184 that contain sensitive data flows. We have also applied TAINTMINI to detect privacy-leaking colluding mini-programs and identified 455 such programs among them that clearly violate their privacy policy.
Pages: 932 / 944
Page count: 13