TAINTMINI: Detecting Flow of Sensitive Data in Mini-Programs with Static Taint Analysis
A mini-program is a program running inside mobile super apps such as WECHAT. With the APIs provided by the super apps, it can often access various privacy sensitive data such as location, home addresses, and phone numbers. Unavoidably, these privacy sensitive data can be leaked accidentally by carelessly programmed mini-programs, or intentionally by malicious mini-programs. It is therefore imperative to identify and track the flow of sensitive data in mini-programs for either human analysts or automated tools. Although existing taint analysis is well studied, it is still incapable of tracking the flow of sensitive data in mini-programs due to the unique challenges such as the cross-language, cross-page, and cross mini-program data flows. We have thus addressed these challenges by developing a universal data flow graph based approach that captures these data flows within and also cross mini-programs, and developed a framework TAINTMINI. We have evaluated TAINTMINI with 12,481 mini-programs, and detected 1,271 of them contain sensitive data flows. We have also applied TAINTMINI to automatically detect the privacy leakage colluding mini-programs and identified 230 mini-programs that clearly violate the privacy policy by leaking sensitive information such as location data and phone numbers across mini-programs.
Wed 17 MayDisplayed time zone: Hobart change
15:45 - 17:15 | SE for security 1Technical Track / SEET - Software Engineering Education and Training / Journal-First Papers / SEIS - Software Engineering in Society at Meeting Room 103 Chair(s): Abhik Roychoudhury National University of Singapore | ||
15:45 15mTalk | TAINTMINI: Detecting Flow of Sensitive Data in Mini-Programs with Static Taint Analysis Technical Track Chao Wang , Ronny Ko The Ohio State University, Yue Zhang The Ohio State University, Yuqing Yang The Ohio State University, Zhiqiang Lin The Ohio State University | ||
16:00 15mTalk | AChecker: Statically Detecting Smart Contract Access Control Vulnerabilities Technical Track Asem Ghaleb University of British Columbia, Julia Rubin University of British Columbia, Canada, Karthik Pattabiraman University of British Columbia | ||
16:15 15mTalk | Fine-grained Commit-level Vulnerability Type Prediction By CWE Tree Structure Technical Track Shengyi Pan Zhejiang University, Lingfeng Bao Zhejiang University, Xin Xia Huawei, David Lo Singapore Management University, Shanping Li Zhejiang University Pre-print | ||
16:30 15mPaper | Security Thinking in Online Freelance Software Development SEIS - Software Engineering in Society Irum Rauf The Open University, UK, Marian Petre School of Computing and Communications, The Open University, UK, Thein Tun School of Computing and Communications,The Open University, UK; Simply Business, UK, Tamara Lopez The Open University, Bashar Nuseibeh The Open University, UK; Lero, University of Limerick, Ireland | ||
16:45 7mTalk | Open Science in Software Engineering: A Study on Deep Learning-Based Vulnerability Detection Journal-First Papers Yu Nong Washington State University, Rainy Sharma Washington State University, Wahab Hamou-Lhadj Concordia University, Montreal, Canada, Xiapu Luo The Hong Kong Polytechnic University, Haipeng Cai Washington State University Link to publication DOI Authorizer link Pre-print | ||
16:52 8mTalk | Training for Security: Planning the Use of a SAT in the Development Pipeline of Web Apps SEET - Software Engineering Education and Training Sabato Nocera University of Salerno, Simone Romano University of Salerno, Rita Francese University of Salerno, Giuseppe Scanniello University of Salerno | ||
17:00 15mTalk | VulGen: Realistic Vulnerability Generation Via Pattern Mining and Deep Learning Technical Track Yu Nong Washington State University, Yuzhe Ou University of Texas at Dallas, Michael Pradel University of Stuttgart, Feng Chen University of Texas at Dallas, Haipeng Cai Washington State University Pre-print | ||