ISSTA 2025
Wed 25 - Sat 28 June 2025 Trondheim, Norway
co-located with FSE 2025

The “app-in-app” paradigm is an emerging trend in mobile systems, where super applications (superApps for short) such as WeChat, Baidu and TikTok enable external vendors to develop mini-programs (miniApps for short) on their platforms by providing privileged APIs. To facilitate management, superApps have devised their own permission configuration (called scope) to grant the APIs access to specific capabilities and resources. Adhering to these scopes when implementing the APIs is crucial for maintaining security; otherwise, the permission management of superApps can be bypassed, a vulnerability we refer to as API-scope misalignment.

In this work, we conduct the first systematic study of API-scope misalignment issues in app-in-app ecosystems, uncovering their root causes and security risks. More importantly, we have developed an automatic tool called ScopeChecker to accurately detect API-scope misalignment in both superApps and miniApps. ScopeChecker extracts the standard API-scope mappings by integrating the Android permission mechanism into the functionalities of superApps. Then, LLM-based code generation is used to create executable API snippets as test cases. The execution results give the actual mappings of the APIs to their corresponding scopes, which are then compared with the standard API-scope mappings to identify misalignment. After that, ScopeChecker verifies the identified misalignment in miniApps by matching the misaligned APIs against a tailored method-oriented abstract syntax tree (MAST) of the target miniApp. In the evaluation of top superApps, ScopeChecker identified 38 misaligned APIs, all confirmed by careful manual review, achieving exceptional detection accuracy compared to the state-of-the-art miniApp-focused test methods. As a highlight, we received 11 positive responses from the superApp developers and CNVD, encompassing 9 vulnerability confirmations with rewards: 1 high-risk, 7 medium-risk and 1 low-risk. To further explore the prevalence of API-scope misalignment in miniApps, ScopeChecker evaluated over 42k real-world miniApps, of which 51% were identified to have API-scope misalignment, with an average of 1.4 misaligned APIs per miniApp. Finally, we illustrate 4 types of security threats raised by API-scope misalignment by analyzing real-world exploitation cases.
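To make the comparison step concrete, the following is a small added illustration in Python, not the paper's ScopeChecker code: a documented API-scope mapping, the outcomes of test snippets executed with one scope revoked at a time, the derivation of the scopes actually enforced, and a scan of miniApp source for calls to the misaligned APIs. All API names, scope names and outcomes are constructed and hypothetical (the `sdk.` namespace is invented), and the regex call scan is a crude stand-in for the paper's MAST matching.

```python
import re

# Standard API-scope mapping as a superApp would document it (hypothetical names).
# None marks an unprivileged API that must run without any scope.
STANDARD = {
    "readLocation":  "scope.location",
    "readContacts":  "scope.contacts",
    "readStepCount": "scope.fitness",
    "readCache":     None,
}
# Constructed outcomes of generated test snippets (not measured on any real superApp):
# per API, did the call succeed with every scope granted ("all") and with one scope revoked?
RESULTS = {
    "readLocation":  {"all": True, "scope.location": False, "scope.contacts": True, "scope.fitness": True},
    "readContacts":  {"all": True, "scope.location": True,  "scope.contacts": True, "scope.fitness": True},
    "readStepCount": {"all": True, "scope.location": False, "scope.contacts": True, "scope.fitness": True},
    "readCache":     {"all": True, "scope.location": True,  "scope.contacts": True, "scope.fitness": True},
}

def actual_scopes(outcomes):
    """Scopes actually enforced: those whose revocation alone makes the API fail."""
    if not outcomes["all"]:
        raise ValueError("baseline run failed; the snippet is not a usable probe")
    return {scope for scope, ok in outcomes.items() if scope != "all" and not ok}

def find_misalignment(standard, results):
    """Compare documented against enforced scopes; return {api: (kind, enforced)}."""
    findings = {}
    for api, required in standard.items():
        expected = {required} if required else set()
        enforced = actual_scopes(results[api])
        if enforced != expected:
            # Running with the documented scope revoked bypasses the superApp's scope management.
            kind = "bypass" if required and required not in enforced else "extra-gate"
            findings[api] = (kind, enforced)
    return findings

CALL_RE = re.compile(r"\bsdk\.([A-Za-z_]\w*)\s*\(")
def misaligned_calls(source, findings):
    """Regex stand-in for the paper's MAST matching: (line, api) for each call to a misaligned API."""
    return [(n, api) for n, line in enumerate(source.splitlines(), 1)
            for api in CALL_RE.findall(line) if api in findings]

MINIAPP_JS = """\
Page({ onLoad() {
  sdk.readLocation({ success: r => this.setData({ pos: r }) });
  sdk.readContacts({ success: c => this.setData({ contacts: c }) });
  sdk.readCache({ key: "token" });
} })"""  # constructed miniApp page; line 3 calls a misaligned API
```

With the constructed data, `find_misalignment` reports `readContacts` as running without any scope and `readStepCount` as gated by the wrong scope, and `misaligned_calls` locates the `readContacts` call in the miniApp source.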

The materials of ScopeChecker are available at https://github.com/an-luckydog/ScopeChecker.