{"id":"https://openalex.org/W4388858806","doi":"https://doi.org/10.1145/3576915.3616676","title":"Uncovering and Exploiting Hidden APIs in Mobile Super Apps","display_name":"Uncovering and Exploiting Hidden APIs in Mobile Super Apps","publication_year":2023,"publication_date":"2023-11-15","ids":{"openalex":"https://openalex.org/W4388858806","doi":"https://doi.org/10.1145/3576915.3616676"},"language":"en","primary_location":{"id":"doi:10.1145/3576915.3616676","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3576915.3616676","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5103133996","display_name":"Chao Wang","orcid":"https://orcid.org/0000-0002-3310-4258"},"institutions":[{"id":"https://openalex.org/I52357470","display_name":"The Ohio State University","ror":"https://ror.org/00rs6vg23","country_code":"US","type":"education","lineage":["https://openalex.org/I52357470"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Chao Wang","raw_affiliation_strings":["The Ohio State University, Columbus, OH, USA"],"affiliations":[{"raw_affiliation_string":"The Ohio State University, Columbus, OH, USA","institution_ids":["https://openalex.org/I52357470"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100333755","display_name":"Yue Zhang","orcid":"https://orcid.org/0000-0002-7786-0231"},"institutions":[{"id":"https://openalex.org/I52357470","display_name":"The Ohio State University","ror":"https://ror.org/00rs6vg23","country_code":"US","type":"education","lineage":["https://openalex.org/I52357470"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Yue Zhang","raw_affiliation_strings":["The Ohio State University, Columbus, OH, USA"],"affiliations":[{"raw_affiliation_string":"The Ohio State University, Columbus, OH, USA","institution_ids":["https://openalex.org/I52357470"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5026864098","display_name":"Zhiqiang Lin","orcid":"https://orcid.org/0000-0001-6527-5994"},"institutions":[{"id":"https://openalex.org/I52357470","display_name":"The Ohio State University","ror":"https://ror.org/00rs6vg23","country_code":"US","type":"education","lineage":["https://openalex.org/I52357470"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Zhiqiang Lin","raw_affiliation_strings":["The Ohio State University, Columbus, OH, USA"],"affiliations":[{"raw_affiliation_string":"The Ohio State University, Columbus, OH, USA","institution_ids":["https://openalex.org/I52357470"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":3,"corresponding_author_ids":["https://openalex.org/A5103133996"],"corresponding_institution_ids":["https://openalex.org/I52357470"],"apc_list":null,"apc_paid":null,"fwci":2.2365,"has_fulltext":false,"cited_by_count":11,"citation_normalized_percentile":{"value":0.89153158,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":96,"max":98},"biblio":{"volume":null,"issue":null,"first_page":"2471","last_page":"2485"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9988999962806702,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9988999962806702,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11045","display_name":"Privacy, Security, and Data Protection","score":0.9894000291824341,"subfield":{"id":"https://openalex.org/subfields/3312","display_name":"Sociology and Political Science"},"field":{"id":"https://openalex.org/fields/33","display_name":"Social Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},{"id":"https://openalex.org/T11598","display_name":"Internet Traffic Analysis and Secure E-voting","score":0.9891999959945679,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/android","display_name":"Android (operating system)","score":0.7462188005447388},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7096160650253296},{"id":"https://openalex.org/keywords/upload","display_name":"Upload","score":0.6658906936645508},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.653796374797821},{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.6394462585449219},{"id":"https://openalex.org/keywords/world-wide-web","display_name":"World Wide Web","score":0.5335619449615479},{"id":"https://openalex.org/keywords/social-media","display_name":"Social media","score":0.4842762351036072},{"id":"https://openalex.org/keywords/application-programming-interface","display_name":"Application programming interface","score":0.4799478352069855},{"id":"https://openalex.org/keywords/threat-model","display_name":"Threat model","score":0.4234934151172638},{"id":"https://openalex.org/keywords/internet-privacy","display_name":"Internet privacy","score":0.4233258068561554},{"id":"https://openalex.org/keywords/botnet","display_name":"Botnet","score":0.42110005021095276},{"id":"https://openalex.org/keywords/the-internet","display_name":"The Internet","score":0.14534243941307068},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.11988711357116699}],"concepts":[{"id":"https://openalex.org/C557433098","wikidata":"https://www.wikidata.org/wiki/Q94","display_name":"Android (operating system)","level":2,"score":0.7462188005447388},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7096160650253296},{"id":"https://openalex.org/C71901391","wikidata":"https://www.wikidata.org/wiki/Q7126699","display_name":"Upload","level":2,"score":0.6658906936645508},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.653796374797821},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.6394462585449219},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.5335619449615479},{"id":"https://openalex.org/C518677369","wikidata":"https://www.wikidata.org/wiki/Q202833","display_name":"Social media","level":2,"score":0.4842762351036072},{"id":"https://openalex.org/C99613125","wikidata":"https://www.wikidata.org/wiki/Q165194","display_name":"Application programming interface","level":2,"score":0.4799478352069855},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.4234934151172638},{"id":"https://openalex.org/C108827166","wikidata":"https://www.wikidata.org/wiki/Q175975","display_name":"Internet privacy","level":1,"score":0.4233258068561554},{"id":"https://openalex.org/C22735295","wikidata":"https://www.wikidata.org/wiki/Q317671","display_name":"Botnet","level":3,"score":0.42110005021095276},{"id":"https://openalex.org/C110875604","wikidata":"https://www.wikidata.org/wiki/Q75","display_name":"The Internet","level":2,"score":0.14534243941307068},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.11988711357116699}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3576915.3616676","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3576915.3616676","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[{"score":0.6499999761581421,"display_name":"Peace, Justice and strong institutions","id":"https://metadata.un.org/sdg/16"}],"awards":[{"id":"https://openalex.org/G5891408935","display_name":null,"funder_award_id":"2330264","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"}],"funders":[{"id":"https://openalex.org/F4320306076","display_name":"National Science Foundation","ror":"https://ror.org/021nxhr62"}],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":21,"referenced_works":["https://openalex.org/W1499965119","https://openalex.org/W1987647365","https://openalex.org/W2140095007","https://openalex.org/W2150332791","https://openalex.org/W2165269684","https://openalex.org/W2509304370","https://openalex.org/W2609787968","https://openalex.org/W2764029594","https://openalex.org/W2912568927","https://openalex.org/W3007553983","https://openalex.org/W3096815718","https://openalex.org/W3097802856","https://openalex.org/W3107473573","https://openalex.org/W4308391531","https://openalex.org/W4380687292","https://openalex.org/W4384302769","https://openalex.org/W4384811674","https://openalex.org/W6641013258","https://openalex.org/W6765745485","https://openalex.org/W6797170146","https://openalex.org/W6803990085"],"related_works":["https://openalex.org/W2294483539","https://openalex.org/W2378449000","https://openalex.org/W3187581118","https://openalex.org/W2929621094","https://openalex.org/W1996006176","https://openalex.org/W4285325964","https://openalex.org/W2380730281","https://openalex.org/W2761623801","https://openalex.org/W2351528581","https://openalex.org/W1635909507"],"abstract_inverted_index":{"Mobile":[0],"applications,":[1],"particularly":[2],"those":[3],"from":[4],"social":[5],"media":[6,30],"platforms":[7],"such":[8,25],"as":[9,26],"WeChat":[10],"and":[11,29,34,71,79,106,119,152,154,218,222,242],"TikTok,":[12],"are":[13,69,92],"evolving":[14],"into":[15],"\"super":[16],"apps\"":[17],"that":[18,47,65,156,181],"offer":[19],"a":[20,99],"wide":[21],"range":[22],"of":[23,67,158,164,236],"services":[24],"instant":[27],"messaging":[28],"sharing,":[31],"e-commerce,":[32],"e-learning,":[33],"e-government.":[35],"These":[36,53],"super":[37,51,145],"apps":[38,146],"often":[39],"provide":[40],"APIs":[41,54,89,129,180],"for":[42,60],"developers":[43],"to":[44,76,114,124,142,170,192,213,231],"create":[45],"\"miniapps\"":[46],"run":[48],"within":[49],"the":[50,127,178,201,232,240],"app.":[52],"should":[55],"have":[56,97,139,175,183,190,227,238],"been":[57],"thoroughly":[58],"scrutinized":[59],"security.":[61],"Unfortunately,":[62],"we":[63,96,199],"find":[64],"many":[66,163],"them":[68,159],"undocumented":[70,117],"unsecured,":[72],"potentially":[73],"allowing":[74],"miniapps":[75],"bypass":[77],"restrictions":[78],"gain":[80],"higher":[81],"privileged":[82],"access.":[83],"To":[84],"systematically":[85],"identify":[86],"these":[87],"hidden":[88,116,161,179],"before":[90],"they":[91,189],"exploited":[93,168],"by":[94,133,186,195,205],"attackers,":[95],"developed":[98],"tool":[100],"APIScope":[101,141],"with":[102,245],"both":[103],"static":[104,110],"analysis":[105,111,121],"dynamic":[107,120],"analysis,":[108],"where":[109],"is":[112,122],"used":[113,123],"recognize":[115],"APIs,":[118,162],"confirm":[125],"whether":[126],"identified":[128],"can":[130,166],"be":[131,167],"invoked":[132],"an":[134],"unprivileged":[135],"3rd-party":[136],"miniapps.":[137],"We":[138,174,226],"applied":[140],"five":[143],"popular":[144],"(i.e.,":[147],"WeChat,":[148],"WeCom,":[149],"Baidu,":[150],"QQ,":[151],"Tiktok)":[153],"found":[155],"all":[157],"contain":[160],"which":[165],"due":[169],"missing":[171],"security":[172,184,203],"checks.":[173],"also":[176],"quantified":[177],"may":[182],"implications":[185],"verifying":[187],"if":[188],"access":[191,212],"resources":[193],"protected":[194],"Android":[196],"permissions.":[197],"Furthermore,":[198],"demonstrate":[200],"potential":[202],"hazards":[204],"presenting":[206],"various":[207],"attack":[208],"scenarios,":[209],"including":[210],"unauthorized":[211],"any":[214],"web":[215],"pages,":[216],"downloading":[217],"installing":[219],"malicious":[220],"software,":[221],"stealing":[223],"sensitive":[224],"information.":[225],"reported":[228],"our":[229],"findings":[230],"relevant":[233],"vendors,":[234],"some":[235],"whom":[237],"patched":[239],"vulnerabilities":[241],"rewarded":[243],"us":[244],"bug":[246],"bounties.":[247]},"counts_by_year":[{"year":2025,"cited_by_count":5},{"year":2024,"cited_by_count":3},{"year":2023,"cited_by_count":3}],"updated_date":"2025-11-06T03:46:38.306776","created_date":"2025-10-10T00:00:00"}