{"id":"https://openalex.org/W4411522853","doi":"https://doi.org/10.1145/3728962","title":"Uncovering API-Scope Misalignment in the App-in-App Ecosystem","display_name":"Uncovering API-Scope Misalignment in the App-in-App Ecosystem","publication_year":2025,"publication_date":"2025-06-22","ids":{"openalex":"https://openalex.org/W4411522853","doi":"https://doi.org/10.1145/3728962"},"language":"en","primary_location":{"id":"doi:10.1145/3728962","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3728962","pdf_url":null,"source":{"id":"https://openalex.org/S4404663975","display_name":"Proceedings of the ACM on software engineering.","issn_l":"2994-970X","issn":["2994-970X"],"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the ACM on Software Engineering","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"hybrid","oa_url":"https://doi.org/10.1145/3728962","any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5118519855","display_name":"Jiarui Che","orcid":null},"institutions":[{"id":"https://openalex.org/I205237279","display_name":"Nankai University","ror":"https://ror.org/01y1kjr75","country_code":"CN","type":"education","lineage":["https://openalex.org/I205237279"]}],"countries":["CN"],"is_corresponding":true,"raw_author_name":"Jiarui Che","raw_affiliation_strings":["College of Computer Science, Nankai University, Tianjin, China"],"affiliations":[{"raw_affiliation_string":"College of Computer Science, Nankai University, Tianjin, China","institution_ids":["https://openalex.org/I205237279"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5049695954","display_name":"Chenkai Guo","orcid":"https://orcid.org/0000-0003-1510-6548"},"institutions":[{"id":"https://openalex.org/I205237279","display_name":"Nankai University","ror":"https://ror.org/01y1kjr75","country_code":"CN","type":"education","lineage":["https://openalex.org/I205237279"]},{"id":"https://openalex.org/I4210164952","display_name":"Tianjin haihe hospital","ror":"https://ror.org/05m762q77","country_code":"CN","type":"healthcare","lineage":["https://openalex.org/I4210164952"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Chenkai Guo","raw_affiliation_strings":["College of Cryptology and Cyber Science, Nankai University, Tianjin, China","Haihe Lab of ITAI, Tianjin, China"],"affiliations":[{"raw_affiliation_string":"College of Cryptology and Cyber Science, Nankai University, Tianjin, China","institution_ids":["https://openalex.org/I205237279"]},{"raw_affiliation_string":"Haihe Lab of ITAI, Tianjin, China","institution_ids":["https://openalex.org/I4210164952"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5042509488","display_name":"Naipeng Dong","orcid":"https://orcid.org/0000-0002-8248-3362"},"institutions":[{"id":"https://openalex.org/I165143802","display_name":"The University of Queensland","ror":"https://ror.org/00rqy9422","country_code":"AU","type":"education","lineage":["https://openalex.org/I165143802"]}],"countries":["AU"],"is_corresponding":false,"raw_author_name":"Naipeng Dong","raw_affiliation_strings":["School of Electrical Engineering and Computer Science, University of Queensland, Brisbane, Australia"],"affiliations":[{"raw_affiliation_string":"School of Electrical Engineering and Computer Science, University of Queensland, Brisbane, Australia","institution_ids":["https://openalex.org/I165143802"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5108910679","display_name":"Jiaxin Pei","orcid":null},"institutions":[{"id":"https://openalex.org/I205237279","display_name":"Nankai University","ror":"https://ror.org/01y1kjr75","country_code":"CN","type":"education","lineage":["https://openalex.org/I205237279"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Jiaqi Pei","raw_affiliation_strings":["College of Cryptology and Cyber Science, Nankai University, Tianjin, China"],"affiliations":[{"raw_affiliation_string":"College of Cryptology and Cyber Science, Nankai University, Tianjin, China","institution_ids":["https://openalex.org/I205237279"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5102012317","display_name":"Lingling Fan","orcid":"https://orcid.org/0000-0002-2428-9297"},"institutions":[{"id":"https://openalex.org/I205237279","display_name":"Nankai University","ror":"https://ror.org/01y1kjr75","country_code":"CN","type":"education","lineage":["https://openalex.org/I205237279"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Lingling Fan","raw_affiliation_strings":["College of Cryptology and Cyber Science, Nankai University, Tianjin, China"],"affiliations":[{"raw_affiliation_string":"College of Cryptology and Cyber Science, Nankai University, Tianjin, China","institution_ids":["https://openalex.org/I205237279"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5063361900","display_name":"Xichao Mi","orcid":null},"institutions":[{"id":"https://openalex.org/I205237279","display_name":"Nankai University","ror":"https://ror.org/01y1kjr75","country_code":"CN","type":"education","lineage":["https://openalex.org/I205237279"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Xun Mi","raw_affiliation_strings":["College of Cryptology and Cyber Science, Nankai University, Tianjin, China"],"affiliations":[{"raw_affiliation_string":"College of Cryptology and Cyber Science, Nankai University, Tianjin, China","institution_ids":["https://openalex.org/I205237279"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5064899369","display_name":"Xueshuo Xie","orcid":"https://orcid.org/0000-0002-8245-8415"},"institutions":[{"id":"https://openalex.org/I4210164952","display_name":"Tianjin haihe hospital","ror":"https://ror.org/05m762q77","country_code":"CN","type":"healthcare","lineage":["https://openalex.org/I4210164952"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Xueshuo Xie","raw_affiliation_strings":["Haihe Lab of ITAI, Tianjin, China"],"affiliations":[{"raw_affiliation_string":"Haihe Lab of ITAI, Tianjin, China","institution_ids":["https://openalex.org/I4210164952"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5090509213","display_name":"Xiangyang Luo","orcid":"https://orcid.org/0000-0003-3225-4649"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Xiangyang Luo","raw_affiliation_strings":["State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou, China"],"affiliations":[{"raw_affiliation_string":"State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou, China","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5060212061","display_name":"Zheli Liu","orcid":"https://orcid.org/0000-0002-2984-2661"},"institutions":[{"id":"https://openalex.org/I205237279","display_name":"Nankai University","ror":"https://ror.org/01y1kjr75","country_code":"CN","type":"education","lineage":["https://openalex.org/I205237279"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Zheli Liu","raw_affiliation_strings":["DISSec, College of Cryptology and Cyber Science, Nankai University, Tianjin, China"],"affiliations":[{"raw_affiliation_string":"DISSec, College of Cryptology and Cyber Science, Nankai University, Tianjin, China","institution_ids":["https://openalex.org/I205237279"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5059899281","display_name":"Renhong Cheng","orcid":null},"institutions":[{"id":"https://openalex.org/I205237279","display_name":"Nankai University","ror":"https://ror.org/01y1kjr75","country_code":"CN","type":"education","lineage":["https://openalex.org/I205237279"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Renhong Cheng","raw_affiliation_strings":["College of Computer Science, Nankai University, Tianjin, China"],"affiliations":[{"raw_affiliation_string":"College of Computer Science, Nankai University, Tianjin, China","institution_ids":["https://openalex.org/I205237279"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":10,"corresponding_author_ids":["https://openalex.org/A5118519855"],"corresponding_institution_ids":["https://openalex.org/I205237279"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.16306302,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":"2","issue":"ISSTA","first_page":"1933","last_page":"1954"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10743","display_name":"Software Testing and Debugging Techniques","score":0.9970999956130981,"subfield":{"id":"https://openalex.org/subfields/1712","display_name":"Software"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9944999814033508,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/permission","display_name":"Permission","score":0.8064496517181396},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7984085083007812},{"id":"https://openalex.org/keywords/scope","display_name":"Scope (computer science)","score":0.645784854888916},{"id":"https://openalex.org/keywords/world-wide-web","display_name":"World Wide Web","score":0.5733252167701721},{"id":"https://openalex.org/keywords/android","display_name":"Android (operating system)","score":0.5415262579917908},{"id":"https://openalex.org/keywords/application-programming-interface","display_name":"Application programming interface","score":0.49925661087036133},{"id":"https://openalex.org/keywords/java","display_name":"Java","score":0.4972882568836212},{"id":"https://openalex.org/keywords/software-engineering","display_name":"Software engineering","score":0.33908456563949585},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.32909244298934937},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.25897789001464844},{"id":"https://openalex.org/keywords/programming-language","display_name":"Programming language","score":0.14480802416801453}],"concepts":[{"id":"https://openalex.org/C2779089604","wikidata":"https://www.wikidata.org/wiki/Q7169333","display_name":"Permission","level":2,"score":0.8064496517181396},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7984085083007812},{"id":"https://openalex.org/C2778012447","wikidata":"https://www.wikidata.org/wiki/Q1034415","display_name":"Scope (computer science)","level":2,"score":0.645784854888916},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.5733252167701721},{"id":"https://openalex.org/C557433098","wikidata":"https://www.wikidata.org/wiki/Q94","display_name":"Android (operating system)","level":2,"score":0.5415262579917908},{"id":"https://openalex.org/C99613125","wikidata":"https://www.wikidata.org/wiki/Q165194","display_name":"Application programming interface","level":2,"score":0.49925661087036133},{"id":"https://openalex.org/C548217200","wikidata":"https://www.wikidata.org/wiki/Q251","display_name":"Java","level":2,"score":0.4972882568836212},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.33908456563949585},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.32909244298934937},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.25897789001464844},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.14480802416801453},{"id":"https://openalex.org/C17744445","wikidata":"https://www.wikidata.org/wiki/Q36442","display_name":"Political science","level":0,"score":0.0},{"id":"https://openalex.org/C199539241","wikidata":"https://www.wikidata.org/wiki/Q7748","display_name":"Law","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3728962","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3728962","pdf_url":null,"source":{"id":"https://openalex.org/S4404663975","display_name":"Proceedings of the ACM on software engineering.","issn_l":"2994-970X","issn":["2994-970X"],"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the ACM on Software Engineering","raw_type":"journal-article"}],"best_oa_location":{"id":"doi:10.1145/3728962","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3728962","pdf_url":null,"source":{"id":"https://openalex.org/S4404663975","display_name":"Proceedings of the ACM on software engineering.","issn_l":"2994-970X","issn":["2994-970X"],"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the ACM on Software Engineering","raw_type":"journal-article"},"sustainable_development_goals":[{"id":"https://metadata.un.org/sdg/15","display_name":"Life in Land","score":0.4000000059604645}],"awards":[{"id":"https://openalex.org/G4169049969","display_name":null,"funder_award_id":"2022YFB3102900","funder_id":"https://openalex.org/F4320335777","funder_display_name":"National Key Research and Development Program of China"},{"id":"https://openalex.org/G754955252","display_name":null,"funder_award_id":"62002177, 62032012, 62172435","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"}],"funders":[{"id":"https://openalex.org/F4320321001","display_name":"National Natural Science Foundation of China","ror":"https://ror.org/01h0zpd94"},{"id":"https://openalex.org/F4320335777","display_name":"National Key Research and Development Program of China","ror":null}],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":38,"referenced_works":["https://openalex.org/W124941384","https://openalex.org/W2077202047","https://openalex.org/W2154221125","https://openalex.org/W2612281133","https://openalex.org/W2798069878","https://openalex.org/W2808506568","https://openalex.org/W2831080282","https://openalex.org/W2889233250","https://openalex.org/W2891458271","https://openalex.org/W2913553137","https://openalex.org/W2914747005","https://openalex.org/W3097802856","https://openalex.org/W3100026183","https://openalex.org/W3150583396","https://openalex.org/W3174321501","https://openalex.org/W4213153339","https://openalex.org/W4237358558","https://openalex.org/W4244174514","https://openalex.org/W4245611682","https://openalex.org/W4249694857","https://openalex.org/W4254733025","https://openalex.org/W4256084472","https://openalex.org/W4281666641","https://openalex.org/W4281895829","https://openalex.org/W4288099540","https://openalex.org/W4301057909","https://openalex.org/W4308641864","https://openalex.org/W4308643994","https://openalex.org/W4320854935","https://openalex.org/W4381082394","https://openalex.org/W4384155543","https://openalex.org/W4384302769","https://openalex.org/W4388483160","https://openalex.org/W4390721875","https://openalex.org/W4391021716","https://openalex.org/W6673660739","https://openalex.org/W6796699879","https://openalex.org/W6854042519"],"related_works":["https://openalex.org/W2316685381","https://openalex.org/W2056388267","https://openalex.org/W2249350383","https://openalex.org/W2072937473","https://openalex.org/W4210309948","https://openalex.org/W4388923452","https://openalex.org/W3211901564","https://openalex.org/W2786416059","https://openalex.org/W2070518775","https://openalex.org/W609672658"],"abstract_inverted_index":{"The":[0,161],"\"app-in-app\"":[1],"paradigm":[2],"is":[3,66,151],"an":[4,115],"emerging":[5],"trend":[6],"in":[7,101,125,191,215],"mobile":[8],"systems,":[9],"where":[10],"super":[11],"applications":[12],"(short":[13,27],"for":[14,28,68],"superApps)":[15],"such":[16],"as":[17,84,158],"WeChat,":[18],"Baidu,":[19],"TikTok,":[20],"enable":[21],"external":[22],"vendors":[23],"to":[24,49,54,60,83,120,153,170,181],"develop":[25],"mini-programs":[26],"miniApps)":[29],"on":[30,96],"their":[31,43,171],"platforms":[32],"by":[33,136,193,282,286],"providing":[34],"privileged":[35],"APIs.":[36],"To":[37,254],"facilitate":[38],"management,":[39],"superApps":[40,76,127,217],"have":[41],"devised":[42],"specific":[44,55],"permission":[45,73,140],"configuration":[46],"(called":[47],"scope)":[48],"grant":[50],"the":[51,72,92,97,102,122,132,138,143,165,177,188,195,207,222,236,283],"APIs":[52,169,197,214,270],"access":[53],"capabilities":[56],"and":[57,108,128,239,251,261],"resources.":[58],"Adhering":[59],"these":[61],"scopes":[62],"during":[63],"API":[64,156],"implementation":[65],"crucial":[67],"maintaining":[69],"security;":[70],"otherwise,":[71],"management":[74],"of":[75,145,168,206,278],"can":[77],"be":[78],"bypassed\u2014a":[79],"vulnerability":[80,243],"we":[81,90,113,230,274],"refer":[82],"API-scope":[85,98,123,134,179,265,284],"misalignment.":[86,183],"In":[87],"this":[88],"work,":[89],"conduct":[91],"first":[93],"systematic":[94],"study":[95],"misalignment":[99,124,190,285],"issues":[100],"app-in-app":[103],"ecosystems,":[104],"uncovering":[105],"root":[106],"causes":[107],"security":[109,279],"risks.":[110],"More":[111],"importantly,":[112],"developed":[114],"automatic":[116],"tool":[117],"called":[118],"ScopeChecker":[119,130,186,210,257],"detect":[121],"both":[126],"miniApps.":[129],"extracts":[131],"standard":[133,178],"mappings":[135,167,180],"integrating":[137],"Android":[139],"mechanism":[141],"into":[142],"functionalities":[144],"superApps.":[146],"Then,":[147],"LLM-based":[148],"code":[149],"generation":[150],"used":[152],"create":[154],"executable":[155],"snippets":[157],"test":[159,225],"cases.":[160,290],"execution":[162],"results":[163],"reflect":[164],"actual":[166],"scopes,":[172],"which":[173],"are":[174],"compared":[175],"with":[176,198,218,245],"identify":[182],"After":[184],"that,":[185],"verifies":[187],"identified":[189,211],"miniApps":[192],"matching":[194],"misaligned":[196,213,269],"a":[199,228],"tailored":[200],"method-oriented":[201],"abstract":[202],"syntax":[203],"tree":[204],"(MAST)":[205],"target":[208],"miniApp.":[209],"38":[212],"top":[216],"manual":[219],"confirmation,":[220],"outperforming":[221],"state-of-the-art":[223],"miniApp-focused":[224],"methods.":[226],"As":[227],"highlight,":[229],"received":[231],"11":[232],"positive":[233],"responses":[234],"from":[235],"superApp":[237],"developers":[238],"CNVD,":[240],"encompassing":[241],"9":[242],"confirmations":[244],"rewards:":[246],"1":[247,252],"high-risk,":[248],"7":[249],"medium-risk,":[250],"low-risk.":[253],"assess":[255],"prevalence,":[256],"evaluated":[258],"42\ud835\udc58+":[259],"miniApps,":[260],"found":[262],"51%":[263],"had":[264],"misalignment,":[266],"averaging":[267],"1.4":[268],"each.":[271],"At":[272],"last,":[273],"illustrated":[275],"4":[276],"types":[277],"threats":[280],"raised":[281],"analyzing":[287],"real-world":[288],"exploitation":[289]},"counts_by_year":[],"updated_date":"2026-04-09T08:11:56.329763","created_date":"2025-10-10T00:00:00"}