Conference proceeding
Potential Risks Arising from the Absence of Signature Verification in Miniapp Plugins
Proceedings of the 2023 ACM Workshop on Secure and Trustworthy Superapps, pp 59-64
26 Nov 2023
Abstract
The advent of mobile super apps has given rise to the miniapp paradigm, a lightweight application model that operates within a JavaScript engine hosted by the primary app. Miniapps have now transformed the app ecosystem, offering easy access, install-less functionality, and a wide array of service offerings. However, the integration of plugins, which are functional components added to miniapps, has introduced potential security concerns. While the underlying framework strives to ensure data security between miniapps and their embedded plugins, vulnerabilities may arise if signature verification is neglected in the plugin's implementation. Although Tencent offers developers guidelines for signature integration, this verification isn't pre-packaged, potentially leading less experienced developers to skip it when incorporating plugins, risking security. Specifically, the lack of signature verification in miniapp plugins can create a potential threat, enabling attackers to manipulate transactions and undermine the integrity of the miniapp. This paper explores the communication mechanisms of miniapps, the function of plugins, and the vital role of signature verification in enhancing the security of transactions and data within this rapidly evolving ecosystem.
Metrics
3 citations in Scopus
Details
- Title
- Potential Risks Arising from the Absence of Signature Verification in Miniapp Plugins
- Creators
- Yanjie Zhao - Monash University; Yue Zhang - Drexel University; Haoyu Wang - Huazhong University of Science and Technology
- Publication Details
- Proceedings of the 2023 ACM Workshop on Secure and Trustworthy Superapps, pp 59-64
- Conference
- CCS '23: ACM SIGSAC Conference on Computer and Communications Security
- Series
- ACM Conferences
- Publisher
- ACM
- Resource Type
- Conference proceeding
- Language
- English
- Academic Unit
- Computer Science (Computing)
- Scopus ID
- 2-s2.0-85179547564
- Other Identifier
- 991021871456904721