Files and links (1)
Published, Version of Record (VoR)Open Access via Drexel Libraries Read and Publish Program 2024Open Access (License Unspecified), Restricted
Conference proceeding
RootFree Attacks: Exploiting Mobile Platform's Super Apps From Desktop
ASIA CCS '24: Proceedings of the 19th ACM Asia Conference on Computer and Communications Security, pp 830-842
Jul 2024
Featured in Collection : Research Supported by Drexel Libraries' OA Programs
Abstract
In recent years, there has been a surge in the popularity of mobile super apps, which consolidate a variety of services, including messaging, ride-hailing, and e-commerce, into a single application, eliminating the need to switch between different apps. Originally tailored for mobile usage, super apps like WeChat and WeCom have expanded their reach to desktop platforms, including Windows. However, different operating systems have different threat models (e.g., Windows can directly grant users with root privilege but Android and iOS do not). Therefore, the single super app (including both its host app and miniapps) can face completely different threats in different platforms. In this paper, we systematically study the attacks caused by the discrepancies from different platforms. Specifically, we show that there are at least two classes of attacks, dubbed RootFree attacks, against mobile super apps: layer below that attacks the super apps from privileged software, and layer up that attacks the super apps from the internal malicious miniapps. We have disclosed our attacks and the corresponding vulnerabilities to the host app vendor, and received bug bounties. These vulnerabilities all are ranked as high severity vulnerabilities, and some of them have already been patched.
Metrics
Details
- Title
- RootFree Attacks: Exploiting Mobile Platform's Super Apps From Desktop
- Creators
- Yue Zhang (Corresponding Author) - Drexel University, Computer ScienceChao Wang - The Ohio State UniversityZhiqiang Lin - The Ohio State University
- Publication Details
- ASIA CCS '24: Proceedings of the 19th ACM Asia Conference on Computer and Communications Security, pp 830-842
- Conference
- ASIA CCS '24: 19th ACM Asia Conference on Computer and Communications Security (Singapore, 01 Jul 2024–05 Jul 2024)
- Publisher
- Association for Computing Machinery
- Number of pages
- 13
- Grant note
- NSF: 2330264
We thank the anonymous reviewers for their invaluable feedback. This research was supported in part by NSF award 2330264. Any opinions, findings, and conclusions in this paper are those of the authors only and do not necessarily re.ect the views of NSF.
- Resource Type
- Conference proceeding
- Language
- English
- Academic Unit
- Computer Science
- Web of Science ID
- WOS:001283918100058
- Scopus ID
- 2-s2.0-85199303386
- Other Identifier
- 991021889315404721
InCites Highlights
Data related to this publication, from InCites Benchmarking & Analytics tool:
- Collaboration types
- Domestic collaboration
- Web of Science research areas
- Computer Science, Information Systems
- Computer Science, Interdisciplinary Applications
- Telecommunications