| Main Authors: | Cai, Yifeng; Zhang, Ziqi; Yao, Mengyu; Liu, Junlin; Zhao, Xiaoke; Fu, Xinyi; Li, Ruoyu; Li, Zhe; Chen, Xiangqun; Guo, Yao; Li, Ding |
|---|---|
| Format: | Preprint |
| Published: | 2025 |
| Subjects: | Cryptography and Security |
| Online Access: | https://arxiv.org/abs/2503.10239 |
| _version_ | 1866916651784470528 |
|---|---|
| author | Cai, Yifeng; Zhang, Ziqi; Yao, Mengyu; Liu, Junlin; Zhao, Xiaoke; Fu, Xinyi; Li, Ruoyu; Li, Zhe; Chen, Xiangqun; Guo, Yao; Li, Ding |
| author_facet | Cai, Yifeng; Zhang, Ziqi; Yao, Mengyu; Liu, Junlin; Zhao, Xiaoke; Fu, Xinyi; Li, Ruoyu; Li, Zhe; Chen, Xiangqun; Guo, Yao; Li, Ding |
| contents | Super-apps have emerged as comprehensive platforms integrating various mini-apps to provide diverse services. While super-apps offer convenience and enriched functionality, they can introduce new privacy risks. This paper reveals a new privacy leakage source in super-apps: mini-app interaction history, including mini-app usage history (Mini-H) and operation history (Op-H). Mini-H refers to the history of mini-apps accessed by users, such as their frequency and categories. Op-H captures user interactions within mini-apps, including button clicks, bar drags, and image views. Super-apps can naturally collect these data without instrumentation due to the web-based feature of mini-apps. We identify these data types as novel and unexplored privacy risks through a literature review of 30 papers and an empirical analysis of 31 super-apps. We design a mini-app interaction history-oriented inference attack (THEFT), to exploit this new vulnerability. Using THEFT, the insider threats within the low-privilege business department of the super-app vendor acting as the adversary can achieve more than 95.5% accuracy in inferring privacy attributes of over 16.1% of users. THEFT only requires a small training dataset of 200 users from public breached databases on the Internet. We also engage with super-app vendors and a standards association to increase industry awareness and commitment to protect this data. Our contributions are significant in identifying overlooked privacy risks, demonstrating the effectiveness of a new attack, and influencing industry practices toward better privacy protection in the super-app ecosystem. |
| format | Preprint |
| id | arxiv_https___arxiv_org_abs_2503_10239 |
| institution | arXiv |
| publishDate | 2025 |
| record_format | arxiv |
| title | I Can Tell Your Secrets: Inferring Privacy Attributes from Mini-app Interaction History in Super-apps |
| topic | Cryptography and Security |
| url | https://arxiv.org/abs/2503.10239 |