Context
Mobile applications, particularly those from social media platforms such as WeChat and TikTok, are evolving into “super apps” that offer a wide range of services such as instant messaging and media sharing, e-commerce, e-learning, and e-government. These super apps often provide APIs for developers to create “miniapps” that run within the super app.
- These APIs should be thoroughly scrutinized for security. Unfortunately, many of them are undocumented and unsecured, potentially allowing miniapps to bypass the platform's restrictions and gain elevated privileges.
Contributions
- Super apps may expose hidden, undocumented APIs that miniapps can exploit
- We propose APIScope to systematically identify and classify the hidden APIs in super apps, and evaluate it on five super apps (WeChat, WeCom, Baidu, TikTok, QQ)
Background
Super apps (e.g., TikTok, WeChat), used by billions of users, host a large number of miniapps that let users access almost all daily services without leaving the super app.
- 1st-party miniapps: provided by the developers of the super app itself
- 3rd-party miniapps: created by third-party developers
Since both 1st-party and 3rd-party miniapps are built on top of the APIs provided by the super app platform, they share the same set of APIs.
These APIs have different privileges.
- E.g., privileged APIs such as `openUrl` are only available to 1st-party miniapps. `openUrl` can open arbitrary URLs, so 3rd-party miniapps cannot use it and must use the `wx.request` API instead. This ensures that the URLs are checked by the super app, preventing the loading of malicious content.
Approach
APIScope is a binary analysis tool that combines static and dynamic analysis to systematically scrutinize hidden APIs and their privileges in super apps.
- It takes a super app binary and its list of public APIs as input, and identifies hidden APIs using Static API Recognition: it derives invariants from the functions and interfaces of the known public APIs and looks for other functions in the binary that satisfy the same invariants
- Next, it dynamically executes the identified APIs to confirm that they are real APIs, and classifies each as checked or unchecked depending on whether it can only be invoked by 1st-party miniapps (checked) or is also reachable from 3rd-party miniapps (unchecked)
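To make the privilege model above concrete (a public API that is checked against an allowlist, a privileged API gated on the caller being 1st-party, and a hidden API with the same capability but no check) together with the checked/unchecked classification step, here is an added toy model in JavaScript. It is not code from the paper, from APIScope, or from WeChat: `openUrl` and `wx.request` are the names used in the notes, while the allowlist, the caller model (`appId`, `firstParty`), the hypothetical hidden `openUrlLegacy` and the probe routine are assumptions for illustration.

```javascript
// Toy model of a super app's JavaScript bridge (constructed example, not
// APIScope or WeChat code). "openUrl" and "wx.request" are the API names from
// the notes; the allowlist, the caller model and "openUrlLegacy" are assumed.

// Domains a 3rd-party miniapp may reach through the public wx.request API
// (assumed per-miniapp configuration).
const DOMAIN_ALLOWLIST = new Set(["api.example-shop.com"]);

function makeBridge() {
  // Audit log of the sensitive actions the host actually performed. The
  // classifier below keys on this, not on whether a call threw.
  const invoked = [];

  // Public, checked API: the URL's host must be on the miniapp's allowlist.
  function request(caller, url) {
    const host = new URL(url).hostname;
    if (!DOMAIN_ALLOWLIST.has(host)) {
      throw new Error(`wx.request: ${host} is not allowlisted for ${caller.appId}`);
    }
    invoked.push({ api: "wx.request", appId: caller.appId, url });
    return "ok";
  }

  // Privileged API with a caller check: only 1st-party miniapps may open an
  // arbitrary URL.
  function openUrl(caller, url) {
    if (!caller.firstParty) {
      throw new Error(`openUrl: denied for 3rd-party miniapp ${caller.appId}`);
    }
    invoked.push({ api: "openUrl", appId: caller.appId, url });
    return "ok";
  }

  // Hypothetical hidden API: same capability as openUrl, but the caller check
  // was never added. This is the failure mode the paper hunts for.
  function openUrlLegacy(caller, url) {
    invoked.push({ api: "openUrlLegacy", appId: caller.appId, url });
    return "ok";
  }

  return {
    publicApis: { "wx.request": request },
    hiddenApis: { openUrl, openUrlLegacy },
    invoked,
  };
}

// Dynamic classification step from the notes: invoke each hidden API as a
// 3rd-party miniapp and observe whether the host performed the sensitive
// action. If it did, the API is "unchecked"; if it refused, it is "checked".
function classifyHiddenApis(bridge, thirdPartyCaller, probeUrl) {
  const verdicts = {};
  for (const [name, fn] of Object.entries(bridge.hiddenApis)) {
    const before = bridge.invoked.length;
    try {
      fn(thirdPartyCaller, probeUrl);
    } catch (_) {
      // A refusal is the expected outcome for a checked API.
    }
    verdicts[name] = bridge.invoked.length > before ? "unchecked" : "checked";
  }
  return verdicts;
}

// Stand-alone demo: probe a fresh bridge as a 3rd-party miniapp.
function demo() {
  const bridge = makeBridge();
  const thirdParty = { appId: "wx3rdparty0001", firstParty: false }; // constructed
  return classifyHiddenApis(bridge, thirdParty, "https://attacker.example/payload");
}

console.log(demo()); // { openUrl: 'checked', openUrlLegacy: 'unchecked' }
```

The classifier deliberately decides on the observed side effect (the audit log) rather than on whether the call threw, which mirrors the paper's dynamic approach of watching what the host actually executes; an API that swallows errors but still acts would otherwise be misclassified as checked.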
Results
The evaluation focused on hidden APIs that lack security checks but can access sensitive Android OS resources, confirmed through dynamic analysis. Number of hidden unchecked APIs that invoke permission-protected Android APIs:
- WeChat: 39 (7.77%)
- WeCom: 40 (6.75%)
- Baidu: 8 (7.61%)
- TikTok: 32 (26.23%)
- QQ: 38 (12.88%)
Limits
- Only Android-based super apps are covered
- The approach is language-dependent (tied to the language the super app's API layer is implemented in)