SaTS 2024

ACM Workshop on Secure and Trustworthy Superapps (SaTS)

Co-located with ACM CCS 2024 »

October 14th, 2024

Mobile super apps present an emerging paradigm in the realm of mobile computing. These applications, which offer a plethora of services often in the form of “miniapps”, have experienced an accelerated growth trajectory in recent years. Specifically, the miniapps, analogous to native apps, have enabled super apps to construct a comprehensive ecosystem around themselves, akin to Google Play and the Apple App Store. By doing so, they not only enhance the host's functionalities, but also bestow an elevated level of convenience upon mobile users.

Nevertheless, the surging popularity of these apps, such as WeChat, Alipay, TikTok, and Grab, has resulted in an immense volume of user data being generated, stored, and transmitted via these platforms. With their integration of diverse services within a single platform or application, these super apps pose significant security and privacy challenges. This burgeoning issue has caught the attention of not just users, but also researchers and regulatory authorities.

In light of these developments, the Workshop on Secure and Trustworthy Superapps (SaTS 2024), co-located with ACM CCS 2024, is a highly relevant and timely event. Super apps are rapidly becoming indispensable tools for communication, entertainment, and commerce, while simultaneously raising crucial security and privacy issues. By fostering discussion and collaboration among researchers and practitioners, this workshop aims to address these concerns and provide insights and solutions to the security community, industry, and society at large. The objective of SaTS 2024 is to turn the spotlight on these concerns and foster an environment of knowledge exchange and problem-solving.




Important Dates (hard deadline)


Paper Submission Deadline July 19th, 2024 (AoE, UTC-12)
Acceptance Notification August 21st, 2024
Camera-ready Deadline September 2nd, 2024 (AoE, UTC-12)
Workshop October 14th, 2024


Tentative SaTS 2024 Program


October 14 (Monday)



09:00 AM - 10:30 AM | Opening Remarks and Keynote 1
Speaker: Martin Alvarez-Espinar
Co-Chair of W3C MiniApps WG.
Slides

10:30 AM - 11:00 AM | Morning Coffee Break
11:00 AM - 12:00 PM | Paper Session 1: Emerging Security and Privacy Problems
Detect Counterfeit Mini-apps: A Case Study on WeChat
Xuanfa Deng (Beijing University of Posts and Telecommunications), Miao Zhang (Beijing University of Posts and Telecommunications), Xinqi Dong (Beijing University of Posts and Telecommunications), Xin Hu (CVC Certification & Testing Co., Ltd)

Privacy Policy Compliance in Miniapps: An Analytical Study
Yuyang Han (Beijing Electronic Science and Technology Institute), Zilong Xiao (Beijing Electronic Science and Technology Institute), Zhiqiang Wang (Beijing Electronic Science and Technology Institute), Jianyi Zhang (Beijing Electronic Science and Technology Institute)

12:00 PM - 01:30 PM | Lunch
01:30 PM - 02:30 PM | Keynote 2
Speaker: Trent Jaeger
Professor, Director of Center for Research and Education in Cyber Security and Privacy (CRESP) UC Riverside.

02:30 PM - 02:50 PM | Paper Session 2: When Bluetooth Meets Mini-apps
MiniBLE: Exploring Insecure BLE API Usages in Mini-Programs
Zidong Zhang (Simon Fraser University; Shandong University), Jianqi Du (Shandong University), Wenrui Diao (Shandong University), Jianliang Wu (Simon Fraser University)

02:50 PM - 03:30 PM | Afternoon Coffee Break
03:30 PM - 03:50 PM | Paper Session 3: Reemergence of Previously Fixed Security Issues
Resurfacing Vulnerabilities: An Empirical Study on the Reemergence of Previously Patched Security Issues in App-in-App
Yifan Zhang (Indiana University Bloomington), Yuhui Hong (Indiana University Bloomington), Luyi Xing (Indiana University Bloomington)

04:00 PM - 04:55 PM | Keynote
Speaker: Zhiqiang Lin
Distinguished Professor of Engineering in the Department of Computer Science and Engineering (CSE), and the Director of Institute for Cybersecurity and Digital Trust (ICDT) at The Ohio State University (OSU).

04:55 PM | Closing Remarks


Keynote


Title: W3C MiniApps: Evolution and Challenges in the Standardization

Keynote Speaker: Martin Alvarez-Espinar, Co-Chair of W3C MiniApps WG.

Abstract:
The remarkable success and increase in popularity of MiniApps, as a hybrid mechanism based on Web technologies and distributed in packages as native applications, have brought more and more services and products based on this light app paradigm into the market. In 2019, when this technology started booming in Asia but was still unknown in Western countries, the W3C community reflected on the need to define standards to maximize interoperability across MiniApp platforms, facilitating developers' coding and distributing their applications through different SuperApps and operating systems. Since 2021, the W3C MiniApps Working Group has designed specifications with the common elements of MiniApps, including packaging format, metadata, lifecycle events and identifiers. These specifications cover the requirements of the most popular MiniApp implementations. Still, the divergence with the Web architecture and the need for more consensus regarding security and privacy protection have delayed the process of standardization. In this talk, we will discuss the evolution of the MiniApp specifications created by the W3C community and the challenges to achieving full convergence to the Web and guaranteeing the secure distribution of applications.

Bio:
Martin Alvarez-Espinar is a Co-Chair of the W3C MiniApps WG and Head of Web Standards at the Europe Standardization and Industry Development Dept. He is also the Head of Web Standards at the Huawei European Research Institute.

Title: Deja Vu All Over Again: Access Control in Superapps

Keynote Speaker: Trent Jaeger, a professor in the Computer Science and Engineering Department at the University of California, Riverside.

Abstract:
With the advent of the mobile super app architecture, which enables the deployment of multiple mini apps within a single mobile application, a question is how to deploy the necessary controls over these mini apps to restrict their access to sensitive platform and user data while providing protection for effective execution of mini apps.

At one level, this is a problem that we have been trying to solve as long as there have been multiuser systems, and I will discuss the general problem and how it has been approached in a variety of contexts. On the other hand, mobile systems provide some unique challenges, so I will discuss why those challenges have emerged, how they impact access control systems, and relevant work on those challenges.

Finally, I will discuss the additional challenges that the super app architecture may place on their authorization systems that need to be addressed. The goal of this talk is to help researchers avoid “re-inventing the wheel,” where appropriate, to focus on key research challenges for access control in super apps.

Bio:
Trent Jaeger is a Professor in the Computer Science and Engineering Department at the University of California, Riverside. Trent's research interests include systems and software security, and he has published over 175 research papers and is the author of the textbook "Operating Systems Security," which teaches secure operating systems and their major security mechanisms. Trent has made significant security contributions to the Linux kernel, including to the Integrity Measurement Architecture, Linux Security Modules framework, and SELinux. In recent work, he developed Linux kernel support for Intel Processor Trace (Griffin, ASPLOS 2017), security namespaces for Linux container systems (USENIX 2018), and automated privilege separation of Linux device drivers (KSplit, OSDI 2022). He is an ACM Fellow.

Title: The Dark Side of Super Apps: Unmasking the Threats from Miniapp Malware

Keynote Speaker: Zhiqiang Lin, Distinguished Professor of Engineering in the Department of Computer Science and Engineering (CSE), and the Director of Institute for Cybersecurity and Digital Trust (ICDT) at The Ohio State University (OSU).

Abstract:
Since the launch of WeChat's miniapp ecosystem in 2017, the super app paradigm has rapidly gained traction among tech giants like Alipay, Baidu, TikTok, and Zalo. Today, this ecosystem has flourished into a vibrant digital marketplace. With its low development costs and effortless integration capabilities, this paradigm has experienced explosive growth; on WeChat alone, there are now over four million miniapps serving a staggering half a billion users, revolutionizing the way people access digital services.

However, this centralized model has become a prime target for malicious actors aiming to exploit the ecosystem with various malware to gain unauthorized access to personal data, achieve financial gain, or disseminate misinformation and hate speech. Despite super app platforms commonly adopting mandatory vetting mechanisms to thwart malware developers, both parties have been engaged in a continuous cat-and-mouse game, posing significant threats to the trust and security of the platform.

In this keynote, Dr. Lin will delve into the essential nature of miniapp malware, their taxonomy, impacts, and detection methods, drawing from over three years of collecting and identifying these threats. He will also discuss proactive strategies to combat malware, aiming to foster a more secure and trustworthy super app ecosystem.

Bio:
Dr. Zhiqiang Lin is a Distinguished Professor of Engineering and the Director of the Institute for Cybersecurity and Digital Trust (ICDT) at The Ohio State University. His research interests center around systems and software security. He has published over 150 papers, many of which have appeared in top cybersecurity venues. Dr. Lin is an IEEE Fellow, an ACM Distinguished Member, and a recipient of the Harrison Faculty Award for Excellence in Engineering Education, the NSF CAREER Award, the AFOSR Young Investigator Award, and the Outstanding Faculty Teaching Award. He received his Ph.D. in Computer Science from Purdue University.


Call for Papers

We invite researchers and practitioners to submit original research papers for the inaugural Workshop on Secure and Trustworthy Superapps (SaTS 2024), co-located with ACM CCS 2024. The aim of this workshop is to bring together experts from academia and industry to discuss and address the security and privacy challenges posed by the increasing use of mobile super apps. A mobile super app is a mobile app that hosts and supports other applications (i.e., miniapps), enabling their execution by using the platform's resources (also see the W3C MiniApp Standardization White Paper, https://www.w3.org/TR/mini-app-white-paper/). Despite their huge usability gain for users, unique security and privacy challenges are arising. For example, it is challenging for superapps to soundly manage miniapps' access to system resources and to the superapp's own resources, and prior protection mechanisms from the domains of operating systems, browsers, and virtualization cannot be directly reused to govern security here. Privacy concerns and questions also arise in keeping up with citizen expectations, including but not limited to data sharing transparency in the context of mobile superapps.

Topics of interest in this workshop include, but are not limited to, the following categories:

In addition, topics of interest include, but are not limited to, other emerging paradigms in mobile and ubiquitous computing.

The PC will select a best paper award for work that distinguishes itself in advancing the security and privacy of mobile superapps/miniapps and emerging computing paradigms through novel insights, attacks or defenses.


Submission Instructions

Submitted papers must be in English, unpublished, and must not be currently under review for any other publication. Submissions must be a PDF file in double-column ACM format (see the ACM Proceedings Template, using the sigconf style). We accept (1) regular papers with up to 8 pages, and (2) short papers or work-in-progress papers with up to 4 pages. The page limit does not include the bibliography and well-marked appendices, which can be up to 2 pages long. Note that reviewers are not required to read the appendices or any supplementary material. Authors should not change the font or the margins of the ACM format. The review process is double-blind. All papers must be in Adobe Portable Document Format (PDF) and submitted through the web submission form via HotCRP (submission link below).


Submission Website »


Organization


Steering Committee

Adam Doupe (Arizona State University, USA)

Zhiqiang Lin (The Ohio State University, USA)

Nick Nikiforakis (Stony Brook University)

Ben Stock (CISPA)

Luyi Xing (Indiana University Bloomington, USA)


Program Committee Chairs

Zhiqiang Lin (The Ohio State University, USA)

Luyi Xing (Indiana University Bloomington, USA)


Publicity Chair

Yue Xiao (IBM Research)


Program Committee

Adwait Nadkarni (William & Mary, USA)

Aurore Fass (CISPA)

Daniel Luo (The Hong Kong Polytechnic University, China)

Ding Li (Peking University, China)

Haoyu Wang (Huazhong University of Science and Technology (HUST), China)

Jianyi Zhang (Beijing Electronic Science and Technology Institute, China)

Omar Alrawi (Georgia Institute of Technology, USA)

Soteris Demetriou (Imperial College London, England)

Wei You (Renmin University of China, China)

Yanjie Zhao (Monash University, Australia)

Yuan Zhang (Fudan University, China)

Yue Xiao (IBM Research)

Yue Zhang (Drexel University, USA)

Yuhong Nan (Sun Yat-sen University, China)

Kaushal Kafle (University of South Florida, USA)