SaTS 2023

ACM Workshop on Secure and Trustworthy Superapps (SaTS)

Co-located with ACM CCS 2023

November 26th, 2023

Mobile super apps present an emerging paradigm in the realm of mobile computing. These applications, which offer a plethora of services often in the form of “miniapps”, have experienced an accelerated growth trajectory in recent years. Specifically, the miniapps, analogous to native apps, have enabled super apps to construct a comprehensive ecosystem around themselves, akin to Google Play and the Apple App Store. By doing so, they not only enhance the host's functionalities, but also bestow an elevated level of convenience upon mobile users.

Nevertheless, the surging popularity of these apps, such as WeChat, Alipay, TikTok, and Grab, has resulted in an immense volume of user data being generated, stored, and transmitted via these platforms. With their integration of diverse services within a single platform or application, these super apps pose significant security and privacy challenges. This burgeoning issue has caught the attention of not just users, but also researchers and regulatory authorities.

In light of these developments, the Workshop on Secure and Trustworthy Superapps (SaTS 2023), co-located with ACM CCS 2023, is a highly relevant and timely event. Super apps are rapidly becoming indispensable tools for communication, entertainment, and commerce, while simultaneously raising crucial security and privacy issues. By fostering discussion and collaboration among researchers and practitioners, this workshop aims to address these concerns and provide insights and solutions to the security community, industry, and society at large. The objective of SaTS 2023 is to turn the spotlight on these concerns and foster an environment of knowledge exchange and problem-solving.




Important Dates (hard deadline)


Paper Submission Deadline August 10th, 2023 (AoE, UTC-12)
Acceptance Notification September 10th, 2023
Camera-ready Deadline September 20th, 2023 (AoE, UTC-12)
Workshop November 26th, 2023


Tentative SaTS 2023 Program


November 26 (Sunday)



09:00 AM - 09:30 AM | Opening remarks and award
09:30 AM - 10:30 AM | Keynote: Today’s Super-Apps: Security Challenges and Corresponding Paradigms
10:30 AM - 11:00 AM | Coffee break
11:00 AM - 12:00 PM | Session 1: Miniapp Ecosystem and Security Analysis
Systematic Analysis of Security and Vulnerabilities in Miniapps
Yuyang Han, Xu Ji, Zhiqiang Wang and Jianyi Zhang, Beijing Electronic Science and Technology Institute

JSLibD: Reliable and Heuristic Detection of Third-party Libraries
Junjie Tao, Jifei Shi, Ming Fan, Yin Wang, Junfeng Liu and Ting Liu, Xi'an Jiaotong University

MUID: Detecting Sensitive User Inputs in Miniapp Ecosystems
Ziqiang Yan, Ming Fan, Yin Wang, Jifei Shi, Haoran Wang and Ting Liu, Xi'an Jiaotong University
12:00 PM - 01:30 PM | Lunch
01:30 PM - 02:30 PM | Session 2: Security Measures in Miniapp Ecosystem
Towards a Better Super-App Architecture from a Browser Security Perspective
Yue Wang, Yao Yao, Shangcheng Shi, Weiting Chen and Lin Huang, Ant Group

On the Usage-scenario-based Data Minimization in Mini Programs
Shenao Wang, Huazhong University of Science and Technology; Yanjie Zhao, Monash University; Kailong Wang and Haoyu Wang, Huazhong University of Science and Technology

Understanding Dark UI Patterns in the Mobile Ecosystem: A Case Study of Apps in China
Mengyi Long, Yue Xu, Jiangrong Wu, Qihua Ou and Yuhong Nan, Sun Yat-sen University
02:30 PM - 03:00 PM | Coffee break
03:00 PM - 04:20 PM | Session 3: Advanced Vulnerabilities and Challenges in Miniapp Ecosystem
MiniTaintDev: Unveiling Mini-App Vulnerabilities through Dynamic Taint Analysis
Jianjia Yu, Zifeng Kang and Yinzhi Cao, Johns Hopkins University

Shared Account Problem in Super Apps
Yifeng Cai, Ziqi Zhang, Ding Li, Yao Guo and Xiangqun Chen, Key Lab of HCST (PKU), MOE SCS, Peking University

TrustedDomain Compromise Attack in App-in-app Ecosystems
Zhibo Zhang, Zhangyue Zhang, Keke Lian, Guangliang Yang, Lei Zhang, Yuan Zhang and Min Yang, Fudan University

Potential Risks Arising from the Absence of Signature Verification in Miniapp Plugins
Yanjie Zhao, Monash University; Yue Zhang, Drexel University; Haoyu Wang, Huazhong University of Science and Technology
04:20 PM - 05:00 PM | Panel discussion
05:00 PM | Closing remarks


Keynote


Keynote Speaker: HUANG Lin, Ant Group


Abstract:
With the continuous development of the Super-App and mini-app ecosystem, the technical architecture, regulatory requirements, and security solutions of mini-apps are constantly changing. Mini-apps have now been deployed not only on cellphones, but also on electric cars such as Tesla, smart vending machines, and handheld POS terminals. Many games based on the Unity WebGL engine are also being supported by major Super-Apps. Completely different application scenarios, such as mobile phones and cars, and business types with different security requirements, such as pension bills and games, all need to run smoothly in Super-Apps. This situation poses a very big challenge to security technology.

This talk will introduce the latest technology development trends, regulatory compliance requirements for different business scenarios, supply-chain security risks faced by different terminals and operating systems, etc. We will also introduce the various security capabilities implemented by our mini-app RASP (Runtime Application Self-Protection) based on AOS (Aspect Oriented Security), including privacy permission control, threat detection, vulnerability recovery, etc. The security paradigms NbSP (Non-bypassable Security Paradigm) and OVTP (Operator-Voucher-Traceable Paradigm) are used to guide our security architecture design and security audit.

Bio:
Dr. HUANG Lin is a senior security expert in the Ant Group Technology Research Institute. She has rich experience in mobile app security, IoT security, and wireless security. She also focuses on formal verification and hardware side-channel security. She has nearly twenty years of technical research and practical experience in the cyber-security, telecommunications, electronics, and chipset areas. She is one of the main authors of the wireless security book "Inside Radio: An Attack and Defense Guide". She was a speaker at the BlackHat, DEFCON, and HITB security conferences. Before joining Ant Group, she served as the technical director of the Qihoo360 Security Research Institute and the head of the Unicorn Security Team.



Call for Papers

We invite researchers and practitioners to submit original research papers for the inaugural Workshop on Secure and Trustworthy Superapps (SaTS 2023), co-located with ACM CCS 2023. The aim of this workshop is to bring together experts from academia and industry to discuss and address the security and privacy challenges posed by the increasing use of mobile super apps. A mobile super app is a mobile app that hosts and supports other applications (i.e., miniapps), enabling their execution by using the platform's resources (see also the W3C MiniApp Standardization White Paper, https://www.w3.org/TR/mini-app-white-paper/). Despite their huge usability gain for users, unique security and privacy challenges are arising. For example, it is challenging for super apps to soundly manage the miniapps' access to system resources and to the super app's own resources, and prior protection mechanisms from the domains of operating systems, browsers, and virtualization cannot be applied directly to govern security here. Privacy concerns and questions also arise in keeping up with citizen expectations, including but not limited to data-sharing transparency in the context of mobile super apps.

Topics of interest in this workshop include, but are not limited to, the following categories:

In addition, topics of interest include, but are not limited to, other emerging paradigms in mobile and ubiquitous computing.

The PC will select a best paper award for work that distinguishes itself in advancing the security and privacy of mobile superapps/miniapps and emerging computing paradigms through novel insights, attacks or defenses.


Submission Instructions

Submitted papers must be in English, unpublished, and must not be currently under review for any other publication. Submissions must be a PDF file in double-column ACM format (see the ACM Proceedings Template, using the sigconf style). We accept (1) regular papers of up to 8 pages and (2) short papers or work-in-progress papers of up to 4 pages. The page limit does not include the bibliography and well-marked appendices, which can be up to 2 pages long. Note that reviewers are not required to read the appendices or any supplementary material. Authors should not change the font or the margins of the ACM format. The review process is double-blind. All papers must be in Adobe Portable Document Format (PDF) and submitted through the web submission form via HotCRP (submission link below).


Submission Website


Organization


Steering Committee

Adam Doupe (Arizona State University, USA)

Zhiqiang Lin (The Ohio State University, USA)

Nick Nikiforakis (Stony Brook University)

Ben Stock (CISPA)

Luyi Xing (Indiana University Bloomington, USA)


Program Committee Chairs

Xiaojing Liao (Indiana University Bloomington, USA)

Zhiqiang Lin (The Ohio State University, USA)


Program Committee

Adwait Nadkarni (William & Mary, USA)

Aurore Fass (CISPA)

Benjamin Andow (Google)

Daniel Luo (The Hong Kong Polytechnic University, China)

Juanru Li (Shanghai Jiao Tong University, China)

Lin Huang (Ant Group)

Luyi Xing (Indiana University Bloomington, USA)

Mihai Christodorescu (Google)

Nick Nikiforakis (Stony Brook University, USA)

Omar Alrawi (Georgia Institute of Technology, USA)

Ting Liu (Xi'an Jiaotong University, China)

Wei Meng (The Chinese University of Hong Kong, China)

Yinzhi Cao (Johns Hopkins University, USA)

Yuan Zhang (Fudan University, China)

Yue Zhang (The Ohio State University, USA)

Zubair Shafiq (University of California, Davis, USA)