Collaborative Research: EAGER: Towards Safeguarding the Emerging Miniapp Paradigm in Mobile Super Apps

合作研究：EAGER：捍卫移动超级应用中新兴的小应用范式

• 批准号: 2330265
• 负责人: Luyi Xing
• 金额: $ 15万
• 依托单位: Indiana University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2023
• 资助国家: 美国
• 起止时间: 2023-07-01 至 2025-06-30
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2330265&HistoricalAwards=false
• 关键词: Collaborative; Research; EAGER; Towards; Safeguarding

The rapidly evolving miniapp paradigm within mobile computing is revolutionizing user engagement with mobile applications. Super apps, functioning as hosts with multiple services, facilitate the installation and operation of miniapps within their platforms, thereby cultivating an ecosystem akin to that of Google Play and Apple App Store. This approach, already adopted by leading social apps like WeChat, TikTok, and SnapChat, greatly enhances user convenience and interactivity. However, alongside these advancements, the miniapp paradigm ushers in distinct security and privacy challenges demanding urgent resolution. As the prevalence of miniapps continues to escalate, the establishment of proper safeguards struggles to keep pace. Existing security policies for managing system resources across modern mobile operating systems (OSs) often exhibit opacity and dispersion, impeding effective isolation of miniapps and concealing complexities inherent to diverse mobile OSs. Additionally, super apps, with their capacity to amass substantial user data from numerous miniapps, frequently avoid recognizing themselves as data controllers. This lack of transparency in data practices generates potential privacy threats and regulatory issues. This proposal aims to take the first step towards systematic understanding and safeguarding of the security and privacy of the emerging miniapp paradigm in mobile super apps. We recognize the pressing concerns related to this paradigm and aim to investigate new security and privacy threats, such as cross-platform support, the design and implementation of miniapp APIs, and the management of sensitive data with respect to access control and security and privacy policies. Our research will also explore innovative techniques for risk assessment and vulnerability detection within the miniapp ecosystem. Moreover, we propose to employ formal methods to rigorously reason about these policies and standardize the design and implementation of the APIs, enabling a more secure and privacy-compliant miniapp ecosystem. Our research is expected to pave the way for the development of practical solutions that can be rapidly adopted by super apps and miniapp developers to tackle the urgent security and privacy challenges in this field.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

移动的计算中快速发展的迷你应用范例正在彻底改变用户对移动的应用的参与。超级应用程序作为具有多种服务的主机，便于在其平台内安装和操作迷你应用程序，从而培养类似于Google Play和Apple App Store的生态系统。这种方法已经被微信、TikTok和SnapChat等领先的社交应用所采用，极大地提高了用户的便利性和互动性。然而，除了这些进步之外，迷你应用程序范式还带来了独特的安全和隐私挑战，需要紧急解决。随着迷你应用程序的流行程度不断升级，建立适当的保障措施很难跟上步伐。用于跨现代移动的操作系统（OS）管理系统资源的现有安全策略通常表现出不透明性和分散性，从而妨碍迷你应用的有效隔离并隐藏不同移动的OS固有的复杂性。此外，超级应用程序能够从众多迷你应用程序中收集大量用户数据，因此经常避免将自己视为数据控制者。数据实践缺乏透明度会产生潜在的隐私威胁和监管问题。该提案旨在迈出第一步，系统地理解和保护移动的超级应用程序中新兴迷你应用程序范式的安全和隐私。我们认识到与这种模式相关的紧迫问题，并旨在调查新的安全和隐私威胁，例如跨平台支持，miniapp API的设计和实现，以及访问控制和安全与隐私政策方面的敏感数据管理。我们的研究还将探索迷你应用生态系统中风险评估和漏洞检测的创新技术。此外，我们建议采用正式的方法来严格推理这些策略，并标准化API的设计和实现，从而实现更安全、更隐私的迷你应用生态系统。我们的研究有望为开发实用的解决方案铺平道路，这些解决方案可以被超级应用和迷你应用开发人员迅速采用，以应对该领域紧迫的安全和隐私挑战。该奖项反映了NSF的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。