I Can Tell Your Secrets: Inferring Privacy Attributes from Mini-app Interaction History in Super-apps
Super-apps have emerged as comprehensive platforms integrating various mini-apps to provide diverse services. While super-apps offer convenience and enriched functionality, they can introduce new privacy risks. This paper reveals a new privacy leakage source in super-apps: mini-app interaction history, including mini-app usage history (Mini-H) and operation history (Op-H). Mini-H refers to the history of mini-apps accessed by users, such as their frequency and categories. Op-H captures user interactions within mini-apps, including button clicks, bar drags, and image views. Super-apps can naturally collect these data without instrumentation due to the web-based nature of mini-apps. We identify these data types as novel and unexplored privacy risks through a literature review of 30 papers and an empirical analysis of 31 super-apps. We design a mini-app interaction history-oriented inference attack (THEFT) to exploit this new vulnerability. Using THEFT, insider threats within the low-privilege business department of the super-app vendor, acting as the adversary, can achieve more than 95.5% accuracy in inferring privacy attributes of over 16.1% of users. THEFT only requires a small training dataset of 200 users from public breached databases on the Internet. We also engage with super-app vendors and a standards association to increase industry awareness and commitment to protect this data. Our contributions are significant in identifying overlooked privacy risks, demonstrating the effectiveness of a new attack, and influencing industry practices toward better privacy protection in the super-app ecosystem.
@article{cai2025_2503.10239,
  title={I Can Tell Your Secrets: Inferring Privacy Attributes from Mini-app Interaction History in Super-apps},
  author={Yifeng Cai and Ziqi Zhang and Mengyu Yao and Junlin Liu and Xiaoke Zhao and Xinyi Fu and Ruoyu Li and Zhe Li and Xiangqun Chen and Yao Guo and Ding Li},
  journal={arXiv preprint arXiv:2503.10239},
  year={2025}
}