Collaborative Research: EAGER: Towards Safeguarding the Emerging Miniapp Paradigm in Mobile Super Apps

合作研究：EAGER：捍卫移动超级应用中新兴的小应用范式

• 批准号: 2330265
• 负责人: Luyi Xing
• 金额: $ 15万
• 依托单位: Indiana University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2023
• 资助国家: 美国
• 起止时间: 2023-07-01 至 2025-06-30
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2330265&HistoricalAwards=false
• 关键词: Collaborative; Research; EAGER; Towards; Safeguarding

The rapidly evolving miniapp paradigm within mobile computing is revolutionizing user engagement with mobile applications. Super apps, functioning as hosts with multiple services, facilitate the installation and operation of miniapps within their platforms, thereby cultivating an ecosystem akin to that of Google Play and Apple App Store. This approach, already adopted by leading social apps like WeChat, TikTok, and SnapChat, greatly enhances user convenience and interactivity. However, alongside these advancements, the miniapp paradigm ushers in distinct security and privacy challenges demanding urgent resolution. As the prevalence of miniapps continues to escalate, the establishment of proper safeguards struggles to keep pace. Existing security policies for managing system resources across modern mobile operating systems (OSs) often exhibit opacity and dispersion, impeding effective isolation of miniapps and concealing complexities inherent to diverse mobile OSs. Additionally, super apps, with their capacity to amass substantial user data from numerous miniapps, frequently avoid recognizing themselves as data controllers. This lack of transparency in data practices generates potential privacy threats and regulatory issues. This proposal aims to take the first step towards systematic understanding and safeguarding of the security and privacy of the emerging miniapp paradigm in mobile super apps. We recognize the pressing concerns related to this paradigm and aim to investigate new security and privacy threats, such as cross-platform support, the design and implementation of miniapp APIs, and the management of sensitive data with respect to access control and security and privacy policies. Our research will also explore innovative techniques for risk assessment and vulnerability detection within the miniapp ecosystem. Moreover, we propose to employ formal methods to rigorously reason about these policies and standardize the design and implementation of the APIs, enabling a more secure and privacy-compliant miniapp ecosystem. Our research is expected to pave the way for the development of practical solutions that can be rapidly adopted by super apps and miniapp developers to tackle the urgent security and privacy challenges in this field.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

移动计算中快速发展的Miniapp范式正在彻底改变用户与移动应用程序的参与。超级应用程序作为带有多种服务的主机的运作，可促进Miniapps在其平台内的安装和操作，从而培养一个类似于Google Play和Apple App Store的生态系统。这种方法已经被带有微信，Tiktok和Snapchat等领先的社交应用所采用，极大地增强了用户的便利性和互动性。但是，除了这些进步之外，Miniapp范式在不同的安全和隐私方面挑战了需要紧急解决的问题。随着Miniapps的普遍性继续升级，建立适当的保障措施以保持步伐。现代移动操作系统（OSS）管理系统资源（OSS）的现有安全策略经常表现出不透明和分散，阻碍了Miniapps的有效隔离，并隐藏了多种移动OSS固有的复杂性。此外，超级应用程序具有从众多Miniapps积累大量用户数据的能力，经常避免将自己识别为数据控制器。数据实践缺乏透明度会产生潜在的隐私威胁和监管问题。该建议旨在迈出第一步，朝着系统的理解和维护移动超级应用程序中新兴Miniapp范式的安全性和隐私。我们认识到与此范式相关的紧迫问题，并旨在调查新的安全性和隐私威胁，例如跨平台支持，Miniapp API的设计和实施以及有关访问控制，安全和隐私政策的敏感数据的管理。我们的研究还将探索Miniapp生态系统中风险评估和脆弱性检测的创新技术。此外，我们建议采用正式的方法来严格理解这些政策，并标准化API的设计和实施，从而实现更安全和符合隐私的Miniapp生态系统。我们的研究有望为开发实用解决方案的开发铺平道路，这些解决方案可以迅速采用，超级应用程序和Miniapp开发人员可以应对该领域的紧急安全性和隐私挑战。该奖项反映了NSF的法定任务，并被认为是值得通过基金会的知识分子优点和更广泛的影响审查的评估来通过评估来支持的。