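@comment{
  Normalised from a one-line publisher export: one field per line, page range
  uses the BibTeX double hyphen instead of a Unicode en dash, and the tool name
  {TaintMini} is braced so sentence-casing styles do not lowercase it.
  `location` is a biblatex field (classic BibTeX styles ignore it); `url` is
  kept even though it only repeats the DOI resolver, for styles that print URLs.
}
@inproceedings{10.1109/ICSE48619.2023.00086,
  author    = {Wang, Chao and Ko, Ronny and Zhang, Yue and Yang, Yuqing and Lin, Zhiqiang},
  title     = {{TaintMini}: Detecting Flow of Sensitive Data in Mini-Programs with Static Taint Analysis},
  booktitle = {Proceedings of the 45th International Conference on Software Engineering},
  series    = {{ICSE} '23},
  year      = {2023},
  pages     = {932--944},
  numpages  = {13},
  publisher = {IEEE Press},
  location  = {Melbourne, Victoria, Australia},
  isbn      = {9781665457019},
  doi       = {10.1109/ICSE48619.2023.00086},
  url       = {https://doi.org/10.1109/ICSE48619.2023.00086},
  keywords  = {empirical study, privacy leaks detection, taint analysis, mini-programs},
  abstract  = {Mini-programs, which are programs running inside mobile super apps such as WeChat, often have access to privacy-sensitive information, such as location data and phone numbers, through APIs provided by the super apps. This access poses a risk of privacy sensitive data leaks, either accidentally from carelessly programmed mini-programs or intentionally from malicious ones. To address this concern, it is crucial to track the flow of sensitive data in mini-programs for either human analysis or automated tools. Although existing taint analysis techniques have been widely studied, they face unique challenges in tracking sensitive data flows in mini-programs, such as cross-language, cross-page, and cross-mini-program data flows. This paper presents a novel framework, TaintMini, which addresses these challenges by using a novel universal data flow graph approach that captures data flows within and across mini-programs. We have evaluated TaintMini with 238,866 mini-programs and detect 27,184 that contain sensitive data flows. We have also applied TaintMini to detect privacy leakage colluding mini-programs and identify 455 such programs from them that clearly violate privacy policy.},
}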