
New Video from @BlackHatOfficialYT: Security Risks of Mini Apps
In this video, security researchers Wii and Xangu from the is real team present their findings on mini apps, a new form of mobile applications that combine the capabilities of native apps and web technologies. They explain the differences between mini apps, native apps, and web apps, as well as the advantages and security risks associated with this new technology.

Mini apps are cross-platform solutions that leverage web technologies and the capabilities provided by native apps. They can be launched and run on Android, iOS, and even PCs with a single codebase. A super app, which is a native application, serves as a platform for mini apps, providing the necessary resources and distributing the various mini apps. Users can launch a mini app by clicking a link or scanning a QR code.

The researchers identified several common APIs used by mini apps, such as file reading and writing, and decompression. They conducted security tests on these APIs to attempt to access or replace files outside the mini app's storage space. For example, they tried to read the super app's cookie file or replace executable files, which could lead to remote code execution. Their results show that several super apps are vulnerable to these attacks.

Next, the researchers analyzed the networking capabilities of mini apps, focusing on APIs that perform outgoing requests, such as the request API and the download API. They discovered that many applications directly reuse the host's basic networking capabilities, which can lead to security risks. For example, a super app was sending user credentials to a third-party website, and several mini apps could send requests to the host's website with the user's cookie, violating the same-origin policy principle.

The researchers also discussed hidden APIs, which are undocumented APIs that developers can use to bypass security restrictions. They explained how to discover these hidden APIs by analyzing the JS core, which serves as a bridge between mini apps and the super app, and by reverse-engineering the super app's code. They also showed how to invoke these hidden APIs using public or privileged global variables.

To mitigate these risks, the researchers proposed several suggestions, such as verifying domain names and using the freeze object. They emphasized the importance of sandbox isolation, permission control, and runtime security for super apps.

In conclusion, this presentation provided an in-depth analysis of the security risks associated with mini apps and proposed solutions to mitigate them. The researchers encouraged further exploration of these vulnerabilities and stressed the importance of security in the development of mini apps. To learn more, watch the full video here: https://www.youtube.com/watch?v=J5Jn0-FsAc8
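
The two mitigations named in the summary, domain verification and freezing objects, sketched as an added example (not code from the talk or from any super app): a host-side gate for a mini app's request API that matches the parsed hostname against a frozen per-app allowlist and drops host credentials. It assumes "the freeze object" refers to JavaScript's `Object.freeze`; the app id, domain, and function names are hypothetical.

```javascript
// Added example: host-side gate for a mini app's request API.
// ALLOWED_DOMAINS, checkRequest and the app id are hypothetical names.

// Deep-freeze the allowlist so mini app code that obtains a reference
// cannot append a domain or swap a list at runtime.
function deepFreeze(obj) {
  for (const value of Object.values(obj)) {
    if (value !== null && typeof value === 'object') deepFreeze(value);
  }
  return Object.freeze(obj);
}

// Constructed sample: the domains each mini app registered with the platform.
const ALLOWED_DOMAINS = deepFreeze({
  'miniapp-demo': ['api.miniapp-demo.example'],
});

// Decide whether the super app should perform the request on the mini
// app's behalf, and make sure host credentials never ride along.
function checkRequest(appId, rawUrl, headers = {}) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { allowed: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'https:') return { allowed: false, reason: 'scheme not https' };
  if (url.username || url.password) return { allowed: false, reason: 'userinfo in URL' };
  const registered = Object.prototype.hasOwnProperty.call(ALLOWED_DOMAINS, appId)
    ? ALLOWED_DOMAINS[appId] : [];
  // Compare the parsed hostname exactly. Substring or prefix checks on the
  // raw string accept look-alike hosts and userinfo tricks.
  if (!registered.includes(url.hostname)) {
    return { allowed: false, reason: 'domain not registered' };
  }
  const safeHeaders = {};
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (lower !== 'cookie' && lower !== 'authorization') safeHeaders[name] = value;
  }
  return { allowed: true, url: url.href, headers: safeHeaders };
}
```

The check fails closed: an unknown app id, a non-HTTPS scheme, or any hostname that is not an exact match is refused before the host's network stack is touched.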