
Mini-App But Great Impact: New Ways to Compromise Mobile Apps.pdf

Uploader: 竿*** ID: 981801 2025-11-29 26 pages 1.82MB

#BHAS BlackHatEvents

Mini-App But Great Impact: New Ways to Compromise Mobile Apps
IES Red Team of ByteDance

About us
- Security researchers and developers at IES Red Team of ByteDance
- Privacy and data protection research involving apps and systems
- Security bug hunters covering Mobile, Web and Cloud
- Speakers at Black Hat USA/Europe/Asia and Black Hat USA Arsenal

Outline
1. Introduction of Mini-Apps
2. Risk Assessment
3. Further Exploit
4. Security Recommendations
5. Conclusion

1. Introduction of Mini-Apps

Mini-Apps and Super Apps
- Mini-app: hybrid solution; built on Web technologies; integrates with the capabilities of native apps.
- Super app: native app; hosts and supports Mini-apps; provides resources.

Comparison Study
- Deployed as: Mini-app: package; Web App (Chrome): Web resources; Native App (Android): apk
- Engine: Mini-app: WebView / native V8 / JavaScriptCore; Web App (Chrome): Blink / Gecko / WebKit with V8 / JavaScriptCore; Native App (Android): ART / Dalvik
- Dependencies: Mini-app: Super app; Web App (Chrome): Browser; Native App (Android): Android OS

API & Security Mechanism
- File API: x.saveFile, x.openFile, x.downloadFile, ...
- Network API: x.request, x.fetch, x.upload, ...
- Location API: x.getLocation, x.queryGPS, x.updateLocation, ...
- Media API: x.openCamera, x.openMicrophone, x.accessAlbum, ...
- Security: Permission Check (vertical, horizontal); Sandbox (data storage, code execution, runtime environment)

2. Risk Assessment

Comparison and Risk Assessment (Web App / Native App / Mini-App)
- Access Control and Sandbox Storage compared across the three models; the Web App relies on the same-origin policy, the Native App on process isolation, and the Mini-App column is marked "?" (an open question in the slide).

Risk Assessment: FileManager API
API for File Access
- readFileSync: read
- writeFileSync: write
- unzip: write

Risk for File Access (vulnerable Super-Apps out of 9 tested)
- Relative path in parameter: 2/9
- Symbolic link in parameter: 3/9
- Filename with relative path in zip file: 5/9

Fi
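The three file-access risks in the table above (a relative path in the parameter, a symbolic link in the parameter, and a zip entry whose filename contains a relative path) share one defensive check: every path a Mini-app hands to the FileManager API must resolve inside its sandbox directory. The following Python is an added example of that check, not code from the talk or from any Super-app; the sandbox layout, the `super_app_secret.txt` file and the `bundle.zip` contents are constructed for the demo.

```python
import os
import tempfile
import zipfile
from pathlib import Path
from typing import Optional

def resolve_in_sandbox(sandbox_root: str, user_path: str) -> Optional[str]:
    """Resolve a Mini-app-supplied path and return it only if it stays inside sandbox_root.
    realpath() normalises '..' components and follows symbolic links, so both a traversal
    parameter and a link that points outside the sandbox are rejected (returns None)."""
    root = os.path.realpath(sandbox_root)
    candidate = os.path.realpath(os.path.join(root, user_path))
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None

def unsafe_zip_entries(zip_path: str) -> list:
    """Names inside the archive that would be written outside the extraction directory
    (absolute paths or any '..' component). Check these before calling unzip."""
    bad = []
    with zipfile.ZipFile(zip_path) as zf:
        for name in zf.namelist():
            parts = Path(name).parts
            if Path(name).is_absolute() or name.startswith(("/", "\\")) or ".." in parts:
                bad.append(name)
    return bad

def demo() -> dict:
    """Constructed scenario: a sandbox dir, a symlink escaping it, and a zip with a traversal entry."""
    base = tempfile.mkdtemp()
    sandbox = os.path.join(base, "miniapp_data")
    os.makedirs(sandbox)
    outside = os.path.join(base, "super_app_secret.txt")   # host-app data outside the sandbox
    Path(outside).write_text("host-app data")
    os.symlink(outside, os.path.join(sandbox, "innocent.txt"))  # link inside, target outside
    zip_path = os.path.join(base, "bundle.zip")
    with zipfile.ZipFile(zip_path, "w") as zf:
        zf.writestr("pages/index.js", "console.log(1)")      # legitimate entry
        zf.writestr("../../escape.js", "x")                   # entry with a relative path
    return {
        "plain": resolve_in_sandbox(sandbox, "cache/a.txt") is not None,       # True
        "relative": resolve_in_sandbox(sandbox, "../super_app_secret.txt") is not None,  # False
        "symlink": resolve_in_sandbox(sandbox, "innocent.txt") is not None,    # False
        "zip_bad": unsafe_zip_entries(zip_path),                # ["../../escape.js"]
    }
```

The same realpath-then-prefix check should run again on each extracted entry's destination, since a zip entry can also point at a symlink that already exists in the sandbox.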

Based on the marked content, the document centres on the security risks of Mini-Apps and the countermeasures: 1. Mini-Apps versus Super-Apps: Mini-Apps integrate Web technologies into a native app, while Super-Apps are standalone apps that host Mini-Apps. 2. Risk assessment: Mini-Apps carry file-access and network-API risks, such as relative-path flaws, file-operation API risks and network-API flaws. 3. Further analysis: hidden APIs and exposed global variables can lead to security vulnerabilities. 4. Prototype Pollution: attacks via whitelist bypass, private-API parameter hijacking and user-credential leakage. 5. Security recommendations: sandbox isolation, permission control and runtime protections to secure Mini-Apps and Super-Apps.