MiniScope: Automated UI Exploration and Privacy Inconsistency Detection of MiniApps via Two-phase Iterative Hybrid Analysis

The advent of MiniApps, operating within larger SuperApps, has revolutionized user experiences by offering a wide range of services without the need for individual app downloads. However, this convenience has raised significant privacy concerns, as these MiniApps often require access to sensitive data, potentially leading to privacy violations. Our research addresses the critical gaps in the analysis of MiniApps' privacy practices, especially focusing on WeChat MiniApps in the Android ecosystem. Despite existing privacy regulations and platform guidelines, there is a lack of effective mechanisms to safeguard user privacy fully. We introduce MiniScope, a novel two-phase hybrid analysis approach, specifically designed for the MiniApp environment. This approach overcomes the limitations of existing static analysis techniques by incorporating dynamic UI exploration for complete code coverage and accurate privacy practice identification. Our methodology includes modeling UI transition states, resolving cross-package callback control flows, and automated iterative UI exploration. This allows for a comprehensive understanding of MiniApps' privacy practices, addressing the unique challenges of sub-package loading and event-driven callbacks. Our empirical evaluation of over 120K MiniApps using MiniScope demonstrates its effectiveness in identifying privacy inconsistencies. The results reveal significant issues, with 5.7% of MiniApps over-collecting private data and 33.4% overclaiming data collection. These findings emphasize the urgent need for more precise privacy monitoring systems and highlight the responsibility of SuperApp operators to enforce stricter privacy measures

SLA-Driven Governance of RESTful Systems

The Software as a Service (SaaS) paradigm has become entrenched in the industry as a deployment model, bringing flexibility to the customers and a recurring revenue to the business. The main architectural paradigm of SaaS systems is the service-oriented one since it provides numerous advantages in terms of elasticity, fault tolerance, and flexible architectural design. Currently, the RESTful paradigm, a layer of abstraction on the server created by defining resources and entities that can be accessed by means of a URI, is the preferred choice for the construction of SaaS, as it promotes the deployment, isolation and integration of microservices through APIs. Nowadays, APIs are regarded as a new form of business product and ever more organizations are publicly opening up access to their APIs as a way to create new business opportunities. In the same way, other organizations also consume a number of third-party APIs as part of their business. We henceforth define the concept of a RESTful System as an information system following the RESTful paradigm to shape the integration model between both its own components as well as other information systems. Furthermore, understanding governance as the way in which a component is directed and controlled, in RESTful Systems, those components will be the RESTful APIs and what we aim to control or regulate is their behavior (i.e., how an API is being consumed or provided). As APIs are increasingly regarded as business products, a crucial activity is to describe the set of plans (i.e., the pricing) that depicts the functionality and performance being offered to clients. API providers usually define certain limitations in each instance of a plan (e.g., quotas and rates); for example, a free plan might be limited to having one hundred monthly requests, and a professional plan to have five hundred monthly requests. However, although API providers use the Service Level Agreement (SLA) concept to delimit the functionality and guarantees to which they commit to their customers, there is no standard model used by API providers for modeling API pricing (including the plans and limitations). Although some providers do model the information regarding the API pricing and API limitations with an ad hoc approach, there is no widely accepted model in the industry. Wherefore answering questions regarding API limitations (e.g., determining whether or not a certain pricing is valid) is still a manual or non-interoperable process coming along with some inconveniences (being tedious, time-consuming, error-prone, etc.). Understating governance as to how a system is directed and controlled, we translate this concept to meet the SLA-driven approach: we consider the SLA (i.e., API pricing) as the element that will drive the directions, policies and rules to deliver and maintain the RESTful System. Adding the SLA to the idea of governance of RESTful systems leads to the main hypothesis of this dissertation: there is no well-established model for describing API pricings)in RESTful systems, which is hindering the automatic SLA-Driven governance. We claim the main goal of this thesis to be: the creation of an expressive, fully-fledged specification of SLAs for RESTful APIs endorsed with an open ecosystem of tools aimed at the SLA-Driven Governance of RESTful systems. The results of this endeavor are twofold: (I) Creation of a sufficiently expressive specification for the description of API pricings and the analysis of their validity. This comprises: (i) conducting an analysis of real-world APIs to evaluate the characteristics of the API pricings and limitations; (ii) identifying the relevance of SLAs in APIs in both academic and industrial scenarios; (iii) proposing a comprehensive model for describing API pricings; (iv) defining analysis operations for common questions regarding the validity in API pricings and limitations; (v) performing an evaluation of the model in real-world APIs. (II) Implementation of an ecosystem of tools to support the SLA-Driven governance of RESTful APIs. This includes: (i) developing a set of API governance tools; (ii) implementing a validity analysis operation; (iii) performing a validation of the tools and operations in realistic scenarios. In this thesis, we present the Governify4APIs ecosystem as the set comprised of (i) a model aimed at describing API pricings that is closely aligned with industry standards in APIs (OpenAPI Specification) and (ii) a set of companion tools for enacting the automatic governance using our specification, ranging from low-level validation tasks to SaaS solutions based on our model. Governify4APIs is, therefore, a fully-fledged specification, aligned with the mainstream standards and intended to enable an SLA-Driven Governance of RESTful Systems.El paradigma del software como servicio (SaaS) se ha afianzado en la industria como modelo de despliegue, aportando flexibilidad a los clientes y unos ingresos constantes a las organizaciones. El principal paradigma arquitectónico de los sistemas SaaS es la arquitectura orientada a servicios, ya que proporciona numerosas ventajas en términos de elasticidad, tolerancia a fallos y diseño flexible. RESTful, una capa de abstracción sobre el servidor creada mediante la definición de recursos y entidades a las que se puede acceder mediante una URI, es la opción preferida para la construcción de SaaS, ya que promueve el despliegue, el aislamiento y la integración de microservicios a través de APIs. Hoy en día, las APIs se consideran una nueva forma de producto empresarial y cada vez más organizaciones abren públicamente el acceso a sus APIs como forma de crear nuevas oportunidades de negocio. Del mismo modo, otras organizaciones también consumen una serie de APIs de terceros como parte de su negocio. A partir de ahora definimos el concepto de Sistema RESTful como un sistema de información que sigue el paradigma RESTful para conformar el modelo de integración tanto entre sus propios componentes como con otros sistemas de información. Además, entendiendo gobierno como la forma en que se dirige y controla un componente, en los sistemas RESTful, esos componentes serán las APIs RESTful y lo que pretendemos controlar o regular es su comportamiento (es decir, cómo se está consumiendo o proporcionando una API). Dado que las APIs están, cada vez más, siendo consideradas como productos comerciales, una actividad crucial es describir el conjunto de planes (es decir, el pricing) que describe la funcionalidad y el rendimiento que se ofrece a los clientes. Los proveedores de API suelen definir ciertas limitaciones en cada instancia de un plan (por ejemplo, quotas y rates); por ejemplo, un plan gratuito podría estar limitado a tener cien peticiones mensuales, y un plan profesional a tener quinientas peticiones mensuales. Sin embargo, aunque los proveedores de APIs utilizan el concepto de Acuerdo de Nivel de Servicio (SLA) para delimitar la funcionalidad y las garantías a las que se comprometen con sus clientes, no existe ningún modelo estándar usado por los proveedores para modelar el pricing de las API (incluyendo los planes y limitaciones). Aunque algunos proveedores modelan la información relativa a los pricings y las limitaciones de las APIs con un enfoque ad hoc, no existe un modelo ampliamente aceptado en el sector. Por lo tanto, responder a las preguntas relativas a las limitaciones de la APIs (por ejemplo, determinar si un determinado pricing es válido o no) sigue siendo un proceso manual o no interoperable, cosa que conlleva algunos inconvenientes (es tedioso, consume tiempo, es propenso a errores, etc.). Entendiendo el gobierno como la forma de dirigir y controlar un sistema, podemos traducir este concepto teniendo en cuenta el SLA, esto es, consideramos este elemento como aquel sobre el que se realiza la dirección, políticas y reglas para entregar y mantener el sistema RESTful. Añadir el concepto SLA a esa idea de gobierno de sistemas RESTful nos lleva a la hipótesis principal de esta tesis: no existe un modelo bien establecido para describir los SLAs (o pricing) en los sistemas RESTful, lo que está dificultando el gobierno automático. Es, por tanto, el objetivo principal de esta tesis la creación de una especificación expresiva y completa de SLAs para APIs RESTful, respaldada por un ecosistema abierto de herramientas orientadas al gobierno de sistemas RESTful dirigido por SLAs. Los resultados principales han sido: (I) Creación de una especificación suficientemente expresiva para la descripción de los pricings de la API y el análisis de su validez. Esto comprende: (i) realizar un análisis de APIs del mundo real para evaluar las características de los pricings y limitaciones de las APIs; (ii) identificar la relevancia de los SLAs en las APIs tanto en escenarios académicos como industriales; (iii) proponer un modelo completo para describir los pricings de las APIs; (iv) definir operaciones de análisis para preguntas comunes sobre la validez en los pricings y limitaciones de las APIs; (v) realizar una evaluación del modelo en APIs del mundo real. (II) Implementación de un ecosistema de herramientas para apoyar la gobernanza SLA-Driven de las APIs RESTful. Esto incluye: (i) desarrollar un conjunto de herramientas de gobierno de APIs; (ii) implementar una operación de análisis de validez; (iii) realizar una validación de las herramientas y operaciones en escenarios realistas. En esta tesis, presentamos el ecosistema Governify4APIs como el conjunto compuesto por (i) un modelo destinado a describir los pricings de las APIs y alineado estrechamente con los estándares de la industria (OpenAPI) y (ii) un conjunto de herramientas complementarias para el gobierno automático utilizando este modelo, que van desde tareas de validación hasta soluciones SaaS. Por lo tanto, Governify4APIs es una especificación acompañada de todo lo necesario, alineada con los estándares industriales y destinada a permitir un gobierno de sistemas RESTful dirigidos por SLAs

Cyber Security

This open access book constitutes the refereed proceedings of the 18th China Annual Conference on Cyber Security, CNCERT 2022, held in Beijing, China, in August 2022. The 17 papers presented were carefully reviewed and selected from 64 submissions. The papers are organized according to the following topical sections: ​​data security; anomaly detection; cryptocurrency; information security; vulnerabilities; mobile internet; threat intelligence; text recognition

Cyber Security

This open access book constitutes the refereed proceedings of the 18th China Annual Conference on Cyber Security, CNCERT 2022, held in Beijing, China, in August 2022. The 17 papers presented were carefully reviewed and selected from 64 submissions. The papers are organized according to the following topical sections: ​​data security; anomaly detection; cryptocurrency; information security; vulnerabilities; mobile internet; threat intelligence; text recognition

Cyber Security

This open access book constitutes the refereed proceedings of the 16th International Annual Conference on Cyber Security, CNCERT 2020, held in Beijing, China, in August 2020. The 17 papers presented were carefully reviewed and selected from 58 submissions. The papers are organized according to the following topical sections: access control; cryptography; denial-of-service attacks; hardware security implementation; intrusion/anomaly detection and malware mitigation; social network security and privacy; systems security

Cyber Security

This open access book constitutes the refereed proceedings of the 16th International Annual Conference on Cyber Security, CNCERT 2020, held in Beijing, China, in August 2020. The 17 papers presented were carefully reviewed and selected from 58 submissions. The papers are organized according to the following topical sections: access control; cryptography; denial-of-service attacks; hardware security implementation; intrusion/anomaly detection and malware mitigation; social network security and privacy; systems security

Optimizing search user interfaces and interactions within professional social networks

Professional social networks (PSNs) play the key role in the online social media ecosystem, generate hundreds of terabytes of new data per day, and connect millions of people. To help users cope with the scale and influx of new information, PSNs provide search functionality. However, most of the search engines within PSNs today still provide only keyword queries, basic faceted search capabilities, and uninformative query-biased snippets overlooking the structured and interlinked nature of PSN entities. This results in siloed information, inefficient results presentation, and suboptimal search user experience (UX). In this thesis, we reconsider and comprehensively study input, control, and presentation elements of the search user interface (SUI) to enable more effective and efficient search within PSNs. Specifically, we demonstrate that: (1) named entity queries (NEQs) and structured queries (SQs) complement each other helping PSN users search for people and explore the PSN social graph beyond the first degree; (2) relevance-aware filtering saves users' efforts when they sort jobs, status updates, and people by an attribute value rather than by relevance; (3) extended informative structured snippets increase job search effectiveness and efficiency by leveraging human intelligence and exposing the most critical information about jobs right on a search engine result page (SERP); and (4) non-redundant delta snippets, which different from traditional query-biased snippets show on a SERP information relevant but complementary to the query, are more favored by users performing entity (e.g. people) search, lead to faster task completion times and better search outcomes. Thus, by modeling the structured and interlinked nature of PSN entities, we can optimize the query-refine-view interaction loop, facilitate serendipitous network exploration, and increase search utility. We believe that the insights, algorithms, and recommendations presented in this thesis will serve the next generation designers of SUIs within and beyond PSNs and shape the (structured) search landscape of the future

Urban Informatics

This open access book is the first to systematically introduce the principles of urban informatics and its application to every aspect of the city that involves its functioning, control, management, and future planning. It introduces new models and tools being developed to understand and implement these technologies that enable cities to function more efficiently – to become ‘smart’ and ‘sustainable’. The smart city has quickly emerged as computers have become ever smaller to the point where they can be embedded into the very fabric of the city, as well as being central to new ways in which the population can communicate and act. When cities are wired in this way, they have the potential to become sentient and responsive, generating massive streams of ‘big’ data in real time as well as providing immense opportunities for extracting new forms of urban data through crowdsourcing. This book offers a comprehensive review of the methods that form the core of urban informatics from various kinds of urban remote sensing to new approaches to machine learning and statistical modelling. It provides a detailed technical introduction to the wide array of tools information scientists need to develop the key urban analytics that are fundamental to learning about the smart city, and it outlines ways in which these tools can be used to inform design and policy so that cities can become more efficient with a greater concern for environment and equity

Urban Informatics

This open access book is the first to systematically introduce the principles of urban informatics and its application to every aspect of the city that involves its functioning, control, management, and future planning. It introduces new models and tools being developed to understand and implement these technologies that enable cities to function more efficiently – to become ‘smart’ and ‘sustainable’. The smart city has quickly emerged as computers have become ever smaller to the point where they can be embedded into the very fabric of the city, as well as being central to new ways in which the population can communicate and act. When cities are wired in this way, they have the potential to become sentient and responsive, generating massive streams of ‘big’ data in real time as well as providing immense opportunities for extracting new forms of urban data through crowdsourcing. This book offers a comprehensive review of the methods that form the core of urban informatics from various kinds of urban remote sensing to new approaches to machine learning and statistical modelling. It provides a detailed technical introduction to the wide array of tools information scientists need to develop the key urban analytics that are fundamental to learning about the smart city, and it outlines ways in which these tools can be used to inform design and policy so that cities can become more efficient with a greater concern for environment and equity

Urban Informatics

This open access book is the first to systematically introduce the principles of urban informatics and its application to every aspect of the city that involves its functioning, control, management, and future planning. It introduces new models and tools being developed to understand and implement these technologies that enable cities to function more efficiently – to become ‘smart’ and ‘sustainable’. The smart city has quickly emerged as computers have become ever smaller to the point where they can be embedded into the very fabric of the city, as well as being central to new ways in which the population can communicate and act. When cities are wired in this way, they have the potential to become sentient and responsive, generating massive streams of ‘big’ data in real time as well as providing immense opportunities for extracting new forms of urban data through crowdsourcing. This book offers a comprehensive review of the methods that form the core of urban informatics from various kinds of urban remote sensing to new approaches to machine learning and statistical modelling. It provides a detailed technical introduction to the wide array of tools information scientists need to develop the key urban analytics that are fundamental to learning about the smart city, and it outlines ways in which these tools can be used to inform design and policy so that cities can become more efficient with a greater concern for environment and equity