The Skeleton Keys: A Large Scale Analysis of Credential Leakage in Mini-apps

Yizhe Shi

Network and Distributed System Security (NDSS) Symposium 2025 · Day 1 · Mobile Security

This talk, presented by Yizhe Shi of Fudan University, examines **credential leakage** in the fast-growing **super-app and mini-app ecosystem** and introduces **K-Magnet**, a semantic analysis framework for identifying and analysing such leaks at scale. The underlying problem: super-apps grant mini-apps access to sensitive resources and services through credential-based access control, but many mini-app developers lack the security awareness to keep those credentials on their own backend. Instead they embed them in client-side code, which ships to every user of the mini-app and can be extracted by anyone who obtains the package.

AI review

Solid academic security research with real numbers, a novel detection framework, and a large-scale measurement study that actually quantifies a problem most practitioners haven't formally mapped yet. The super-app/mini-app credential landscape is genuinely underexplored in Western security research, and 8,000+ leakage instances across 21 platforms with a working tool and 90%+ F-score is a credible contribution — not just a theoretical exercise.
