Better Safe than Sorry: Uncovering the Insecure Resource Management in App-in-App Cloud Services
Yizhe Shi
Network and Distributed System Security (NDSS) Symposium 2026 · Day 1 · Apps & Cloud Security
The "super app" ecosystem -- where platforms like **WeChat**, **TikTok**, **Alipay**, and **Baidu** host millions of mini apps -- has created a massive attack surface that most security researchers outside of Asia have barely examined. This talk reveals systemic insecure resource management vulnerabilities in the cloud services that power these mini app ecosystems. The researchers built an automated analysis tool called **AcReMinder** that identified nearly **3,000 vulnerable mini apps** across four major super app platforms, exposing sensitive user data including ID cards, medical records, education information, and even API keys like GPT credentials.
AI review
A systematic large-scale analysis of insecure cloud resource management in the super app mini app ecosystem, identifying nearly 3,000 vulnerable apps across WeChat, TikTok, Alipay, and Baidu. The automated tool AcReMinder achieves 97%+ accuracy and the findings -- exposed ID cards, medical records, API keys, and pay-for-free attacks -- are real and impactful. Technically competent work, though the underlying vulnerabilities are largely variants of missing server-side authorization rather than novel attack classes.