Measuring the Leakage and Exploitability of Authentication Secrets in Super-apps: The WeChat Case. (arXiv:2307.09317v1 [cs.CR])

We conduct a large-scale measurement of developers' insecure practices
leading to mini-app to super-app authentication bypass, among which hard-coding
developer secrets for such authentication is a major contributor. We also
analyze the exploitability and security consequences of developer secret
leakage in mini-apps by examining individual super-app server-side APIs. We
develop an analysis framework for measuring such secret leakage, and primarily
analyze 110,993 WeChat mini-apps, and 10,000 Baidu mini-apps (two of the most
prominent super-app platforms), along with a few more …

app apps authentication authentication bypass bypass case coding developer developers hard insecure large major measurement measuring practices scale secret secrets security super super-apps wechat