Mobile applications, particularly those from social media platforms such as WeChat and TikTok, are evolving into "super apps" that offer a wide range of services such as instant messaging and media sharing, e-commerce, e-learning, and e-government. These super apps often provide APIs for developers to create "miniapps" that run within the super app. These APIs should have been thoroughly scrutinized for security. Unfortunately, we find that many of them are undocumented and unsecured, potentially allowing miniapps to bypass restrictions and gain higher privileged access. To systematically identify these hidden APIs before they are exploited by attackers, we developed a tool, APIScope, that combines static analysis and dynamic analysis: static analysis is used to recognize hidden, undocumented APIs, and dynamic analysis is used to confirm whether the identified APIs can be invoked by an unprivileged third-party miniapp. We have applied APIScope to five popular super apps (i.e., WeChat, WeCom, Baidu, QQ, and TikTok) and found that all of them contain hidden APIs, many of which can be exploited due to missing security checks. We have also quantified the hidden APIs that may have security implications by verifying whether they have access to resources protected by Android permissions. Furthermore, we demonstrate the potential security hazards by presenting various attack scenarios, including unauthorized access to arbitrary web pages, downloading and installing malicious software, and stealing sensitive information. We have reported our findings to the relevant vendors, some of whom have patched the vulnerabilities and rewarded us with bug bounties.
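The static half of the workflow described above, as a small added example written for this page (not APIScope's own code): it diffs the JS-bridge API names registered in a host app against the publicly documented list, then walks a call graph from each undocumented handler to see which Android-permission-protected resources it can reach. The decompiled snippet, the documented list, the call graph and the permission mapping are all constructed sample data with hypothetical API and handler names; a real audit would populate them from the super app's decompiled bytecode and its developer documentation.

```python
import re
from collections import deque

# Constructed sample: lines resembling JS-bridge API registrations in a
# decompiled super-app host. All API and handler names are hypothetical.
SAMPLE_DECOMPILED = """
jsApiRegistry.register("getLocation", new GetLocationHandler());
jsApiRegistry.register("chooseImage", new ChooseImageHandler());
jsApiRegistry.register("private_openWebView", new OpenWebViewHandler());
jsApiRegistry.register("private_installPackage", new InstallPackageHandler());
jsApiRegistry.register("getDeviceInfo", new DeviceInfoHandler());
"""

# Constructed: API names that appear in the public miniapp developer docs.
DOCUMENTED = {"getLocation", "chooseImage", "getDeviceInfo"}

# Constructed call graph: handler class -> framework methods it invokes.
CALL_GRAPH = {
    "GetLocationHandler": ["LocationManager.getLastKnownLocation"],
    "ChooseImageHandler": ["MediaStore.query"],
    "OpenWebViewHandler": ["WebView.loadUrl"],
    "InstallPackageHandler": ["DownloadManager.enqueue", "PackageInstaller.commit"],
    "DeviceInfoHandler": ["TelephonyManager.getDeviceId"],
}

# Constructed mapping from framework method to the Android permission guarding it.
PERMISSION_OF = {
    "LocationManager.getLastKnownLocation": "ACCESS_FINE_LOCATION",
    "MediaStore.query": "READ_EXTERNAL_STORAGE",
    "DownloadManager.enqueue": "INTERNET",
    "PackageInstaller.commit": "REQUEST_INSTALL_PACKAGES",
    "TelephonyManager.getDeviceId": "READ_PHONE_STATE",
}

# Matches register("<apiName>", new <HandlerClass>( in the constructed snippet.
REGISTER_RE = re.compile(r'register\("([A-Za-z0-9_]+)",\s*new\s+([A-Za-z0-9_]+)\(')


def extract_registered_apis(source):
    """Return {api_name: handler_class} for every registration found in source."""
    return {name: handler for name, handler in REGISTER_RE.findall(source)}


def hidden_apis(registered, documented):
    """Registered APIs that the public documentation never mentions."""
    return {name: h for name, h in registered.items() if name not in documented}


def reachable_permissions(handler, graph=CALL_GRAPH, perms=PERMISSION_OF):
    """Breadth-first walk from handler; collect permissions of every reachable method."""
    seen, queue, found = set(), deque([handler]), set()
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        if node in perms:
            found.add(perms[node])
        queue.extend(graph.get(node, []))
    return found


def triage(source=SAMPLE_DECOMPILED, documented=DOCUMENTED):
    """Map each hidden API to the sorted list of permissions it can reach."""
    registered = extract_registered_apis(source)
    return {
        name: sorted(reachable_permissions(handler))
        for name, handler in hidden_apis(registered, documented).items()
    }


if __name__ == "__main__":
    for api, perms in triage().items():
        print(f"{api}: {perms or 'no permission-gated resource reached'}")
```

The permission walk only flags hidden APIs that reach permission-gated resources; an undocumented API that merely loads an arbitrary URL in a WebView reaches none, yet it is exactly the kind of API the abstract lists as a hazard, so entries with an empty permission list still deserve manual review and a dynamic check from an unprivileged miniapp.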