The advent of MiniApps, operating within larger SuperApps, has revolutionized user experiences by offering a wide range of services without the need for individual app downloads. However, this convenience has raised significant privacy concerns, as these MiniApps often require access to sensitive data, potentially leading to privacy violations. Our research addresses the critical gaps in the analysis of MiniApps' privacy practices, especially focusing on WeChat MiniApps in the Android ecosystem. Despite existing privacy regulations and platform guidelines, there is a lack of effective mechanisms to safeguard user privacy fully. We introduce MiniScope, a novel two-phase hybrid analysis approach, specifically designed for the MiniApp environment. This approach overcomes the limitations of existing static analysis techniques by incorporating dynamic UI exploration for complete code coverage and accurate privacy practice identification. Our methodology includes modeling UI transition states, resolving cross-package callback control flows, and automated iterative UI exploration. This allows for a comprehensive understanding of MiniApps' privacy practices, addressing the unique challenges of sub-package loading and event-driven callbacks. Our empirical evaluation of over 120K MiniApps using MiniScope demonstrates its effectiveness in identifying privacy inconsistencies. The results reveal significant issues, with 5.7% of MiniApps over-collecting private data and 33.4% overclaiming data collection. These findings emphasize the urgent need for more precise privacy monitoring systems and highlight the responsibility of SuperApp operators to enforce stricter privacy measures.

翻译：随着小程序在大型超级App中的运行，用户无需单独下载应用程序即可享受多样化的服务，这一特性彻底革新了用户体验。然而，这种便利性引发了显著的隐私问题，因为这些小程序通常需要访问敏感数据，可能导致隐私违规行为。本研究针对小程序隐私实践分析中的关键空白，特别聚焦于安卓生态系统中的微信小程序。尽管存在现有的隐私法规和平台指南，但缺乏有效机制来全面保障用户隐私。我们提出MiniScope——一种专为小程序环境设计的新型两阶段混合分析方法。该方法通过引入动态UI探索以实现完整代码覆盖和精准隐私实践识别，克服了现有静态分析技术的局限性。我们的方法包括建模UI状态转换、解决跨包回调控制流以及自动化迭代UI探索。这能够全面理解小程序的隐私实践，应对子包加载和事件驱动回调带来的独特挑战。我们使用MiniScope对超过12万个小程序进行的实证评估证明了其在识别隐私不一致性方面的有效性。结果显示，5.7%的小程序存在过度收集隐私数据的行为，33.4%的小程序存在过度宣称数据收集的问题。这些发现凸显了建立更精准隐私监控系统的迫切性，并强调了超级App运营方需执行更严格隐私措施的责任。