The advent of MiniApps, operating within larger SuperApps, has revolutionized user experiences by offering a wide range of services without the need for individual app downloads. However, this convenience has raised significant privacy concerns, as these MiniApps often require access to sensitive data, potentially leading to privacy violations. Our research addresses the critical gaps in the analysis of MiniApps' privacy practices, especially focusing on WeChat MiniApps in the Android ecosystem. Despite existing privacy regulations and platform guidelines, there is a lack of effective mechanisms to safeguard user privacy fully. We introduce MiniScope, a novel two-phase hybrid analysis approach, specifically designed for the MiniApp environment. This approach overcomes the limitations of existing static analysis techniques by incorporating dynamic UI exploration for complete code coverage and accurate privacy practice identification. Our methodology includes modeling UI transition states, resolving cross-package callback control flows, and automated iterative UI exploration. This allows for a comprehensive understanding of MiniApps' privacy practices, addressing the unique challenges of sub-package loading and event-driven callbacks. Our empirical evaluation of over 120K MiniApps using MiniScope demonstrates its effectiveness in identifying privacy inconsistencies. The results reveal significant issues, with 5.7% of MiniApps over-collecting private data and 33.4% overclaiming data collection. These findings emphasize the urgent need for more precise privacy monitoring systems and highlight the responsibility of SuperApp operators to enforce stricter privacy measures.

翻译：在超级应用中运行的小程序（MiniApps）无需单独下载即可提供广泛服务，彻底改变了用户体验。然而，这种便利性引发了严重的隐私问题，因为此类小程序常需访问敏感数据，可能导致隐私侵犯。本研究针对小程序隐私实践分析中的关键空白，尤其聚焦Android生态系统中的微信小程序。尽管已有隐私法规和平台指南，但缺乏充分保护用户隐私的有效机制。我们提出MiniScope——一种专为小程序环境设计的新型两阶段混合分析方法。该方法通过引入动态界面探索实现完整代码覆盖与精准隐私实践识别，从而克服现有静态分析技术的局限性。我们的方法包括建模界面转换状态、解析跨包回调控制流以及自动化迭代界面探索。这使得我们能够全面理解小程序的隐私实践，应对子包加载与事件驱动回调带来的独特挑战。基于MiniScope对超过12万个小程序进行的实证评估表明，该方法能有效识别隐私不一致性。研究结果揭示了显著问题：5.7%的小程序过度收集隐私数据，33.4%的小程序虚报数据收集行为。这些发现凸显了建立更精准隐私监控系统的迫切性，并强调了超级应用运营商需承担加强隐私管控的责任。