这是在CCS 2024会议的,Workshop on Secure and Trustworthy Superapps (SaTS)上我做的Keynote演讲的标题。演讲主要内容是分享了我们在小程序安全方面的经验与思考,总结了安全风险、挑战,应对方法等。

Abstract:
With the continuous development of Super-App and mini-apps ecosystem, the technical architecture, regulatory requirements, and security solutions of mini-apps are constantly changing. Mini-apps have now been deployed not only on cellphones, but also on electric cars such as Tesla, smart vending machines and handheld POS terminals. Many games based on Unity WebGL engine are also being supported by major Super-Apps. Completely different application scenarios, such as mobile phones and cars, and business types with different security requirements, such as pension bills and games, all need to run smoothly in Super-Apps. This situation poses a very big challenge to security technology.

This talk will introduce the latest technology development trend, regulatory compliance requirements for different business scenarios, supplychain security risks faced by different terminals and operating systems, etc. We will also introduce the various security capabilities implemented by our mini-app RASP (Runtime Application Self-Protection) based on AOS (Aspect Oriented Security), including privacy permission control, threat detection, vulnerability recovery, etc. The security paradigms, NbSP (Non-bypassable Security Paradigm) and OVTP (Operator-Voucher-Traceable Paradigm) are used to guide our security architecture design and security audit.

演讲的ppt没有公开。不过我们有一篇小论文在这个workshop上发表,可以阅读。
Towards a Better Super-App Architecture from a Browser Security Perspective
这个工作主要是对比了小程序的架构与浏览器之间的差异,从而探讨如何设计小程序的安全架构。