Whiskey: Large-Scale Identification of Mobile Mini-App Session Key Leakage With LLMs
Yu Chen; Yuanchao Chen; Ruipeng Wang; Taiyan Wang; Shouling Ji; Hong Shan; Dan Xu; Zulie Pan
IEEE Transactions on Information Forensics and Security, vol. 20, pp. 5872-5887, journal article published 2025-06-02. DOI: 10.1109/TIFS.2025.3575561. https://ieeexplore.ieee.org/document/11020660/
Mini-apps, which run on super-apps, have attracted a large number of users due to their lightweight nature and the convenience of supporting the authorized use of super-app user information. Super-apps employ encryption to protect the transmission of sensitive identity information authorized by users to the mini-app, using the session key as the encryption key. However, we have identified a risk of session key leakage, which could be exploited to maliciously manipulate sensitive user identity information, thereby posing a significant threat to user data security. To show the impact of this leakage, we explore the business scenarios in which it can be abused in detail. Nevertheless, the diversity in design among mini-apps makes automated testing of these business scenarios at a large scale challenging. This diversity is reflected in the inconsistent naming of identical types of controls and the disparate execution orders of controls within the same business scenarios across different mini-apps. To overcome these challenges, we propose Whiskey, which uses large language models to adaptively and intelligently optimize dynamic testing strategies for mini-apps with diverse designs, so that session key leakage can be detected at scale. We evaluated Whiskey on 157,063 WeChat mini-apps and 10,000 TikTok mini-apps, and found that 15,712 of the WeChat mini-apps and 678 of the TikTok mini-apps had session key leakage vulnerabilities. Further analysis showed that this leakage could lead to account takeover and promotion abuse attacks. We responsibly reported the detection results to Tencent and the mini-app vendors. At the time of submission, 17 reported issues had been assigned CNVD IDs.
Journal description:
The IEEE Transactions on Information Forensics and Security covers the sciences, technologies, and applications relating to information forensics, information security, biometrics, surveillance, and systems applications that incorporate these features.