Privacy Leakage Risk Analysis of Mini Programs Based on Covert Communication

  • Beihang University
  • Tianmushan Laboratory

Research output: Contribution to journal, Article, peer-reviewed

Abstract

Mini programs, which exemplify the "app-in-app" paradigm, have become deeply integrated into people's work and daily lives and access substantial amounts of private user data. To prevent privacy leaks, mini program platforms monitor and regulate regular communication methods. However, mini programs can use covert communication to evade detection. To address the threat that covert communication poses to user privacy, this paper analyzes the privacy leakage risk of covert communication in mini programs. After summarizing the covert communication model and communication conditions of mini programs, we design covert communication methods for both mini-program-to-mini-program and mini-program-to-server communication based on mini program APIs and components. Invisible character-based source coding and forged pages, respectively, are adopted to improve covertness. Experiments verify that these covert communication methods can transmit secret information, and two attack scenarios are designed to analyze the privacy leakage risk they introduce. Finally, corresponding mitigation measures are discussed.

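Translated title of the contribution: Analysis of privacy leakage of the mini program based on covert communication
Original language: Traditional Chinese
Pages (from-to): 173-182
Number of pages: 10
Journal: Xi'an Dianzi Keji Daxue Xuebao/Journal of Xidian University
Volume: 52
Issue number: 5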
Publication status: Published - Oct 2025

Keywords

  • covert communication
  • mini program
  • mobile security
  • privacy leakage
  • security of data
