Publications

A collection of my research work.

# Equal contribution / Co-first authors.* Corresponding author

(A)I Sees What You Don't: Exploiting New Attack Surfaces in Third-Party Mobile Agents

Zidong Zhang, Zhentao Xie, Wenrui Diao, Jianliang Wu

arXiv Preprint | arXiv:2607.00333

Identifies two new attack surfaces in third-party mobile agents and demonstrates seven attacks that exploit visual perception and insecure communication channels.

PDF

Mini-Programs, Mega-Problems: Unveiling OAuth Misuses in Mini-Programs via Dynamic Analysis

Zidong Zhang#, Zhentao Xie#, Lingyun Ying, Qingsheng Hou, Yacong Gu, Wenrui Diao, Jianliang Wu

ACM CCS 2026 | The 33rd ACM Conference on Computer and Communications Security
CCF-ACore A*BIG4TOP

Systematizes OAuth-based authentication misuses in mini-programs and presents a dynamic analysis framework that finds 1,834 real-world cases across WeChat and Baidu ecosystems.

PDF

Your Space is My Zone: Demystifying the Security Risks of AI-Powered Applications on Pre-Trained Model Hubs

Yacong Gu, Lingyun Ying, Zidong Zhang, Yingyuan Pu, Xiaoxue Huang, Jiawei Zhou, Wenjie Zhu, Donghong Sun, Haixin Duan

ACM CCS 2026 | The 33rd ACM Conference on Computer and Communications Security
CCF-ACore A*BIG4TOP

Presents the first systematic security analysis of AI-powered applications across major platforms, uncovering large-scale credential leaks, code-execution flaws, and platform-level architectural risks.

PDF

Hey, Your Secrets Leaked! Detecting and Characterizing Secret Leakage in the Wild

Jiawei Zhou#, Zidong Zhang#, Lingyun Ying*, Huajun Chai, Jiuxin Cao*, Haixin Duan

IEEE S&P 2025 | The 46th IEEE Symposium on Security and Privacy
CCF-ACore A*BIG4TOP

Introduces KEYSENTINEL for detecting structured and unstructured secrets, plus a large-scale study of leakage across GitHub, PyPI, and WeChat.

PDF

MiniCAT: Understanding and Detecting Cross-Page Request Forgery Vulnerabilities in Mini-Programs

Zidong Zhang, Qinsheng Hou, Lingyun Ying*, Wenrui Diao*, Yacong Gu, Rui Li, Shanqing Guo, Haixin Duan

ACM CCS 2024 | The 31st ACM Conference on Computer and Communications Security
CCF-ACore A*BIG4TOP

Identifies MiniCPRF in mini-programs and presents MiniCAT, which found 13,349 potentially vulnerable samples among 41,726 analyzable mini-programs.

MiniBLE: Exploring Insecure BLE API Usages in Mini-Programs

Zidong Zhang, Jianqi Du, Wenrui Diao*, Jianliang Wu*

SaTS 2024 | The 2nd ACM Workshop on Secure and Trustworthy Superapps

Studies insecure BLE pairing in IoT-oriented mini-programs and introduces MiniBLE, a static taint analysis tool evaluated on 41,276 real-world samples.

PDF

Living in the Past: Analyzing BLE IoT Devices Based on Mobile Companion Apps in Old Versions

Jianqi Du, Zidong Zhang, Fenghao Xu*, Wenrui Diao*

MSN 2023 | The 19th International Conference on Mobility, Sensing and Networking
CCF-C

Shows that old BLE companion apps can still expose device vulnerabilities, since many IoT devices cannot receive meaningful firmware fixes.

PDF

Identifying the BLE Misconfigurations of IoT Devices through Companion Mobile Apps

Jianqi Du, Fenghao Xu*, Chennan Zhang, Zidong Zhang, Xiaoyin Liu, Pengcheng Ren, Wenrui Diao*, Shanqing Guo, Kehuan Zhang

IEEE SECON 2022 | The 19th Annual IEEE International Conference on Sensing, Communication, and Networking
CCF-B

Detects BLE misconfigurations through companion app analysis and applies BSC-Checker to 4,589 apps across multiple markets.

PDF