Publications
A collection of my research work.
# Equal contribution / Co-first authors.* Corresponding author
(A)I Sees What You Don't: Exploiting New Attack Surfaces in Third-Party Mobile Agents
Zidong Zhang, Zhentao Xie, Wenrui Diao, Jianliang Wu
Identifies two new attack surfaces in third-party mobile agents and demonstrates seven attacks that exploit visual perception and insecure communication channels.
Mini-Programs, Mega-Problems: Unveiling OAuth Misuses in Mini-Programs via Dynamic Analysis
Zidong Zhang#, Zhentao Xie#, Lingyun Ying, Qingsheng Hou, Yacong Gu, Wenrui Diao, Jianliang Wu
Systematizes OAuth-based authentication misuses in mini-programs and presents a dynamic analysis framework that finds 1,834 real-world cases across WeChat and Baidu ecosystems.
Your Space is My Zone: Demystifying the Security Risks of AI-Powered Applications on Pre-Trained Model Hubs
Yacong Gu, Lingyun Ying, Zidong Zhang, Yingyuan Pu, Xiaoxue Huang, Jiawei Zhou, Wenjie Zhu, Donghong Sun, Haixin Duan
Presents the first systematic security analysis of AI-powered applications across major platforms, uncovering large-scale credential leaks, code-execution flaws, and platform-level architectural risks.
Hey, Your Secrets Leaked! Detecting and Characterizing Secret Leakage in the Wild
Jiawei Zhou#, Zidong Zhang#, Lingyun Ying*, Huajun Chai, Jiuxin Cao*, Haixin Duan
Introduces KEYSENTINEL for detecting structured and unstructured secrets, plus a large-scale study of leakage across GitHub, PyPI, and WeChat.
MiniCAT: Understanding and Detecting Cross-Page Request Forgery Vulnerabilities in Mini-Programs
Zidong Zhang, Qinsheng Hou, Lingyun Ying*, Wenrui Diao*, Yacong Gu, Rui Li, Shanqing Guo, Haixin Duan
Identifies MiniCPRF in mini-programs and presents MiniCAT, which found 13,349 potentially vulnerable samples among 41,726 analyzable mini-programs.
MiniBLE: Exploring Insecure BLE API Usages in Mini-Programs
Zidong Zhang, Jianqi Du, Wenrui Diao*, Jianliang Wu*
Studies insecure BLE pairing in IoT-oriented mini-programs and introduces MiniBLE, a static taint analysis tool evaluated on 41,276 real-world samples.
Living in the Past: Analyzing BLE IoT Devices Based on Mobile Companion Apps in Old Versions
Jianqi Du, Zidong Zhang, Fenghao Xu*, Wenrui Diao*
Shows that old BLE companion apps can still expose device vulnerabilities, since many IoT devices cannot receive meaningful firmware fixes.
Identifying the BLE Misconfigurations of IoT Devices through Companion Mobile Apps
Jianqi Du, Fenghao Xu*, Chennan Zhang, Zidong Zhang, Xiaoyin Liu, Pengcheng Ren, Wenrui Diao*, Shanqing Guo, Kehuan Zhang
Detects BLE misconfigurations through companion app analysis and applies BSC-Checker to 4,589 apps across multiple markets.