Wenrui Diao (刁文瑞)
Ph.D., The Chinese University of Hong Kong, 2017
Taishan Young Scholar (Shandong Province)
Xiaomi Young Scholar
Qilu Young Scholar (Shandong University)
Professor, Ph.D. Supervisor
School of Cyber Science and Technology, Shandong University
Qingdao, China
Email: diaowenrui [AT] link.cuhk.edu.hk
[Google Scholar] [DBLP] [Faculty Page]
Publications at Top-tier Venues (16 papers): IEEE S&P (’21, ’16), USENIX Security (’23), ACM CCS (’24 × 2, ’21, ’15, ’14), NDSS (’19, ’18), ICSE (’24, ’22 × 3), WWW (’24, ’23)
Publications Ranking Statistics: CCF A: 18 papers, CCF B: 13 papers, CCF C: 12 papers
Author with (✉️): Corresponding Author, i.e., the paper was led and completed by our group.
[EMSE] Shishuai Yang, Qinsheng Hou, Shuang Li, Fenghao Xu, and Wenrui Diao (✉️). From Guidelines to Practice: Assessing Android App Developer Compliance with Google’s Security Recommendations. Empirical Software Engineering, 30 (11): 1-33, 2025. [Q1, CCF B] [Link]
[TrustCom’24] Rui Li, Wenrui Diao (✉️), and Debin Gao (✉️). Custom Permission Misconfigurations in Android: A Large-Scale Security Analysis. The 23rd IEEE International Conference on Trust, Security and Privacy in Computing and Communications, Sanya, China. December 17-21, 2024. [Core B, CCF C] [PDF]
[TrustCom’24] Yifan Yu, Ruoyan Lin, Shuang Li, Qinsheng Hou, Peng Tang, and Wenrui Diao (✉️). Security Assessment of Customizations in Android Smartwatch Firmware. The 23rd IEEE International Conference on Trust, Security and Privacy in Computing and Communications, Sanya, China. December 17-21, 2024. [Core B, CCF C]
[ISSRE’24] Shuang Li, Rui Li, Shishuai Yang, and Wenrui Diao (✉️). Android's Cat-and-Mouse Game: Understanding Evasion Techniques against Dynamic Analysis. The 35th IEEE International Symposium on Software Reliability Engineering, Tsukuba, Japan. October 28-31, 2024. [Core A, CCF B] [PDF]
[ISSRE’24] Shishuai Yang, Guangdong Bai (✉️), Ruoyan Lin, Jialong Guo, and Wenrui Diao (✉️). Beyond the Horizon: Exploring Cross-Market Security Discrepancies in Parallel Android Apps. The 35th IEEE International Symposium on Software Reliability Engineering, Tsukuba, Japan. October 28-31, 2024. [Core A, CCF B] [PDF]
[CCS’24] Kailun Yan, Xiaokuan Zhang (✉️), and Wenrui Diao (✉️). Stealing Trust: Unraveling Blind Message Attacks in Web3 Authentication. The 31st ACM Conference on Computer and Communications Security, Salt Lake City, UT, USA. October 14-18, 2024. [Top] [Core A*, CCF A] [Distinguished Paper Award] [PDF] [Demo] [Code] [CVE-2023-50053, CVE-2023-50059]
[CCS’24] Zidong Zhang, Qinsheng Hou, Lingyun Ying (✉️), Wenrui Diao (✉️), Yacong Gu, Rui Li, Shanqing Guo, and Haixin Duan. MiniCAT: Understanding and Detecting Cross-Page Request Forgery Vulnerabilities in Mini-Programs. The 31st ACM Conference on Computer and Communications Security, Salt Lake City, UT, USA. October 14-18, 2024. [Top] [Core A*, CCF A] [PDF] [Code] [CNVD-2024-05527, CNVD-2023-75836, CNVD-2023-75837]
[SaTS’24] Zidong Zhang, Jianqi Du, Wenrui Diao (✉️), and Jianliang Wu (✉️). MiniBLE: Exploring Insecure BLE API Usages in Mini-Programs. The 2nd ACM Workshop on Secure and Trustworthy Superapps, Salt Lake City, UT, USA. October 14, 2024.
[RAID’24] Jianing Wang, Shanqing Guo, Wenrui Diao, Yue Liu, Haixin Duan, Yichen Liu, and Zhenkai Liang. CrypTody: Cryptographic Misuse Analysis of IoT Firmware via Data-flow Reasoning. The 27th International Symposium on Research in Attacks, Intrusions and Defenses, Padua, Italy. September 30 - October 2, 2024. [Core A, CCF B]
[WWW’24] Xiaoyin Liu, Wenzhi Li, Qinsheng Hou, Shishuai Yang, Lingyun Ying (✉️), Wenrui Diao (✉️), Yanan Li, Shanqing Guo, and Haixin Duan. From Promises to Practice: Evaluating the Private Browsing Modes of Android Browser Apps. The 33rd ACM Web Conference, Singapore. May 13-17, 2024. [Top] [Core A*, CCF A] [PDF]
[ICSE’24] Pengcheng Ren, Chaoshun Zuo, Xiaofeng Liu, Wenrui Diao, Qingchuan Zhao, and Shanqing Guo. DEMISTIFY: Identifying On-device Machine Learning Models Stealing and Reuse Vulnerabilities in Mobile Apps. The 46th IEEE/ACM International Conference on Software Engineering, Lisbon, Portugal. April 14-20, 2024. [Top] [Core A*, CCF A] [PDF]
[SANER’24] Shuang Li, Rui Li, Yifan Yu, Kailun Yan, Shishuai Yang, and Wenrui Diao (✉️). Understanding Android OS Forward Compatibility Support for Legacy Apps: A Data-Driven Analysis. The 31st IEEE International Conference on Software Analysis, Evolution, and Reengineering, Rovaniemi, Finland. March 12-15, 2024. [Core A, CCF B] [PDF]
[MSN’23] Jianqi Du, Zidong Zhang, Fenghao Xu (✉️), and Wenrui Diao (✉️). Living in the Past: Analyzing BLE IoT Devices Based on Mobile Companion Apps in Old Versions. The 19th International Conference on Mobility, Sensing and Networking, Nanjing, China. December 14-16, 2023. [CCF C]
[APSEC’23] Shishuai Yang, Qinsheng Hou (✉️), Shuang Li, and Wenrui Diao (✉️). Do App Developers Follow the Android Official Data Security Guidelines? The 30th Asia-Pacific Software Engineering Conference, Seoul, Korea. December 4-7, 2023. [Core C, CCF C]
[USENIX-SEC’23] Rui Li, Wenrui Diao (✉️), Shishuai Yang, Xiangyu Liu, Shanqing Guo, and Kehuan Zhang. Lost in Conversion: Exploit Data Structure Conversion with Attribute Loss to Break Android Systems. The 32nd USENIX Security Symposium, Anaheim, CA, USA. August 9-11, 2023. [Top] [Core A*, CCF A] [PDF] [Demo] [CVE-2021-39695, CVE-2022-20392, CVE-2023-20971]
[IEEE TSE] Qinsheng Hou, Wenrui Diao, Yanhao Wang, Chenglin Mao, Lingyun Ying, Song Liu, Xiaofeng Liu, Yuanzhi Li, Shanqing Guo, Meining Nie, and Haixin Duan. Can We Trust the Phone Vendors? Comprehensive Security Measurements on the Android Firmware Ecosystem. IEEE Transactions on Software Engineering, 49(7): 3901-3921, 2023. [Q1, CCF A] [Link] [Code]
[WWW’23] Kailun Yan, Jilian Zhang, Xiangyu Liu, Wenrui Diao (✉️), and Shanqing Guo. Bad Apples: Understanding the Centralized Security Risks in Decentralized Ecosystems. The 32nd ACM Web Conference, Austin, Texas, USA. April 30 - May 4, 2023. [Top] [Core A*, CCF A] [PDF] [Code] [Media Coverage: 山大视点]
[QRS’22] Guangwei Tian, Jiongyi Chen (✉️), Kailun Yan, Shishuai Yang, and Wenrui Diao (✉️). Cast Away: On the Security of DLNA Deployments in the SmartTV Ecosystem. The 22nd IEEE International Conference on Software Quality, Reliability, and Security, Guangzhou, China. December 5-9, 2022. [Core C, CCF C] [PDF] [CNVD-2022-54667, CNVD-2022-34589]
[SECON’22] Jianqi Du, Fenghao Xu (✉️), Chennan Zhang, Zidong Zhang, Xiaoyin Liu, Pengcheng Ren, Wenrui Diao (✉️), Shanqing Guo, and Kehuan Zhang. Identifying the BLE Misconfigurations of IoT Devices through Companion Mobile Apps. The 19th Annual IEEE International Conference on Sensing, Communication, and Networking, Virtual Conference. September 20-23, 2022. [Core B, CCF B] [PDF]
[WiSec’22] Chennan Zhang, Shuang Li, Wenrui Diao (✉️), and Shanqing Guo. PITracker: Detecting Android PendingIntent Vulnerabilities through Intent Flow Analysis. The 15th ACM Conference on Security and Privacy in Wireless and Mobile Networks, San Antonio, Texas, USA. May 16-19, 2022. [Core B, CCF C] [PDF] [Code] [CNVD-2021-102096, CNVD-2021-100644]
[ICSE’22] Xing Zhang, Jiongyi Chen, Chao Feng, Ruilin Li, Wenrui Diao, Kehuan Zhang, Jing Lei, and Chaojing Tang. DeFault: Mutual Information-based Crash Triage for Massive Crashes. The 44th IEEE/ACM International Conference on Software Engineering, Pittsburgh, PA, USA. May 21-29, 2022. [Top] [Core A*, CCF A] [PDF]
[ICSE’22] Qinsheng Hou, Wenrui Diao, Yanhao Wang, Xiaofeng Liu, Song Liu, Lingyun Ying, Shanqing Guo, Yuanzhi Li, Meining Nie, and Haixin Duan. Large-scale Security Measurements on the Android Firmware Ecosystem. The 44th IEEE/ACM International Conference on Software Engineering, Pittsburgh, PA, USA. May 21-29, 2022. [Top] [Core A*, CCF A] [PDF] [Code]
[ICSE’22] Shishuai Yang, Rui Li, Jiongyi Chen, Wenrui Diao (✉️), and Shanqing Guo. Demystifying Android Non-SDK APIs: Measurement and Understanding. The 44th IEEE/ACM International Conference on Software Engineering, Pittsburgh, PA, USA. May 21-29, 2022. [Top] [Core A*, CCF A] [PDF]
[IEEE TSE] Rui Li, Wenrui Diao (✉️), Zhou Li, Shishuai Yang, Shuang Li, and Shanqing Guo. Android Custom Permissions Demystified: A Comprehensive Security Evaluation. IEEE Transactions on Software Engineering, 48(11): 4465-4484, 2022. [Q1, CCF A] [PDF] [Code]
[ICPADS’21] Jin Zhang, Chennan Zhang, Xiangyu Liu, Yuncheng Wang, Wenrui Diao (✉️), and Shanqing Guo. ShadowDroid: Practical Black-box Attack against ML-based Android Malware Detection. The 27th IEEE International Conference on Parallel and Distributed Systems, Beijing, China. December 14-16, 2021. [Core B, CCF C] [PDF]
[CCS’21] Fenghao Xu, Siyu Shen, Wenrui Diao, Zhou Li, Yi Chen, Rui Li, and Kehuan Zhang. Android on PC: On the Security of End-user Android Emulators. The 28th ACM Conference on Computer and Communications Security, Seoul, South Korea. November 15-19, 2021. [Top] [Core A*, CCF A] [PDF] [Demo]
[IEEE S&P’21] Rui Li, Wenrui Diao (✉️), Zhou Li, Jianqi Du, and Shanqing Guo. Android Custom Permissions Demystified: From Privilege Escalation to Design Shortcomings. The 42nd IEEE Symposium on Security and Privacy, San Francisco, CA, USA. May 23-27, 2021. [Top] [Core A*, CCF A] [PDF] [Code] [Demo] [CVE-2020-0418, CVE-2021-0306, CVE-2021-0307, CVE-2021-0317]
[WiSec’20] Zicheng Zhang, Wenrui Diao (✉️), Chengyu Hu, Shanqing Guo (✉️), Chaoshun Zuo, and Li Li. An Empirical Study of Potentially Malicious Third-Party Libraries in Android Apps. The 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Linz, Austria. July 8-10, 2020. [Core B, CCF C] [PDF]
[RAID’19] Wenrui Diao, Yue Zhang, Li Zhang, Zhou Li, Fenghao Xu, Xiaorui Pan, Xiangyu Liu, Jian Weng, Kehuan Zhang, and XiaoFeng Wang. Kindness is a Risky Business: On the Usage of the Accessibility APIs in Android. The 22nd International Symposium on Research in Attacks, Intrusions and Defenses, Beijing, China. September 23-25, 2019. [Core A, CCF B] [PDF] [Demo]
[RAID’19] Li Zhang, Jiongyi Chen, Wenrui Diao (✉️), Shanqing Guo, Jian Weng, and Kehuan Zhang. CryptoREX: Large-scale Analysis of Cryptographic Misuse in IoT Devices. The 22nd International Symposium on Research in Attacks, Intrusions and Defenses, Beijing, China. September 23-25, 2019. [Core A, CCF B] [PDF] [Code]
[DSN’19] Jiongyi Chen, Chaoshun Zuo, Wenrui Diao, Shuaike Dong, Qingchuan Zhao, Menghan Sun, Zhiqiang Lin, Yinqian Zhang, and Kehuan Zhang. Your IoTs Are (Not) Mine: On the Remote Binding Between IoT Devices and Users. The 49th IEEE/IFIP International Conference on Dependable Systems and Networks, Portland, OR, USA. June 24-27, 2019. [Core A, CCF B] [PDF]
[NDSS’19] Fenghao Xu, Wenrui Diao, Zhou Li, Jiongyi Chen, and Kehuan Zhang. BadBluetooth: Breaking Android Security Mechanisms via Malicious Bluetooth Peripherals. The 26th Annual Network and Distributed System Security Symposium, San Diego, CA, USA. February 24-27, 2019. [Top] [Core A*, CCF A] [PDF] [Demo] [CVE-2019-2225]
[ICSME’18] Chao Chen, Wenrui Diao (✉️), Yingpei Zeng, Shanqing Guo (✉️), and Chengyu Hu. DRLgencert: Deep Learning-based Automated Testing of Certificate Verification in SSL/TLS Implementations. The 34th IEEE International Conference on Software Maintenance and Evolution, Madrid, Spain. September 23-29, 2018. [Core A, CCF B] [PDF]
[SecureComm’18] Shuaike Dong, Menghao Li, Wenrui Diao, Xiangyu Liu, Jian Liu, Zhou Li, Fenghao Xu, Kai Chen, XiaoFeng Wang, and Kehuan Zhang. Understanding Android Obfuscation Techniques: A Large-Scale Investigation in the Wild. The 14th EAI International Conference on Security and Privacy in Communication Networks, Singapore. August 8-10, 2018. [Core C, CCF C] [PDF]
[JCS] Wenrui Diao (✉️), Rui Liu, Xiangyu Liu, Zhe Zhou, Zhou Li, and Kehuan Zhang. Accessing Mobile User’s Privacy Based on IME Personalization: Understanding and Practical Attacks. Journal of Computer Security. vol. 26, no. 3, pp. 283-309, 2018. [Q3, CCF B] [Link]
[DSN’18] Jia Chen, Ge Han, Shanqing Guo, and Wenrui Diao. FragDroid: Automated User Interface Interaction with Activity and Fragment Analysis in Android Applications. The 48th IEEE/IFIP International Conference on Dependable Systems and Networks, Luxembourg City, Luxembourg. June 23-28, 2018. [Core A, CCF B] [PDF]
[NDSS’18] Jiongyi Chen, Wenrui Diao, Qingchuan Zhao, Chaoshun Zuo, Zhiqiang Lin, XiaoFeng Wang, Wing Cheong Lau, Menghan Sun, Ronghai Yang, and Kehuan Zhang. IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing. The 25th Annual Network and Distributed System Security Symposium, San Diego, CA, USA. February 18-21, 2018. [Top] [Core A*, CCF A] [PDF]
[PETS’17] Zhe Zhou, Wenrui Diao, Xiangyu Liu, Zhou Li, Kehuan Zhang, and Rui Liu. Vulnerable GPU Memory Management: Towards Recovering Raw Data from GPU. The 17th Privacy Enhancing Technologies Symposium, Minneapolis, MN, USA. July 19-22, 2017. [Core A, CCF C]
[Preprint] Nan Zhang, Soteris Demetriou, Xianghang Mi, Wenrui Diao, Kan Yuan, Peiyuan Zong, Feng Qian, XiaoFeng Wang, Kai Chen, Yuan Tian, Carl A. Gunter, Kehuan Zhang, Patrick Tague, and Yue-Hsun Lin. Understanding IoT Security Through the Data Crystal Ball: Where We Are Now and Where We Are Going to Be. arXiv Preprint, CoRR abs/1703.09809, 2017. [PDF]
[WiSec’16] Wenrui Diao, Xiangyu Liu, Zhou Li, and Kehuan Zhang. Evading Android Runtime Analysis Through Detecting Programmed Interactions. The 9th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Darmstadt, Germany. July 18-20, 2016. [Core B, CCF C] [PDF]
[IEEE S&P’16] Wenrui Diao, Xiangyu Liu, Zhou Li, and Kehuan Zhang. No Pardon for the Interruption: New Inference Attacks on Android Through Interrupt Timing Analysis. The 37th IEEE Symposium on Security and Privacy, San Jose, CA, USA. May 23-25, 2016. [Top] [Core A*, CCF A] [PDF]
[CCS’15] Xiangyu Liu, Zhe Zhou, Wenrui Diao, Zhou Li, and Kehuan Zhang. When Good Becomes Evil: Keystroke Inference with Smartwatch. The 22nd ACM Conference on Computer and Communications Security, Denver, CO, USA. October 12-16, 2015. [Top] [Core A*, CCF A] [PDF]
[ESORICS’15] Wenrui Diao, Xiangyu Liu, Zhe Zhou, Kehuan Zhang, and Zhou Li. Mind-Reading: Privacy Attacks Exploiting Cross-App KeyEvent Injections. The 20th European Symposium on Research in Computer Security, Vienna, Austria. September 21-25, 2015. [Core A, CCF B] [PDF] [Demo]
[IFIP SEC’15] Xiangyu Liu, Zhe Zhou, Wenrui Diao, Zhou Li, and Kehuan Zhang. An Empirical Study on Android for Saving Non-shared Data on Public Storage. The 30th IFIP International Information Security and Privacy Conference, Hamburg, Germany. May 26-28, 2015. [Core B, CCF C]
[SPSM’14] Wenrui Diao, Xiangyu Liu, Zhe Zhou, and Kehuan Zhang. Your Voice Assistant is Mine: How to Abuse Speakers to Steal Information and Control Your Phone. The 4th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices, Scottsdale, AZ, USA. November 7, 2014. [PDF] [Demo] [Media Coverage: IBTimes, Help Net Security, Tom's Guide, The Register, Ta Kung Pao (大公報), Ming Pao (明報), Oriental Daily (東方日報)]
[CCS’14] Zhe Zhou, Wenrui Diao, Xiangyu Liu, and Kehuan Zhang. Acoustic Fingerprinting Revisited: Generate Stable Device ID Stealthily with Inaudible Sound. The 21st ACM Conference on Computer and Communications Security, Scottsdale, AZ, USA. November 3-7, 2014. [Top] [Core A*, CCF A] [PDF]