Qinsheng Hou (侯勤胜)

About me

I am an Assistant Researcher at Shanghai Jiao Tong University. I received my Ph.D. degree from Shandong University, advised by Prof. Shanqing Guo and Prof. Haixin Duan. I ever worked/interned at Alibaba Group, QI-ANXIN Technology Research Institute, JD.com and ISCAS. My research interests are primarily in AI for Security, Mobile Security, Software Supply Chain Security, and IoT Security.

Publications

2025

1. [USENIX Security’25] Xiaofeng Liu, Chaoshun Zuo, Qinsheng Hou, Pengcheng Ren, Jianliang Wu, Qingchuan Zhao, Shanqing Guo. A Thorough Security Analysis of BLE Proximity Tracking Protocols. The 34th USENIX Security Symposium, Seattle, WA, USA. August 13–15, 2025. [Top] [Core A*, CCF A]
2. [EMSE] Shishuai Yang, Qinsheng Hou, Shuang Li, Fenghao Xu, and Wenrui Diao. From Guidelines to Practice: Assessing Android App Developer Compliance with Google’s Security Recommendations. Empirical Software Engineering, 30 (11): 1-33, 2025. [Q1, CCF B] [Link]

2024

1. [TrustCom’24] Yifan Yu, Ruoyan Lin, Shuang Li, Qinsheng Hou, and Wenrui Diao. Security Assessment of Customizations in Android Smartwatch Firmware. The 23rd IEEE International Conference on Trust, Security and Privacy in Computing and Communications, Sanya, China. December 17-21, 2024. [Core B, CCF C]
2. [ASE’24] Zifan Xie, Ming Wen, Tinghan Li, Yiding Zhu, Qinsheng Hou, and Hai Jin. How Does Code Optimization Impact Third-party Library Detection for Android Applications. The 39th IEEE/ACM International Conference on Automated Software Engineering, Sacramento, California, USA. October 27-November 1, 2024. [Top] [Core A*, CCF A] [PDF] [Code] [ACM SIGSOFT Distinguished Paper Awards]
3. [CCS’24] Zidong Zhang, Qinsheng Hou, Lingyun Ying, Wenrui Diao, Yacong Gu, Rui Li, Shanqing Guo, and Haixin Duan. MiniCAT: Understanding and Detecting Cross-Page Request Forgery Vulnerabilities in Mini-Programs. The 31st ACM Conference on Computer and Communications Security, Salt Lake City, UT, USA. October 14-18, 2024. [Top] [Core A*, CCF A] [PDF] [Code] [Demo] [QAX]
4. [WWW’24] Xiaoyin Liu, Wenzhi Li, Qinsheng Hou, Shishuai Yang, Lingyun Ying, Wenrui Diao, Yanan Li, Shanqing Guo, and Haixin Duan. From Promises to Practice: Evaluating the Private Browsing Modes of Android Browser Apps. The 33rd ACM Web Conference, Singapore. May 13-17, 2024. [Top] [Core A*, CCF A] [PDF] [QAX]

2023

1. [APSEC’23] Shishuai Yang, Qinsheng Hou (✉️), Shuang Li, and Wenrui Diao (✉️). Do App Developers Follow the Android Official Security Guidelines? The 30th Asia-Pacific Software Engineering Conference, Seoul, Korea. December 4-7, 2023. [Core C, CCF C] [Conference]
2. [IEEE TDSC] Libo Chen, Yanhao Wang, Jiaqi Linghu, Qinsheng Hou, Quanpu Cai, Shanqing Guo, and Zhi Xue. SaTC: Shared-Keyword Aware Taint Checking for Detecting Bugs in Embedded Systems. IEEE Transactions on Dependable and Secure Computing, Early Access, 2023. [Q1, CCF A] [Journal]
3. [IEEE TSE] Qinsheng Hou, Wenrui Diao, Yanhao Wang, Chenglin Mao, Lingyun Ying, Song Liu, Xiaofeng Liu, Yuanzhi Li, Shanqing Guo, Meining Nie, and Haixin Duan. Can We Trust the Phone Vendors? Comprehensive Security Measurements on the Android Firmware Ecosystem. IEEE Transactions on Software Engineering, 49(7): 3901-3921, 2023. [Q1, CCF A] [Journal]

2022

1. [Euro S&P’22] Huikai Xu, Miao Yu, Yanhao Wang, Yue Liu, Qinsheng Hou, Zhenbang Ma, Haixin Duan, Jianwei Zhuge, and Baojun Liu. Trampoline Over the Air: Breaking in IoT Devices Through MQTT Brokers. The 7th IEEE European Symposium on Security and Privacy, Genoa, Italy. June 6-10, 2022. [CCF C] [PDF] [QAX] [Gossip]
2. [ICSE’22] Qinsheng Hou, Wenrui Diao, Yanhao Wang, Xiaofeng Liu, Song Liu, Lingyun Ying, Shanqing Guo, Yuanzhi Li, Meining Nie, and Haixin Duan. Large-scale Security Measurements on the Android Firmware Ecosystem. The 44th IEEE/ACM International Conference on Software Engineering, Pittsburgh, PA, USA. May 21-29, 2022. [Top] [Core A*, CCF A] [PDF] [Conference] [QAX] [Gossip]

2021

1. [USENIX Security’21] Libo Chen, Yanhao Wang, Quanpu Cai, Yunfan Zhan, Hong Hu, Jiaqi Linghu, Qinsheng Hou, Chao Zhang, Haixin Duan, and Zhi Xue. Sharing More and Checking Less: Leveraging Common Input Keywords to Detect Bugs in Embedded Systems. The 30th USENIX Security Symposium, Virtual. August 11-13, 2021. [Top] [Core A*, CCF A] [PDF] [Conference] [Gossip] [SJTU] [Code]

2020

1. [ASIA CCS’20] Qinsheng Hou, Yao Cheng, and Lingyun Ying. NativeX: Native Executioner Freezes Android. The 15th ACM Asia Conference on Computer and Communications Security, Taipei, Taiwan, October 5-9, 2020. [Core B, CCF C] [PDF] [Conference] [QAX] [Gossip]

Projects and Competitions

• DataCon 2024 大数据安全分析竞赛
  • 漏洞分析赛道：第4名
• DataCon 2023 大数据安全分析竞赛
  • 软件安全赛道：季军
• 天穹Android沙箱
  • Android 12 ARM, Android 9 x86, Android 7.1 x86, Android 4.1 ARM
  • 沙箱使用链接, 介绍文档
• DataCon 2022 大数据安全分析竞赛
  • 软件安全赛道: Android APP组成成分分析 (出题人)
• 天府杯 2021 国际网络安全大赛
  • 原创漏洞复现赛: 摄像头 & 汽车破解项目
• GeekPwn 2020 新基建安全大赛
  • 优胜奖: 植保无人机劫持项目 (最高单项奖金)

Talks

• 软件供应链生态安全实践
  • Apr 2023: DataCon特训夏令营 – 系统与软件安全专题
• Android固件生态的大规模安全测量
  • Aug 2021: 3rd International Workshop on Cyber Security and Data Privacy
  • Aug 2021: 2021 北京网络安全大会
• 基于Native Code的Android系统Dos攻击分析
  • May 2021: Nankai University, Tianjin, China
  • Apr 2021: Southeast University, Nanjing, China
  • Dec 2020: Shandong University, Qingdao, China
• NativeX: Native Executioner Freezes Android
  • Apr 2020: Tsinghua University, Beijing, China

Vulnerabilities and Acknowledgments

• Acknowledgments (厂商致谢)
  • Huawei, Lenovo, Vivo1, Vivo2, ZTE
• CVE (8)
  • 2023: CVE-2023-27163, CVE-2023-27161, CVE-2023-27159
  • 2021: CVE-2021-22486, CVE-2021-26281, CVE-2021-26279, CVE-2021-21742, CVE-2021-3720
• CNVD (52)
  • 2024: CNVD-2024-47653, CNVD-2024-47652, CNVD-2024-47651, CNVD-2024-47650, CNVD-2024-47649, CNVD-2024-47648, CNVD-2024-47647, CNVD-2024-45115, CNVD-2024-05527
  • 2023: CNVD-2023-75837, CNVD-2023-75836, CNVD-2023-60618, CNVD-2023-59491, CNVD-2023-59021, CNVD-2023-52831, CNVD-2023-52830, CNVD-2023-37621, CNVD-2023-30405, CNVD-2023-27536, CNVD-2023-27535, CNVD-2023-27534
  • 2021: CNVD-2021-67925, CNVD-2021-50158, CNVD-2021-42966, CNVD-2021-42949, CNVD-2021-44383, CNVD-2021-44382, CNVD-2021-48937, CNVD-2021-50157, CNVD-2021-42965, CNVD-2021-42964, CNVD-2021-42963, CNVD-2021-46708, CNVD-2021-48955, CNVD-2021-40258, CNVD-2021-37375, CNVD-2021-41512, CNVD-2021-40261, CNVD-2021-40262, CNVD-2021-37377, CNVD-2021-44691, CNVD-2021-40254, CNVD-2021-40255, CNVD-2021-40721, CNVD-2021-40259, CNVD-2021-41513, CNVD-2021-40256, CNVD-2021-40257, CNVD-2021-67925
  • 2020: CNVD-2020-33098, CNVD-2020-38456, CNVD-2020-28792
• SVE (5)
  • 2022: SVE-2022-1176, SVE-2022-1177, SVE-2022-1178, SVE-2022-1179, SVE-2022-1180

Patents

• 侯勤胜, 应凌云, 聂眉宁. 一种对应用程序进行测试的方法及装置, 发明专利, 2023, 专利号: ZL201910489985.1
• 侯勤胜, 应凌云, 聂眉宁. 一种阻止基于原生代码攻击操作系统的方法及装置, 发明专利, 2021, 专利号: ZL201910489983.2

Services

• Reviewer

  • SecureComm 2023

• External Reviewer

  • ISSRE 2022
  • ESORICS 2020