Dr. Xiaohan Zhang

I am a Pre-tenure Associate Professor at Fudan University, where I obtained my B.Eng and Ph.D under the supervision of Prof. Min Yang. I currently work at the System Software & Secure Lab.

My research mainly focuses on cybersecurity, including mobile application security, malware detection and applied AI security.

I received a Distinguished Paper Award Nomination at ACM CCS 2020 (4/121) and a Distinguished Paper Award at USENIX Security 2022.

I have found hundreds of high-risk vulnerabilities, and one was awarded the 2021 Most Valuable Vulnerability by the Chinese National Vulnerability Database (CNVD).

I'm currently looking for students who are interested in cybersecurity. Please contact me through:
    Email: xh_zhang [AT] fudan.edu.cn
    Office: Room D6007, NO.2 Interdisciplinary Building, NO.2005 Songhu Road, Yangpu District, Shanghai


News

  • [Aug, 2024] Two papers accepted to NDSS 2025. Congrats to Xin Zhang and Yizhe Shi!
  • [Jun, 2024] All three master students (2021) have successfully graduated! Congratulations! See where they go.
  • [May, 2023] A white paper on AI security standards, where I am one of the drafters, was published!
  • [Apr, 2023] Our paper on face verification security, named XFVSChecker, was accepted by IEEE S&P 2023!
  • [Mar, 2023] Yang Wang received offers from CMU and GT. Congrats to her!
  • [Jan, 2023] All four master students (2020) have successfully graduated! Congratulations! See where they go.
  • [Dec, 2022] Our team won 1st prize in China Graduate Network Security Innovation Competition. Congrats to Ziqi Huang, Liang Niu, Zhichen Liu, Haoqi Ye! I received the Excellent Advising Teacher Award.

Background

  • 2023~Present, Fudan University, Pre-tenure Associate Professor
  • 2020~2022, Fudan University, School of Computer Science, PostDoc
  • 2014~2020, Fudan University, School of Computer Science, Ph.D
  • 2010~2014, Fudan University, Software School, B.Eng

Publications

  1. An Empirical Study on Fingerprint API Misuse with Lifecycle Analysis in Real-world Android Apps.
    Xin Zhang, Xiaohan Zhang, Zhichen Liu, Bo Zhao, Zhemin Yang, Min Yang.
    In Proceedings of Network and Distributed System Security Symposium (NDSS), San Diego, 2025. [NDSS 2025], 184 CVE and 19 CNVD IDs [Paper to appear]
  2. The Skeleton Keys: A Large Scale Analysis of Credential Leakage in Mini-apps.
    Yizhe Shi, Zhemin Yang, Kangwei Zhong, Guangliang Yang, Yifan Yang, Xiaohan Zhang, Min Yang.
    In Proceedings of Network and Distributed System Security Symposium (NDSS), San Diego, 2025. [NDSS 2025], 89 CVE IDs [Paper to appear]
  3. Understanding the (In)Security of Cross-side Face Verification Systems in Mobile Apps: A System Perspective.
    Xiaohan Zhang, Haoqi Ye, Ziqi Huang, Xiao Ye, Yinzhi Cao, Yuan Zhang, Min Yang.
    In Proceedings of the 44th IEEE Symposium on Security and Privacy (S&P), San Francisco, CA, May 22-26, 2023. [S&P 2023], 2021 Most Valuable Vulnerability of CNVD [Paper] [Website] [A National Standard] [A White Paper on AI Security Standards] [Thanks Letters]
  4. Slowing Down the Aging of Learning-based Malware Detectors with API Knowledge.
    Xiaohan Zhang, Mi Zhang, Yuan Zhang, Ming Zhong, Xin Zhang, Yinzhi Cao, Min Yang.
    In Transactions on Dependable and Secure Computing, [TDSC 2022] [Paper]
  5. Collect Responsibly but Deliver Arbitrarily? A Study on Cross-User Privacy Leakage in Mobile Apps.
    Shuai Li, Zhemin Yang, Nan Hua, Peng Liu, Xiaohan Zhang, Guangliang Yang, Min Yang.
    In Proceedings of the 29th ACM Conference on Computer and Communications Security, [CCS 2022]
  6. Identity Confusion in WebView-based Mobile App-in-app Ecosystems.
    Lei Zhang, Zhibo Zhang, Ancong Liu, Yinzhi Cao, Xiaohan Zhang, Yanjun Chen, Yuan Zhang, Guangliang Yang, Min Yang.
    In Proceedings of the 31st USENIX Security Symposium (USENIX Security), Boston, MA, USA, August 10-12, 2022. [Security 2022], Distinguished Paper Award [Paper]
  7. Enhancing State-of-the-art Classifiers with API Semantics to Detect Evolved Android Malware.
    Xiaohan Zhang, Yuan Zhang, Ming Zhong, Daizong Ding, Yinzhi Cao, Yukun Zhang, Mi Zhang, Min Yang.
    In Proceedings of the 27th ACM Conference on Computer and Communications Security, Orlando, USA, November 9-13, 2020, [CCS 2020], Distinguished Paper Award Nomination (4/121) [Paper] [Website] [AR: 16.9%=121/715]
  8. PDiff: Semantic-based Patch Presence Testing for Downstream Kernels.
    Zheyue Jiang, Yuan Zhang, Jun Xu, Qi Wen, Zhenghe Wang, Xiaohan Zhang, Xinyu Xing, Min Yang, Zhemin Yang.
    In Proceedings of the 27th ACM Conference on Computer and Communications Security, Orlando, USA, November 9-13, 2020, [CCS 2020] [Paper]
  9. BScout: Direct Whole Patch Presence Test for Java Executables.
    Jiarun Dai, Yuan Zhang, Zheyue Jiang, Yingtian Zhou, Junyan Chen, Xinyu Xing, Xiaohan Zhang, Xin Tan, Min Yang, Zhemin Yang.
    In Proceedings of the 29th USENIX Security Symposium, Boston, MA, USA, August 12-14, 2020. [Security 2020] [Paper]
  10. How Android Developers Handle Evolution-induced API Compatibility Issues: A Large-scale Study.
    Hao Xia, Yuan Zhang, Yingtian Zhou, Xiaoting Chen, Yang Wang, Xiangyu Zhang, Shuaishuai Cui, Gen Hong, Xiaohan Zhang, Min Yang, Zhemin Yang.
    In Proceedings of the 42nd International Conference on Software Engineering, Seoul, South Korea, May 23-29, 2020. [ICSE 2020] [Paper]
  11. An Empirical Study of Web Resource Manipulation in Real-world Mobile Applications.
    Xiaohan Zhang, Yuan Zhang, Qianqian Mo, Hao Xia, Zhemin Yang, Min Yang, Xiaofeng Wang, Long Lu, Haixin Duan.
    In Proceedings of the 27th USENIX Security Symposium, Baltimore, USA, August 15-17, 2018. [Security 2018] [Paper] [Dataset] [AR: 16.2%=113/697]
  12. Detecting Third-Party Libraries in Android Applications with High Precision and Recall.
    Yuan Zhang, Jiarun Dai, Xiaohan Zhang, Sirong Huang, Zhemin Yang, Min Yang, Hao Chen.
    In Proceedings of IEEE International Conference on Software Analysis, Evolution and Reengineering, SANER’18, Campobasso, Italy, March 20-23, 2018. [Paper] [Source Code]

Pre-print & Others

  1. Understanding Privacy Over-collection in WeChat Sub-app Ecosystem, 2023 [arXiv]
  2. MiniBot: A Lightweight Dynamic Test Input Generation Framework for Mini-Apps [in Chinese], 2024, Journal of Chinese Computer Systems.

Awards

  • Excellent Instructor of "Huawei Cup" The 1st China Postgraduate Network Security Innovation Competition
  • USENIX Security 2022 Distinguished Paper Award
  • Chinese National Vulnerability Database (CNVD) 2021 Most Valuable Vulnerability
  • CCF 2021 Natural Science Award Second Prize
  • SCS 2021 Natural Science Award First Prize
  • Huawei 2020 Outstanding Technical Achievement Award
  • ACM CCS 2020 Distinguished Paper Nomination

Services

  • Conference (including sub-reviewer)
    • CCS 2018, 2019; EuroS&P 2021; AsiaCCS 2021; CODASPY 2021; SecureComm 2020, 2023
  • Journal (including sub-reviewer)
    • TOPS 2024; JCST 2023; TDSC 2020; TMC 2021; COSE 2019, 2020, 2021; JCRD 2021

Teaching

  • Foundations of Deep Learning, 24'fall
  • System Security, 24'fall
  • Advanced Attack and Defense Techniques, 24'Spring
  • Principles of Reverse Engineering, 2018, TA

Students

  • Current
    • 2024: Huijun Zhou, Xihua Shen, Yutao Shi, Yujia Ma, Yi Xu, Yuanhao Li
    • 2023: Hui Ouyang (PhD Student), Xike Hu (PhD Student), Hangyun Tang (PhD Student), Shuhao Cai, Jianzhou Chen, Bo Zhao, Yuhan Gu
    • 2022: Xin Zhang (PhD Student) [NDSS'25], Zhichen Liu, Xinyu Cong, Liang Niu
  • 2021
  • 2020
  • 2019
    • Ming Zhong [CCS'20], Ant Group
    • Ruiqi Deng, Meituan
  • 2018 Co-advised
    • Rui He, Tencent

