Dr. Xiaohan Zhang

Pre-tenure Associate Professor · Fudan University

I work at the System Software & Security Lab, Fudan University. My research focuses on cybersecurity, including mobile application security, malware detection, and applied AI security. I obtained my B.Eng and Ph.D. at Fudan University under the supervision of Prof. Min Yang.

I have published papers as (co-)first author at the "Big Four" security venues, and received the NDSS 2025 Distinguished Paper Award, the USENIX Security 2022 Distinguished Paper Award, the USENIX Security 2025 Honorable Mention Award, and a CCS 2020 Distinguished Paper Award Nomination. My work on face verification security won the CNVD 2021 Most Valuable Vulnerability from the Chinese National Vulnerability Database.

I am always looking for highly motivated undergraduate students interested in cybersecurity. Feel free to reach out at xh_zhang [AT] fudan.edu.cn.

News

Background

Publications

Xiaohan Zhang is highlighted in bold; ✉ denotes corresponding author; ★ marks co-first author.

2026

  1. Anchors of Trust: A Usability Study on User Awareness, Consent, and Control in Cross-Device Authentication.
    Xin Zhang, Xiaohan Zhang✉, Huijun Zhou, Bo Zhao.
    In Proceedings of the Network and Distributed System Security Symposium (NDSS 2026), San Diego.
  2. SEW: Strengthening Robustness of Black-box DNN Watermarking via Specificity Enhancement.
    Huming Qiu, Mi Zhang, Junjie Sun, Peiyi Chen, Xiaohan Zhang, Min Yang.
    The SIGKDD Conference on Knowledge Discovery and Data Mining (KDD 2026), Jeju, Korea.
  3. 3D-ANC: Adaptive Neural Collapse for Robust 3D Point Cloud Recognition.
    Yuanmin Huang, Wenxuan Li, Mi Zhang, Xiaohan Zhang, Xiaoyu You, Min Yang.
    The 40th AAAI Conference on Artificial Intelligence (AAAI 2026).

2025

  1. The Future Unmarked: Watermark Removal in AI-Generated Images via Next-Frame Prediction.
    Huming Qiu, Zhaoxiang Wang, Mi Zhang, Xiaohan Zhang, Xiaoyu You, Min Yang.
    The 39th Annual Conference on Neural Information Processing Systems (NeurIPS 2025).
  2. Demystifying the (In)Security of QR Code-based Login in Real-world Deployments.
    Xin Zhang, Xiaohan Zhang, Bo Zhao, Yuhong Nan, Zhichen Liu, Jianzhou Chen, Huijun Zhou, Min Yang.
    In Proceedings of the 34th USENIX Security Symposium (USENIX Security 2025), Seattle, WA, USA.
    USENIX Security 2025 Honorable Mention Award · 17 CNVD & 25 NVDB IDs · CAPPVD 2024 Outstanding Cases
  3. An Empirical Study on Fingerprint API Misuse with Lifecycle Analysis in Real-world Android Apps.
    Xin Zhang★, Xiaohan Zhang★, Zhichen Liu, Bo Zhao, Zhemin Yang, Min Yang.
    In Proceedings of the Network and Distributed System Security Symposium (NDSS 2025), San Diego.
    NDSS 2025 Distinguished Paper Award · 184 CVE & 19 CNVD IDs
  4. The Skeleton Keys: A Large Scale Analysis of Credential Leakage in Mini-apps.
    Yizhe Shi, Zhemin Yang, Kangwei Zhong, Guangliang Yang, Yifan Yang, Xiaohan Zhang, Min Yang.
    In Proceedings of the Network and Distributed System Security Symposium (NDSS 2025), San Diego.
    89 CVE IDs

2023

  1. Understanding the (In)Security of Cross-side Face Verification Systems in Mobile Apps: A System Perspective.
    Xiaohan Zhang, Haoqi Ye, Ziqi Huang, Xiao Ye, Yinzhi Cao, Yuan Zhang, Min Yang.
    In Proceedings of the 44th IEEE Symposium on Security and Privacy (S&P 2023), San Francisco, CA.
    CNVD 2021 Most Valuable Vulnerability

2022

  1. Slowing Down the Aging of Learning-based Malware Detectors with API Knowledge.
    Xiaohan Zhang, Mi Zhang, Yuan Zhang, Ming Zhong, Xin Zhang, Yinzhi Cao, Min Yang.
    IEEE Transactions on Dependable and Secure Computing (TDSC 2022).
  2. Collect Responsibly but Deliver Arbitrarily? A Study on Cross-User Privacy Leakage in Mobile Apps.
    Shuai Li, Zhemin Yang, Nan Hua, Peng Liu, Xiaohan Zhang, Guangliang Yang, Min Yang.
    In Proceedings of the 29th ACM Conference on Computer and Communications Security (CCS 2022).
  3. Identity Confusion in WebView-based Mobile App-in-app Ecosystems.
    Lei Zhang, Zhibo Zhang, Ancong Liu, Yinzhi Cao, Xiaohan Zhang, Yanjun Chen, Yuan Zhang, Guangliang Yang, Min Yang.
    In Proceedings of the 31st USENIX Security Symposium (USENIX Security 2022), Boston, MA.
    USENIX Security 2022 Distinguished Paper Award

2020

  1. Enhancing State-of-the-art Classifiers with API Semantics to Detect Evolved Android Malware.
    Xiaohan Zhang, Yuan Zhang, Ming Zhong, Daizong Ding, Yinzhi Cao, Yukun Zhang, Mi Zhang, Min Yang.
    In Proceedings of the 27th ACM Conference on Computer and Communications Security (CCS 2020), Orlando, USA.
    ACM CCS 2020 Distinguished Paper Award Nomination (4/121) · AR: 16.9% (121/715)
  2. PDiff: Semantic-based Patch Presence Testing for Downstream Kernels.
    Zheyue Jiang, Yuan Zhang, Jun Xu, Qi Wen, Zhenghe Wang, Xiaohan Zhang, Xinyu Xing, Min Yang, Zhemin Yang.
    In Proceedings of the 27th ACM Conference on Computer and Communications Security (CCS 2020), Orlando, USA.
  3. BScout: Direct Whole Patch Presence Test for Java Executables.
    Jiarun Dai, Yuan Zhang, Zheyue Jiang, Yingtian Zhou, Junyan Chen, Xinyu Xing, Xiaohan Zhang, Xin Tan, Min Yang, Zhemin Yang.
    In Proceedings of the 29th USENIX Security Symposium (USENIX Security 2020), Boston, MA.
  4. How Android Developers Handle Evolution-induced API Compatibility Issues: A Large-scale Study.
    Hao Xia, Yuan Zhang, Yingtian Zhou, Xiaoting Chen, Yang Wang, Xiangyu Zhang, Shuaishuai Cui, Gen Hong, Xiaohan Zhang, Min Yang, Zhemin Yang.
    In Proceedings of the 42nd International Conference on Software Engineering (ICSE 2020), Seoul, South Korea.

2018

  1. An Empirical Study of Web Resource Manipulation in Real-world Mobile Applications.
    Xiaohan Zhang, Yuan Zhang, Qianqian Mo, Hao Xia, Zhemin Yang, Min Yang, Xiaofeng Wang, Long Lu, Haixin Duan.
    In Proceedings of the 27th USENIX Security Symposium (USENIX Security 2018), Baltimore, USA.
    AR: 16.2% (113/697)
  2. Detecting Third-Party Libraries in Android Applications with High Precision and Recall.
    Yuan Zhang, Jiarun Dai, Xiaohan Zhang, Sirong Huang, Zhemin Yang, Min Yang, Hao Chen.
    In Proceedings of IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER 2018), Campobasso, Italy.

Pre-prints & Others

  1. Understanding Privacy Over-collection in WeChat Sub-app Ecosystem.
    2023.
  2. MiniBot: A Lightweight Dynamic Test Input Generation Framework for Mini-Apps [in Chinese].
    2024, Journal of Chinese Computer Systems.

Awards

Gold Award — App Security Track, Digital China Innovation Contest (DCIC 2025)
CAPPVD 2024 Outstanding Cases of Mobile App Vulnerability Management
NDSS 2025 Distinguished Paper Award
USENIX Security 2025 Honorable Mention Award
Excellent Instructor — "Huawei Cup" 1st China Postgraduate Network Security Innovation Competition
USENIX Security 2022 Distinguished Paper Award
CNVD 2021 Most Valuable Vulnerability
CCF 2021 Natural Science Award, Second Prize
SCS 2021 Natural Science Award, First Prize
Huawei 2020 Outstanding Technical Achievement Award
ACM CCS 2020 Distinguished Paper Award Nomination

Services

Conference Reviewer

CCS 2018, 2019 · EuroS&P 2021 · AsiaCCS 2021 · CODASPY 2021 · SecureComm 2020, 2023

Journal Reviewer

TOPS 2024 · JCST 2023 · TDSC 2020 · TMC 2021 · COSE 2019, 2020, 2021 · JCRD 2021

Teaching

Students

Current

  • 2026: Hongyuan Pan (PhD), Shaoyu Tang, Yanqi Sun
  • 2025: Xiangjing Zhang, Haozhe Zhang, Wenjie Yang
  • 2024: Huijun Zhou, Xihua Shen, Yutao Shi, Yujia Ma [Tencent Project & Internship]
  • 2022: Xin Zhang (PhD) · NDSS'25 · Security'25 · NDSS'26

2023 — Graduated

  • Jianzhou Chen → CUHK
  • Bo Zhao → Gov
  • Yuhan Gu → Xiaohongshu

2022 — Graduated

2021 — Graduated

2020 — Graduated

2019 — Graduated

  • Ming Zhong (CCS'20) → Ant Group
  • Ruiqi Deng → Meituan

2018 — Co-advised

  • Rui He → Tencent