DOI: 10.1145/3243734.3243867
Research article (CCS conference proceedings)

Pride and Prejudice in Progressive Web Apps: Abusing Native App-like Features in Web Applications

Published: 15 October 2018

Abstract

A Progressive Web App (PWA) is a new generation of Web application designed to provide a native app-like browsing experience even when the browser is offline. PWAs make full use of new HTML5 features, including push notifications, the cache, and service workers, to provide low-latency and rich Web browsing experiences. We conduct the first systematic study of the security and privacy aspects unique to PWAs. We identify security flaws in major browsers, as well as design flaws in popular third-party push services, that exacerbate the risk of phishing. We introduce a new side-channel attack that infers the victim's history of visited PWAs; the attack exploits the offline browsing feature of PWAs, which relies on a cache. We demonstrate a cryptocurrency mining attack that abuses service workers. Based on this in-depth understanding, we suggest defenses and recommendations to mitigate the identified security and privacy risks.



Published In

CCS '18: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security
October 2018
2359 pages
ISBN: 9781450356930
DOI: 10.1145/3243734

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. cryptocurrency mining
2. history sniffing
3. phishing
4. progressive web application
5. web push

Qualifiers

• Research-article

Conference

CCS '18

Acceptance Rates

CCS '18 Paper Acceptance Rate: 134 of 809 submissions, 17%
Overall Acceptance Rate: 1,261 of 6,999 submissions, 18%

Article Metrics

• Downloads (last 12 months): 140
• Downloads (last 6 weeks): 23
Reflects downloads up to 12 Nov 2024

Cited By

• (2024) Understanding the Breakdown of Same-origin Policies in Web Services That Rehost Websites. Journal of Information Processing 32, 801-816. DOI: 10.2197/ipsjjip.32.801. Online publication date: 2024.
• (2024) Design of a mobile app for crisis guidance. Procedia Computer Science 238, 208-215. DOI: 10.1016/j.procs.2024.06.017. Online publication date: 2024.
• (2023) FGPE+: The Mobile FGPE Environment and the Pareto-Optimized Gamified Programming Exercise Selection Model—An Empirical Evaluation. Computers 12(7), 144. DOI: 10.3390/computers12070144. Online publication date: 21 Jul 2023.
• (2023) When Push Comes to Shove: Empirical Analysis of Web Push Implementations in the Wild. Proceedings of the 39th Annual Computer Security Applications Conference, 44-55. DOI: 10.1145/3627106.3627186. Online publication date: 4 Dec 2023.
• (2023) Frappé: An Ultra Lightweight Mobile UI Framework for Rapid API-based Prototyping and Environmental Deployment. Proceedings of the ACM on Human-Computer Interaction 7(MHCI), 1-23. DOI: 10.1145/3604258. Online publication date: 13 Sep 2023.
• (2023) A Honey postMessage, but a Heart of Gall: Exploiting Push Service in Service Workers Via postMessage. Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security, 785-796. DOI: 10.1145/3579856.3590342. Online publication date: 10 Jul 2023.
• (2023) Energy-Saving Strategies for Mobile Web Apps and their Measurement: Results from a Decade of Research. 2023 IEEE/ACM 10th International Conference on Mobile Software Engineering and Systems (MOBILESoft), 75-86. DOI: 10.1109/MOBILSoft59058.2023.00017. Online publication date: May 2023.
• (2023) Progressive Web Applications, a New Way for Faster Testing of Mobile Application Products. 2023 3rd Asian Conference on Innovation in Technology (ASIANCON), 1-6. DOI: 10.1109/ASIANCON58793.2023.10269806. Online publication date: 25 Aug 2023.
• (2023) Towards progressive geospatial information processing on web systems: a case study for watershed analysis in Iowa. Earth Science Informatics. DOI: 10.1007/s12145-023-00993-x. Online publication date: 20 Mar 2023.
• (2023) Persistent MobileApp-in-the-Middle (MAitM) attack. Journal of Computer Virology and Hacking Techniques. DOI: 10.1007/s11416-023-00484-z. Online publication date: 30 Jun 2023.
