Progressive Web Applications (PWAs) are web apps that blur the lines of differences with native apps thanks to advanced web technologies at their core. On the one hand, service workers (SWs) bring offline experience to users, background syncing, out-of-bound web push notifications, and turn web apps into client-side proxies that can intercept HTTP requests, and generate responses to fulfill them. On the other hand, web application manifests provide the metadata that makes PWAs installable on the user’s device, just like any other native app. In this work, we provide the first privacy assessment of the design and implementation of web manifests, demonstrating that they can be leveraged by adversaries to persist unique identifiers which can be reused to identify and track users. To make matters worse, these identifiers can outlive privacy and tracking protection mechanisms like clearing all browsing data, unregistering SWs, etc. making them similar to supercookies, the most invasive type of persistent identifiers. From an empirical study of 37.6M websites in the wild, we report that the adoption of PWAs is prevalent on the Web, suggesting potential harm to user’s privacy. We reported our findings to browser vendors, discussing countermeasures that amount to implementing in the browser additional options for users to uninstall PWAs when they clear their browsing data. With this work, we also raise awareness of the persistence-by-design nature of mechanisms like web app manifests and think that they should be held to the same privacy standards as other client-side storage like the infamous cookies that are under extensive scrutiny by regulations like the GDPR.
GI International Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA)
2024-07-09
2024-08-13