Progressive web apps: the dark side that may be overlooked


The full text is 2755 words and the expected learning time is 7 minutes

Source: Google

Just as the apple that fell on Newton's head changed the way people understand gravity, progressive web apps are changing the way people understand applications by delivering an app-like experience through the web.

Progressive web apps are a technology first championed by Google. The term "progressive web app" (PWA) was coined in 2015 by Frances Berriman and Alex Russell.

It describes applications that take advantage of new features supported by modern browsers, such as service workers and web app manifests, which let ordinary web applications be upgraded into progressive web apps.

 

PWAs can also be connected to the Internet. Google says they have the following characteristics:

· Reliable: loads quickly and never shows the dinosaur (Chrome's offline page), even under uncertain network conditions.

· Fast: responds quickly to user interactions, with animations as smooth as silk and no stuttering.

· Engaging: feels like a native application on the device, with an immersive user experience.

 

You may have read about PWAs, and everyone seems to think they are the future. But chances are you have not realized that they also have a dark side that is rarely mentioned. There are many hidden dangers, but this article focuses on one of them: fingerprinting.

What is fingerprinting?

 

"No two people have the same fingerprints, not even identical twins." Fingerprints make each human unique and distinguishable from everyone else. In the same way, fingerprinting techniques can be applied to other entities to identify unique individuals; browser fingerprinting is one example.

Browser fingerprinting is the ability of a website to identify or re-identify visiting users, user agents, or devices through configuration settings or other observable attributes. Browser fingerprints can serve as a security measure, for example in user authentication. In other cases, fingerprinting can be used to:

 

· Identify users

· Track and correlate user browsing activities within and across sessions

· Collect information to draw inferences about users, etc.

 

What harm might it cause?

The biggest threat of fingerprinting is that it can compromise user privacy.

 

· User identification

Users may need to browse the Internet anonymously for various reasons, such as fear of surveillance or concern for their personal safety. A browser fingerprint can be linked to personally identifiable information, so applications or service providers can easily identify otherwise anonymous users.

 

· Unexpected correlation of browsing activities

Even when personal identification is not the goal, browsing activity can still be tracked. Web platforms can store personal data keyed by a browser fingerprint, so this scenario is entirely possible. It can lead to users being tracked without their authorization or consent. Actions such as clearing cookies will not prevent or reset associations that have already been established through a browser fingerprint.

 

· Inferences about users

Even when there is no need for it, users can be identified or classified based on only a few fingerprint-related features. Operating system version and device details can be used to infer a user's purchasing power, an inference that an anonymous user certainly does not want applied to them. Cases of this have already occurred because of device fingerprinting; for example, Mac users have been steered toward more expensive hotels.

 

How do PWAs assist fingerprinting?

PWAs require a manifest file: a JSON file whose keys describe various characteristics of the application. One of the manifest's members is start_url. This value specifies the preferred URL to load when the user launches the web application (for example, when the user taps the web app's icon in the device's application menu or on the home screen).

 

The W3C team notes that this mechanism carries a potential threat related to device or browser fingerprinting and to associating a user's activity with the browser. They consider that it effectively creates a new, cookie-like local mechanism.

start_url may be used to indicate that the application was launched from outside the browser (for example, "start_url": "index.html?launcher=homescreen"). This can be useful for analytics or other customization. However, a developer could equally encode into start_url a string that uniquely identifies the user (such as a server-assigned UUID). That is fingerprinting- and privacy-sensitive information of which the user may be entirely unaware.

 

Even at the time of writing, this issue is still under discussion, and no adequate solution has been proposed. As the W3C team's comment shows, it has even reached the point where the GitHub issue has simply been closed.

"We agree, and I have closed it while acknowledging this problem, but the problem is unsolvable because it is inherent to the URL. We let implementers know that this is a problem and provide the possibility of mitigating it through the UI."

 

Security researcher Lukasz Olejnik conducted a study of the top 10,000 web pages to check for the use of this manifest-based fingerprinting. His research found:

· 1672 pages included a manifest.json

· 828 used a dedicated start_url

· 274 used parameters in start_url

· No pages used randomly generated identifiers

 

He also pointed out that although he did see apparent unique identifiers (e.g. 51606102_9527_7259_7770), they did not seem to be generated randomly for each new user. His conclusion from this modest test is a cautious one: the tracking that is technically possible does not seem to be in use at the moment.
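As an added example, not taken from the original article or from Olejnik's study, the following Node.js script shows the kind of check a PWA maintainer or privacy reviewer can run over a manifest before publishing it: it resolves start_url the way a browser does and flags query parameters that look like per-user identifiers (UUIDs, long hex tokens, or digit groups in the form quoted above) as opposed to a static launch marker such as launcher=homescreen. The two manifests and the pwa.example URL are constructed for this example.

```javascript
// Added example (not from the original article): audit a web app manifest's
// start_url for per-user identifiers; manifests and URL below are constructed.
// Patterns for values that look like per-user identifiers rather than fixed
// launch markers: UUIDs, long hex tokens, and long digit groups such as the
// 51606102_9527_7259_7770 form mentioned in the article.
const ID_PATTERNS = [
  /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i, // UUID
  /^[0-9a-f]{16,}$/i,                                            // long hex
  /^\d{6,}([_-]\d{3,})*$/,                                       // digit groups
];

// Values that are plausibly static launch markers, identical for every user.
const KNOWN_MARKERS = new Set(['homescreen', 'pwa', 'standalone', 'installed']);

function looksLikeIdentifier(value) {
  return ID_PATTERNS.some((re) => re.test(value));
}

// Parse the manifest, resolve start_url against the manifest's own URL as a
// browser would, and classify every query parameter it carries.
function auditStartUrl(manifestText, manifestUrl) {
  const manifest = JSON.parse(manifestText);
  const startUrl = new URL(manifest.start_url || '.', manifestUrl);
  const findings = [];
  for (const [key, value] of startUrl.searchParams) {
    if (looksLikeIdentifier(value)) {
      findings.push({ key, value, kind: 'identifier-like' });
    } else if (!KNOWN_MARKERS.has(value.toLowerCase())) {
      findings.push({ key, value, kind: 'review' }); // unknown, check manually
    }
  }
  const tracking = findings.some((f) => f.kind === 'identifier-like');
  return { startUrl: startUrl.href, tracking, findings };
}

// Constructed sample manifests: a static launch marker vs. a server-assigned
// UUID of the kind the W3C discussion warns about (neither is a real site).
const CLEAN_MANIFEST = JSON.stringify({
  name: 'Example PWA',
  start_url: 'index.html?launcher=homescreen',
});
const TRACKING_MANIFEST = JSON.stringify({
  name: 'Example PWA',
  start_url: '/?uid=6f1c2d3e-8a9b-4c1d-9e2f-0a1b2c3d4e5f&launcher=homescreen',
});
const BASE = 'https://pwa.example/manifest.json';

console.log(auditStartUrl(CLEAN_MANIFEST, BASE));    // tracking: false
console.log(auditStartUrl(TRACKING_MANIFEST, BASE)); // tracking: true
```

A static marker such as launcher=homescreen identifies the launch context rather than the person, which is exactly the distinction the scan above is looking for.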

 

Although this brings temporary relief, since the tracking method has not yet been deployed in current PWAs, it is a time bomb: as we know, it could soon become a silent killer of user privacy.

How will Apple fight back?

 

Source: unsplash

Apple is known for its secure device ecosystem, which is largely due to rules and policies stricter than those of any other device manufacturer. Although this sacrifices some of the product's customizability, it increases the security of the system. Apple prefers to make decisions on behalf of users rather than leave them to decide for themselves.

Since PWAs try to behave like native applications, they need access to device hardware features such as Bluetooth, NFC, and magnetic field sensors. This has become possible through the introduction of Web APIs such as the Web Bluetooth API, the Web NFC API, and the Magnetometer API.

 

But Apple recently declined to implement 16 Web APIs in WebKit-based browsers such as Safari, citing the fact that they provide a means of fingerprinting and pose a threat to user privacy. These APIs have been implemented in Chromium, and some of them in Mozilla's engine.

Apple also claims that online advertisers and data analytics companies could manipulate these APIs to fingerprint users and their devices.

 

This situation causes trouble for PWAs and will become an obstacle for developers trying to build applications that use native features. WebKit's first line of defense against fingerprinting is not to implement web features that increase fingerprintability unless it can do so in a way that protects users.

Apple has also said that it will reconsider adding any of these new technologies to Safari if they "reduce fingerprinting capability in the future." But PWAs are a technology with great potential. The privacy issues discussed above should not keep users away from PWAs, which can provide a FIRE (fast, integrated, reliable, engaging) experience tailored to their preferences.

 



Compilation Team: Zhou Yudi, Zhu Yan

Related Links:

https://blog.bitsrc.io/the-darker-side-of-pwas-you-might-not-be-aware-of-ffa7b1d08888


Origin blog.csdn.net/duxinshuxiaobian/article/details/112598196