@inproceedings{a3b1d4fa87384dbdadbf2fc87c9000a3,
title = "Pride and prejudice in progressive web apps: Abusing native app-like features in Web applications",
abstract = "Progressive Web App (PWA) is a new generation of Web application designed to provide native app-like browsing experiences even when a browser is offline. PWAs make full use of new HTML5 features which include push notification, cache, and service worker to provide short-latency and rich Web browsing experiences. We conduct the first systematic study of the security and privacy aspects unique to PWAs. We identify security flaws in main browsers as well as design flaws in popular third-party push services, that exacerbate the phishing risk. We introduce a new side-channel attack that infers the victim{\textquoteright}s history of visited PWAs. The proposed attack exploits the offline browsing feature of PWAs using a cache. We demonstrate a cryptocurrency mining attack which abuses service workers. Defenses and recommendations to mitigate the identified security and privacy risks are suggested with in-depth understanding.",
keywords = "Cryptocurrency mining, History sniffing, Phishing, Progressive web application, Web push",
author = "Jiyeon Lee and Hayeon Kim and Junghwan Park and Insik Shin and Sooel Son",
note = "Publisher Copyright: {\textcopyright} 2018 Copyright held by the owner/author(s). Publication rights licensed to ACM.; 25th ACM Conference on Computer and Communications Security, CCS 2018 ; Conference date: 15-10-2018",
year = "2018",
month = oct,
day = "15",
doi = "10.1145/3243734.3243867",
language = "English",
series = "Proceedings of the ACM Conference on Computer and Communications Security",
publisher = "Association for Computing Machinery",
pages = "1731--1746",
booktitle = "CCS 2018 - Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security",
}