Acknowledgments
We would like to thank the anonymous reviewers for their
constructive comments and suggestions on how to improve
this paper. This material is based in part upon work supported
by the National Science Foundation (NSF) under grants
No. CNS-2126641 and CNS-2047260, and by the Office
of Naval Research (ONR) under grant N00014-21-1-2159.
Any opinions, findings, and conclusions or recommendations
expressed in this material are those of the authors and do not
necessarily reflect the views of the NSF or ONR.