SPARE: Securing Progressive Web Applications Against Unauthorized Replications

TL;DR

This paper introduces a security framework for Progressive Web Applications that prevents unauthorized replication by embedding unique identifiers in web links, evaluated through simulations and real-world data modeling.

Contribution

It proposes a novel query parameter-based security method for PWAs, including a prototype and comprehensive evaluation against replication attacks.

Findings

The security scheme effectively detects and mitigates replication attempts.

Embedding timestamps and device IDs enhances PWA protection.

The framework withstands simulated advanced attack scenarios.

Abstract

WebView applications are widely used in mobile applications to display web content directly within the app, enhancing user engagement by eliminating the need to open an external browser and providing a seamless experience. Progressive Web Applications (PWAs) further improve usability by combining the accessibility of web apps with the speed, offline capabilities, and responsiveness of native applications. However, malicious developers can exploit this technology by duplicating PWA web links to create counterfeit native apps, monetizing through user diversion. This unethical practice poses significant risks to users and the original application developers, underscoring the need for robust security measures to prevent unauthorized replication. Considering the one-way communication of Trusted Web Activity (a method for integrating web content into Android applications) and PWAs, we propose a query parameter-based practical security solution to defend against or mitigate such attacks. We analyze the vulnerabilities of our proposed security solution to assess its effectiveness and introduce advanced measures to address any identified weaknesses, presenting a comprehensive defense framework. As part of our work, we developed a prototype web application that secures PWAs from replication by embedding a combination of Unix timestamps and device identifiers into the query parameters. We evaluate the effectiveness of this defense strategy by simulating an advanced attack scenario. Additionally, we created a realistic dataset reflecting mobile app user behavior, modeled using a Zipfian distribution, to validate our framework.