Security Bits — 15 September 2024

Feedback & Followups

Deep Dive — The Emerging Dark Side of PWAs

We’ve not discussed Progressive Web Apps, or PWAs in any kind of detail in this segment before because they’ve been quite niche and not had much of an impact on the security of regular users. That’s changing now, and not in a good way 🙁

While Allison was in Africa I mentioned a story about a malicious ad campaign on major sites targeting customers of major banks with fake requests to update their banking app. My advice was never to believe any kind of call to action from your bank that arrives as an ad — if your bank really needed you to do something to protect your account, their chosen method of communication would not be an ad!

I said to put a mental pin in that story and promised a deep dive when Allison was back, and here we are!

The ‘apps’ those malicious ads were pushing were not full-on apps from some kind of App Store, nor were they links to some kind of side-loading request; they were links to Progressive Web Apps.

What are PWAs?

As their name may suggest PWAs are web apps with some extra powers.

At a technological level, they are just regular web apps written in HTML, CSS & JavaScript that run online like any other web app, but they ship an extra metadata file with instructions for how their code and resources can be cached on-device so they can be ‘installed’ for use both on and offline. Once installed, their JavaScript gets access to extra APIs that allow them to save data locally and request access to device resources like the camera and microphone.

From a user’s point of view, they are using some kind of app on a website and get the option to save it to their ‘Home Screen’; when they do, they get an icon that looks just like a real app. When they tap that icon they get the same app they had been using on a web page, but now full screen without any browser bits around it, and they can use it even when offline. They can also approve camera and microphone access, and those permissions stick, just like with a regular app.

This can be really convenient for users. They get their favourite web app as something that behaves like a real app, and it just works!

From a developer’s point of view, it offers an interesting middle ground between an app that is trapped in the browser and only works online, and a full-blown App Store app with review and all that setup. They can only write in HTML, CSS & JavaScript; they can’t use C++, Objective-C, Swift, Java, or any other ‘real’ programming language. They also can’t use the vast, vast, vast majority of Android, iOS, Windows, macOS, or Linux APIs, but they can get some of that functionality through generic PWA APIs with cross-platform support. But the biggest appeal is the freedom from the onerous task of registering as a developer (I’ve been through it, the proof of identity for yourself and your company is no joke, and there are fees), and there is no app review between you and your users!
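To make the ‘extra metadata file’ concrete, here is an added example (not code from this post or from any PWA project) that reads a Web App Manifest the way a browser does before offering ‘Add to Home Screen’, and pulls out exactly the facts the icon on the Home Screen no longer shows: the real origin, and whether the app launches with the address bar hidden. The manifest and its URL are constructed sample values, and the installability check is a simplified approximation of what browsers actually require.

```javascript
// Added example, not code from the Security Bits post: inspect a Web App
// Manifest (the metadata file that makes a web app a PWA) and report what a
// user stops seeing once the app is on their Home Screen.

// Display modes that launch the app with no browser address bar at all.
const CHROMELESS_MODES = new Set(["standalone", "fullscreen"]);

function inspectManifest(manifestText, manifestUrl) {
  const m = JSON.parse(manifestText);
  // Relative start_url / scope values resolve against the manifest's own URL,
  // so the origin the user actually lands on is derived here, not from the
  // name or icon the install prompt displays.
  const startUrl = new URL(m.start_url ?? ".", manifestUrl);
  const scope = m.scope !== undefined ? new URL(m.scope, manifestUrl)
                                      : new URL("./", startUrl);
  const icons = Array.isArray(m.icons) ? m.icons : [];
  // Simplified version of the checks browsers apply before offering install
  // (an approximation for illustration, not the full spec): a name, a large
  // enough icon, HTTPS, and a start_url that lies inside the declared scope.
  const installable =
    typeof (m.name ?? m.short_name) === "string" &&
    icons.some((i) => /\b(192x192|512x512)\b/.test(i.sizes ?? "")) &&
    startUrl.protocol === "https:" &&
    startUrl.origin === scope.origin &&
    startUrl.pathname.startsWith(scope.pathname);
  return {
    displayedName: m.short_name ?? m.name, // the label under the icon
    origin: startUrl.origin,               // the site the user never sees
    startUrl: startUrl.href,
    hidesAddressBar: CHROMELESS_MODES.has(m.display),
    installable,
  };
}

// Constructed sample manifest: nothing in the name or icon reveals the origin.
const SAMPLE_MANIFEST_URL = "https://example.org/promo/manifest.json";
const SAMPLE_MANIFEST = JSON.stringify({
  name: "Example Bank",
  short_name: "ExampleBank",
  start_url: "./login.html",
  scope: "./",
  display: "standalone",
  icons: [{ src: "icon-192.png", sizes: "192x192", type: "image/png" }],
});

console.log(inspectManifest(SAMPLE_MANIFEST, SAMPLE_MANIFEST_URL));
```

Comparing `displayedName` with `origin` in the output is the check a helper can do for a family member: the name and icon are chosen by the site, the origin is not.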

Where’s the Danger?

At a purely technical level, there is no vulnerability — all the OSes do a good job sandboxing PWAs, and Apple & Google enforce all their normal permissions dialogues on PWAs.

The problem lies with the squishy organic bit. Today, regular folk do not understand what a PWA is, and that leaves them exposed to social engineering attacks like those malicious ads mentioned at the start of this segment.

Users know app stores vet apps, and they keep reading news stories about those evil anti-competitive gatekeepers locking developers of innocent games like Fortnite out of their stores, so they give things that look like apps more trust than they warrant.

What a victim who falls for one of these malicious ads sees is an app on their Home Screen with their bank’s logo that looks identical to their old app that the ad told them was out of date. When that app presents them with a familiar login screen, they don’t think twice!

Worse still, once a PWA is installed, there’s no easy way for helpful family members to recognise the app for what it is — a website in disguise, and, there’s no quick and easy way to see that disguised website’s evil URL, so my standard ‘look up’ advice does not work.

Best Advice?

There is no easy answer, but I am warning non-techie family members not to follow any ad anywhere ever, and not to let any website add itself to their Home Screen without checking with me first.

Links

❗ Action Alerts

Worthy Warnings

  • Be aware that sextortion scammers have adopted two new techniques in recent weeks — these emails remain scams based on false claims!
    • In addition to using leaked passwords to make their bogus claims more legit, attackers are now also using leaked physical addresses along with publicly available mapping imagery to add a photo of your actual home/front yard to their emails — krebsonsecurity.com/…
    • Attackers are now using leaked data to include actual names in false claims that a victim’s spouse is cheating on them — www.bleepingcomputer.com/… (Due to typos in some of the names observed in the campaign, there is a strong suspicion the source of the data is the wedding planning site The Knot)
  • Beware! Attackers have found another way to attack the open source community: GitHub comments abused to push password stealing malware masked as fixes — www.bleepingcomputer.com/… (TL;DR — don’t run any commands you don’t understand, even if they come from a comment on the GitHub project for the software/code library you’re currently struggling with)

Notable News

Excellent Explainers

Interesting Insights

  • Apple have released a detailed academic paper outlining their safety testing of Apple Intelligence. The paper itself is not accessible to regular folk, but this is an excellent overview: Apple shows why it’s ahead in AI, not behind — www.cultofmac.com/… (TL;DR — by putting a lot of effort into cleaning the training data, Apple’s models are functionally on par with the rest, but much safer; it seems to be more effective to stop models from learning dangerous things than to try to stop them blurting out dangerous things they have learned)
  • 🎧 The arrest of the Telegram CEO is cybersecurity adjacent, but not quite in our bailiwick; still, if you want a well-informed, reasoned analysis, I can recommend this TED interview: [TED Talks Daily: The arrest of Telegram CEO Pavel Durov – and why you should care with Eli Pariser — overcast.fm/…](https://overcast.fm/+AAAAAQKIrik)

Palate Cleansers

Legend

When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
❗ A call to action.
(flag) The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.
🎦 A link to video content.
