Re: [w3c/manifest] Security Risks in Web App Off-scope Navigation (#747)

Hi, mgiuca

Thank you for the timely response. We'd like to make a bit of clarification here.

We think there is currently a design pitfall for user agents that support Web Apps. Specifically, when a Web App takes the entirety of the display area, it's practically misleading to users if the user agent (e.g., Chrome) is still designed to display the Prominent UI inside the display realm of the PWA in certain circumstances. In particular, the users cannot tell whether the Prominent UI is from the user agent or the Web App. When this Prominent UI is for a critical security notification (i.e., informing the user of the current domain during off-scope navigation), such confusion will cause security consequences, e.g., our reported phishing attacks.

From the Spec perspective, we make the following two suggestions for your review.

1. The Spec makes it clear that the user agent's UI component/notice, if inside the display area of a (fullscreen) Web App, could be practically counterfeited. If the UI component/notice is for critical security purposes, security consequences such as phishing attacks may occur.

2. The Spec may suggest a secure design principle: it should be practically easy for users to judge whether any UI component/notice inside the display area of a Web App is owned by the Web App or the user agent.

One possible implementation of the suggested design principle could be that any UI component/notice inside the display area of a Web App should only be owned by the Web App. When a user agent wants to show users any critical UI notice, it should guide the user to the user agent's separate activity and display it there. After the display, it should guide the user back to the Web App, so as to eliminate any breaking of the user experience. This is indeed a further explanation of our original suggestion, which was never meant to be an opposition to #701.

Response to your other comments.

In response to your comment

> “A full stand-alone app on mobile would simply be able to spoof the browser UI and the user would think they're in the full-screen browser”,

we believe the Operating System should have the responsibility to make it clear what app the user is running. Indeed, on iOS when a user double presses the Home button, he/she would be able to see the real identity of the app running in the foreground, no matter whether this app is spoofing other apps' UI or not. Similarly, on Android, through the Recents Screen [1], users can also reliably know which app is running in the foreground. It has indeed happened on Android that a malicious app spoofed the UI of other apps, but it's Android's responsibility to fix each reported bug and make sure users always reliably know the real identity of running apps and activities. Similarly, we think it's the user agents' responsibility to make users reliably know the owner (Web App or the user agent) of any critical UI component/notice in the context of a Web App. We suggest the Spec clarify this responsibility for user agents.


Please let us know if you have any questions.


[1] https://developer.android.com/guide/components/activities/recents


-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/manifest/issues/747#issuecomment-444569304

Received on Wednesday, 5 December 2018 17:23:30 UTC
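The thread above turns on what an "off-scope navigation" is, since that is the event that makes the user agent show the origin notice whose placement the commenters are worried about. The following added example (not code from the issue thread, the w3c/manifest project, or any browser) implements the "within scope" test as the Web App Manifest specification describes it: a target URL is within the navigation scope when it has the same origin as the scope URL and its path starts with the scope URL's path. The function names, the scope URL and the sample navigation list are constructed for illustration.

```javascript
// Added example, not from the issue thread or the w3c/manifest spec text.
// Implements the manifest "within scope" test: same origin as the scope URL,
// and the target path starts with the scope path. The negative case is an
// off-scope navigation, which is when a user agent shows the origin notice
// discussed above. All names below are assumptions for illustration.

function isWithinScope(scopeUrl, targetUrl) {
  const scope = new URL(scopeUrl);
  const target = new URL(targetUrl);
  // Different origin (scheme, host or port) is always out of scope.
  if (scope.origin !== target.origin) return false;
  // Plain string prefix match on the path, as the spec specifies. A scope
  // ending in "/" avoids "/pwa" also matching "/pwa-other".
  return target.pathname.startsWith(scope.pathname);
}

// Label a navigation so a user agent knows whether the origin notice applies.
function classifyNavigation(scopeUrl, targetUrl) {
  return isWithinScope(scopeUrl, targetUrl) ? 'in-scope' : 'off-scope';
}

// Constructed sample: an app scoped to /pwa/ on app.example and three
// navigations, one in scope, one off scope on the same origin, and one to a
// different origin that merely reuses the same path prefix.
const SCOPE = 'https://app.example/pwa/';
const SAMPLE_NAVIGATIONS = [
  'https://app.example/pwa/settings',
  'https://app.example/other/',
  'https://attacker.example/pwa/login',
];

// Returns one {url, result} record per navigation.
function auditNavigations(scopeUrl = SCOPE, urls = SAMPLE_NAVIGATIONS) {
  return urls.map((u) => ({ url: u, result: classifyNavigation(scopeUrl, u) }));
}

for (const entry of auditNavigations()) {
  console.log(`${entry.result.padEnd(9)} ${entry.url}`);
}
```

The third sample shows why the origin comparison comes first: a different host that copies the app's path layout is still off scope, so the user agent's notice would fire there, and it is exactly that notice which the comment argues must be visibly separate from the app's own rendering area.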