Related papers: SPARE: Securing Progressive Web Applications Against Unauthorized Replications

SPARE: Securing Progressive Web Applications Against Unauthorized Replications

URL: http://arxiv.org/abs/2508.07053v1
Date: Sat, 09 Aug 2025 17:40:13 GMT
Title: SPARE: Securing Progressive Web Applications Against Unauthorized Replications
Authors: Sajib Talukder, Nur Imtiazul Haque, Khandakar Ashrafi Akbar,
Abstract summary: Malicious developers can exploit Progressive Web Applications by duplicating PWA web links to create counterfeit native apps.<n>We propose a query parameter-based practical security solution to defend against or mitigate such attacks.
Score: 1.1174586184779578
License: http://creativecommons.org/licenses/by/4.0/
Abstract: WebView applications are widely used in mobile applications to display web content directly within the app, enhancing user engagement by eliminating the need to open an external browser and providing a seamless experience. Progressive Web Applications (PWAs) further improve usability by combining the accessibility of web apps with the speed, offline capabilities, and responsiveness of native applications. However, malicious developers can exploit this technology by duplicating PWA web links to create counterfeit native apps, monetizing through user diversion. This unethical practice poses significant risks to users and the original application developers, underscoring the need for robust security measures to prevent unauthorized replication. Considering the one-way communication of Trusted Web Activity (a method for integrating web content into Android applications) and PWAs, we propose a query parameter-based practical security solution to defend against or mitigate such attacks. We analyze the vulnerabilities of our proposed security solution to assess its effectiveness and introduce advanced measures to address any identified weaknesses, presenting a comprehensive defense framework. As part of our work, we developed a prototype web application that secures PWAs from replication by embedding a combination of Unix timestamps and device identifiers into the query parameters. We evaluate the effectiveness of this defense strategy by simulating an advanced attack scenario. Additionally, we created a realistic dataset reflecting mobile app user behavior, modeled using a Zipfian distribution, to validate our framework.

Related papers

Cuckoo Attack: Stealthy and Persistent Attacks Against AI-IDE [64.47951172662745]
Cuckoo Attack is a novel attack that achieves stealthy and persistent command execution by embedding malicious payloads into configuration files.<n>We formalize our attack paradigm into two stages, including initial infection and persistence.<n>We contribute seven actionable checkpoints for vendors to evaluate their product security.
arXiv Detail & Related papers (2025-09-19T04:10:52Z)
Web Fraud Attacks Against LLM-Driven Multi-Agent Systems [16.324314873769215]
Web fraud attacks pose non-negligible threats to system security and user safety.<n>We propose Web Fraud Attacks, a novel type of attack aiming at inducing multi-agent systems to visit malicious websites.
arXiv Detail & Related papers (2025-09-01T07:47:24Z)
Bridging the Mobile Trust Gap: A Zero Trust Framework for Consumer-Facing Applications [51.56484100374058]
This paper proposes an extended Zero Trust model designed for mobile applications operating in untrusted, user-controlled environments.<n>Using a design science methodology, the study introduced a six-pillar framework that supports runtime enforcement of trust.<n>The proposed model offers a practical and standards-aligned approach to securing mobile applications beyond pre-deployment controls.
arXiv Detail & Related papers (2025-08-20T18:42:36Z)
Mind the Web: The Security of Web Use Agents [8.863542098424558]
We show how attackers can exploit web-use agents' high-privilege capabilities by embedding malicious content in web pages.<n>We introduce the task-aligned injection technique that frame malicious commands as helpful task guidance rather than obvious attacks.<n>We propose comprehensive mitigation strategies including oversight mechanisms, execution constraints, and task-aware reasoning techniques.
arXiv Detail & Related papers (2025-06-08T13:59:55Z)
WebCoT: Enhancing Web Agent Reasoning by Reconstructing Chain-of-Thought in Reflection, Branching, and Rollback [74.82886755416949]
We identify key reasoning skills essential for effective web agents.<n>We reconstruct the agent's reasoning algorithms into chain-of-thought rationales.<n>Our approach yields significant improvements across multiple benchmarks.
arXiv Detail & Related papers (2025-05-26T14:03:37Z)
SafeAgent: Safeguarding LLM Agents via an Automated Risk Simulator [77.86600052899156]
Large Language Model (LLM)-based agents are increasingly deployed in real-world applications.<n>We propose AutoSafe, the first framework that systematically enhances agent safety through fully automated synthetic data generation.<n>We show that AutoSafe boosts safety scores by 45% on average and achieves a 28.91% improvement on real-world tasks.
arXiv Detail & Related papers (2025-05-23T10:56:06Z)
The Hidden Dangers of Browsing AI Agents [0.0]
This paper presents a comprehensive security evaluation of such agents, focusing on systemic vulnerabilities across multiple architectural layers.<n>Our work outlines the first end-to-end threat model for browsing agents and provides actionable guidance for securing their deployment in real-world environments.
arXiv Detail & Related papers (2025-05-19T13:10:29Z)
Tit-for-Tat: Safeguarding Large Vision-Language Models Against Jailbreak Attacks via Adversarial Defense [90.71884758066042]
Large vision-language models (LVLMs) introduce a unique vulnerability: susceptibility to malicious attacks via visual inputs.<n>We propose ESIII (Embedding Security Instructions Into Images), a novel methodology for transforming the visual space from a source of vulnerability into an active defense mechanism.
arXiv Detail & Related papers (2025-03-14T17:39:45Z)
Adding web pentesting functionality to PTHelper [0.4779196219827506]
This project is the direct continuation of the previous initiative called PThelper: An open source tool to support the Penetration Testing process. This continuation is focused on expanding PThelper with the functionality to detect and later report web vulnerabilities.
arXiv Detail & Related papers (2024-10-16T10:05:56Z)
The Emperor is Now Clothed: A Secure Governance Framework for Web User Authentication through Password Managers [0.9599644507730105]
Existing approaches to facilitate the interaction between password managers and web applications fall short of providing adequate functionality and mitigation strategies against prominent attacks. We propose Berytus, a browser-based governance framework that mediates the interaction between password managers and web applications.
arXiv Detail & Related papers (2024-07-09T19:49:49Z)
"Glue pizza and eat rocks" -- Exploiting Vulnerabilities in Retrieval-Augmented Generative Models [74.05368440735468]
Retrieval-Augmented Generative (RAG) models enhance Large Language Models (LLMs) In this paper, we demonstrate a security threat where adversaries can exploit the openness of these knowledge bases.
arXiv Detail & Related papers (2024-06-26T05:36:23Z)
Not what you've signed up for: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection [64.67495502772866]
Large Language Models (LLMs) are increasingly being integrated into various applications. We show how attackers can override original instructions and employed controls using Prompt Injection attacks. We derive a comprehensive taxonomy from a computer security perspective to systematically investigate impacts and vulnerabilities.
arXiv Detail & Related papers (2023-02-23T17:14:38Z)

This list is automatically generated from the titles and abstracts of the papers in this site.