Evaluation of Security of ServiceWorker and Related APIs

The Service Worker is a programmable proxy that allows the clients to keep offline parts of websites or even the whole domains, receive push notifications, have background synchronization and other features. All of these features are available to the user without having to install an application -...


Bibliographic Details
Main Author: Kravchenko, Maxim
Format: Others
Language: English
Published: Linnéuniversitetet, Institutionen för datavetenskap och medieteknik (DM) 2018
Subjects:
Online Access: http://urn.kb.se/resolve?urn=urn:nbn:se:lnu:diva-75875
id ndltd-UPSALLA1-oai-DiVA.org-lnu-75875
record_format oai_dc
collection NDLTD
language English
format Others
sources NDLTD
topic Service Worker API
Push API
Cache API
Application Cache
security
Progressive Web Apps
HTTPS
Other Engineering and Technologies
Annan teknik
description The Service Worker is a programmable proxy that allows the clients to keep offline parts of websites or even the whole domains, receive push notifications, have background synchronization and other features. All of these features are available to the user without having to install an application - the user only visits a website. The service worker has gained popularity due to being a key component in the Progressive Web Applications (PWAs). PWAs have already proven to drastically increase the number of visits and the duration of browsing for websites such as Forbes [1], Twitter [2], and many others. The Service Worker is a powerful tool, yet it is hard for clients to understand the security implications of it. Therefore, all modern browsers install the service workers without asking the client. While this offers many conveniences to the user, this powerful technology introduces new security risks. This thesis takes a closer look at the structure of the service worker and focuses on the vulnerabilities of its components. After the literature analysis and some testing using the demonstrator developed during this project, the vulnerabilities of the service worker components are classified and presented in the form of the vulnerability matrix; the mitigations to the vulnerabilities are then outlined, and the two are summarized in the form of security guidelines.