-
Notifications
You must be signed in to change notification settings - Fork 5
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
App => Web support #51
Comments
I'm mostly concerned about Other than that, I can see how this could be important. My first impression (no pun intended) is that this is fundamentally quite challenging because access to the OS-level store for querying conversions depends critically on trusting the entity that asks to represent the identity of the true requester accurately. To a first approximation, an app operating a webview need to be thought of as a browser when talking to the OS, so I'll talk about browsers and you can substitute "app" as needed. If the browser stores impressions, then the browser can trust itself to know that the website is really the website it means (that's a core function of a browser). That's easy. It's harder when the store is at the OS level. A browser needs to assert to the OS that this is really "example.com" that is spending privacy budget. The OS doesn't really have much hope of validating that claim unless it has some pretty extreme control over how the browser operates. This might be possible on iOS with their browser restriction, but on a platform without extreme restrictions, that's not going to hold. We saw a similar example of this pattern of attack with passkeys. Any form of access to the device from an app gives that app the ability to assert that someone is accessing any website. Attackers were able to use WebUSB to spoof site identity and effectively bypass protections. I can see a few options:
|
Had one idea here. If we place zero trust in the web browser, then perhaps we can use a solution that involves the site generating a signature using its public key. One approach for webviews (e.g. UIWebview on iOS) could be to disable the JavaScript API, and only enable the HTTP API (see #47 for some brainstorming here). But we would need to add some kind of signature generated by the website's web-server. So the response might be something like:
where this is a signature generated using the website's private key, and which signs over all of the fields, including the delegation-ID. Now a malicious app could at worst intercept and drop this call. It couldn't save signatures for use elsewhere since the delegation ID is expected to be unique. |
@martinthomson does this proposal seem like a way to achieve your option #1? The OS could be the one to validate the signature. |
The basic shape of this might work. Though we'd need to work out more of the details. Attacks that might need mitigation:
|
Many popular apps primarily display advertising in mobile applications, while conversions might be generated in either the system browser, or within an in-app-webview. If there was an OS-level impression store, and an OS-level privacy budget, it seems possible to support common user journeys like:
There are various technologies available on mobile platforms, including both Webviews (highly customisable) and "Remote Tabs" (not customisable). Meta's apps use the former. If this API does not support the App => Webview user journey, it will have very poor coverage of most user conversion journeys.
But there are various risks associated with enabling this API in webviews that must be mitigated:
I would love to discuss mitigations to these risks, and to identify any other risks that might be present.
The text was updated successfully, but these errors were encountered: