📝 SummarXiv

Abstract

Progressive Web Applications (PWAs) blend the advantages of web and native apps, offering features like offline access, push notifications, and installability. Beyond these, modern PWAs are increasingly granted system-level capabilities such as auto-start on login and shared context with native applications. However, their permission management remains poorly defined and inconsistently implemented across platforms and browsers. To investigate these gaps, we developed Permissioner, a cross-platform analysis tool, and conducted a systematic study of PWA permissions. Our analysis uncovered critical issues of inconsistency, incompleteness, and unclear boundaries in permission enforcement, leading to various attacks including permission leakage, device identification, and Permission API abuse. We further examined why some browsers resist adopting more granular permission controls, identifying trade-offs involving usability, compatibility, and platform limitations. Through collaboration with browser vendors, several issues reported in our findings were acknowledged and resolved, notably by Firefox and Chrome. Our work highlights the urgent need for a unified, robust permission model for PWAs and provides actionable guidance toward achieving this goal.