Disposable track/web-push harness
Android notification-action gate
This page tests encrypted Web Push plus a non-exportable browser key. It is not an Autharky login screen and stores no production factor state.
Web Crypto non-extractability is a browser API boundary, not Android Keystore attestation. The web platform cannot force biometric authentication or device unlock for a notification action.
1. Enroll this browser
Use Android Chrome. Enrollment requests notification permission, subscribes to FCM, and saves a non-extractable ECDSA P-256 private key in IndexedDB. Re-enrolling after a browser restart proves key reuse.
Not enrolled in this page session.
2. Send a background challenge
The delayed option gives you eight seconds to press Home or lock the phone. The worker never opens or focuses a page when Approve or Deny is chosen.
No challenge sent.
3. Record real-device evidence
Evidence
For a normal action, server evidence should show the chosen state, one signature rejection (automatic tamper probe), and one replay rejection. Browser evidence records push, click, retry, and service-worker events.
Loadingā¦
Acceptance checklist
- Run both Approve and Deny with Chrome/site backgrounded.
- Restart Chrome, re-enroll, and confirm the same device ID/key is reused.
- Force a worker update, then repeat an action.
- Test ordinary site and installed PWA if installation is available.
- Test permission denial, then regrant through Android/Chrome site settings.
- Test unlocked and locked-screen notification actions.
- Dismiss one notification without acting.
- Choose an action offline, restore connectivity promptly, and inspect retry evidence.
Reset after server restart
The spike VAPID key is ephemeral. If the server restarts, reset the browser subscription and enroll again. This also deletes the IndexedDB signing key.