Disposable track/web-push harness

Android notification-action gate

This page tests encrypted Web Push plus a non-exportable browser key. It is not an Autharky login screen and stores no production factor state.

Assurance boundary

Web Crypto non-extractability is a browser API boundary, not Android Keystore attestation. The web platform cannot force biometric authentication or device unlock for a notification action.

1. Enroll this browser

Use Android Chrome. Enrollment requests notification permission, subscribes to FCM, and saves a non-extractable ECDSA P-256 private key in IndexedDB. Re-enrolling after a browser restart proves key reuse.

Not enrolled in this page session.

2. Send a background challenge

The delayed option gives you eight seconds to press Home or lock the phone. The worker never opens or focuses a page when Approve or Deny is chosen.

No challenge sent.

3. Record real-device evidence

Evidence

For a normal action, server evidence should show the chosen state, one signature rejection (automatic tamper probe), and one replay rejection. Browser evidence records push, click, retry, and service-worker events.

Loading…

Acceptance checklist

Reset after server restart

The spike VAPID key is ephemeral. If the server restarts, reset the browser subscription and enroll again. This also deletes the IndexedDB signing key.