Progressive Web Apps (PWAs) are a popular development option right now, but what do you know about PWA security? Where the PWA vs. native app development debate gets interesting is in the question of distribution. Native apps are placed on app stores and downloaded by users from the store. To get your app on the App Store or Google Play Store, you must meet specific requirements, and a portion of your sales, including in-app purchases, will go to Apple or Google.
Progressive Web Apps are installed straight from the browser to a user’s home screen, which lets businesses bypass the requirements of the app stores entirely. For some people, though, this raises security concerns. Apps on the app stores have to be reviewed, from a security standpoint amongst many others, before they can be placed on the store for users to download, and that review gives people a sense of security. Anyone can put a PWA online, and the user has no equivalent review to rely on when installing it.
Let’s take a closer look at the security issues and concerns associated with Progressive Web Apps. Since Progressive Web Apps have gotten so popular, it is important to understand what potential risks there might be so your business can choose the best development option for your operations.
Understanding PWA Security
New technologies present new points of attack for bad actors. While Progressive Web Apps feel like new technology because they are being used to create native-like mobile app experiences, they are predominantly enriched web applications. As a result, PWAs could potentially be vulnerable to all known forms of web attack.
However, we are not going to explore every possible form of web attack in this post. Instead, we are going to focus on the two features that distinguish a Progressive Web App from an ordinary enriched web application:
- Manifests
- Service workers
The Web App Manifest and the Service Worker API are two web-platform specifications (separate from HTML5 itself) that give PWAs the ability to look and feel like native mobile apps. Let’s take a closer look.
What Is a Manifest?
A manifest is a JSON file that the PWA’s HTML points to with a <link rel="manifest"> tag. It tells the browser how the app should be installed and presented. Examples of this information include:
- App name
- Home screen icon
- App description
- Display options
- Start URL and scope (the page the installed app opens on, and the set of URLs it covers)
What Is a Service Worker?
While the manifest handles the appearance that mobile users are familiar with, service workers give PWAs behaviour that mimics native apps. A service worker is a script the browser runs in the background, separately from any page. An easy way to understand how it operates is to think of it as a programmable proxy sitting between the frontend pages and the network (your backend): it can intercept every request those pages make and decide what response they receive. Service workers give developers the ability to add native-like features to their apps, such as:
- Push notifications
- Caching (for offline use)
- Background syncing
Service workers and manifests give developers the ability to turn a website into an installable mobile app. However, these two features present security exposures that your organization might not be aware of. Let’s see how an attacker could go after your PWA through the manifest or the service worker.
Attacking a PWA Through the Manifest
The amount of damage that can be done through the manifest is limited, but that doesn’t mean you should ignore it. Attackers like cross-site scripting (XSS), where they inject their own markup or script into a target application. An injected manifest link gains them little, because the browser honours only the first <link rel="manifest"> in the document and ignores any later ones, so an attacker who can append markup cannot replace a manifest you already declare in the page head. Keep your own manifest link early in the head, ahead of any point where user-controlled content is rendered.
However, if you don’t declare a manifest for your PWA at all, an attacker who can inject markup can link their own. The damage from such an attack is limited to presentation (the app icon, name, colours and similar), but a spoofed icon or name can damage your brand and drive users away from your app. Browsers also honour the Content Security Policy manifest-src directive, which restricts the origins a manifest may be fetched from; setting it to 'self' further reduces what an injected manifest link can do.
Attacking a PWA Through Service Workers
We’ve already discussed the functionality service workers bring to PWAs by sitting between the frontend and backend of the application. That position is exactly what makes them an attractive target: a service worker can intercept every request its controlled pages make and serve modified responses to users.
It is therefore critical that an attacker cannot register or modify your service worker. A service worker persists after the page is closed and re-attaches to every later visit within its scope, so an attacker who controls one gains a persistent man-in-the-middle position over inbound and outbound information until the worker is replaced or unregistered. The browser only registers a service worker from a script served by the page’s own origin, over HTTPS, with a JavaScript content type, so the attacker’s first step is usually to get a script of their own hosted on your origin, for example through an unrestricted file upload or an XSS flaw that lets them call the registration API.
A malicious service worker can have serious consequences for your app and users. An attacker using one could monitor and alter all traffic between your backend and your frontend users: inject phishing prompts into pages that otherwise look legitimate, capture the data those prompts collect, and harvest the credentials and personal information users submit, which would damage your brand and reputation and drive users away from your business.
Service workers cannot access the DOM of the pages they control, and they cannot read document.cookie, which caps some of the damage. Don’t overstate that boundary, though: a malicious worker can rewrite the HTML and JavaScript it serves, so it doesn’t need DOM access to control what the page shows, and requests it makes with fetch still carry the user’s session cookies. The only direct channel between a worker and its pages is the postMessage interface, so treat every message a page receives from a worker as untrusted input: accept a fixed set of message types, validate their fields, and never inject message content into the page as HTML. If you do find a rogue worker, evict it by deploying a new worker at the same URL that unregisters itself, and clear the affected origin’s storage.
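The page-side checks described above, written out as an added example that is not code from the original article: a guard that refuses to register any service worker other than the one script the app ships, and a validator for the postMessage traffic that worker sends back. The script path /sw.js, the scope /app/, the origin https://app.example and the message types are assumptions chosen for illustration; the registration rules the guard mirrors (secure context, same-origin script, scope no broader than the script’s directory) are the browser’s own.

```javascript
// Added example, not code from the original article. Page-side guard for
// service-worker registration plus validation of worker messages. Uses only
// the standard URL class, so the functions run in Node as well as a browser.

// Hypothetical policy for this app: exactly one worker script and one scope.
const EXPECTED_SW_PATH = "/sw.js";
const EXPECTED_SCOPE_PATH = "/app/";

// Mirrors the browser's own registration rules (secure context, same-origin
// script, scope no broader than the script's directory) and adds the app's
// fixed policy, so a register() call injected elsewhere in the page is refused
// before it ever reaches navigator.serviceWorker.
function checkServiceWorkerRegistration(pageUrl, scriptUrl, scope) {
  let page, script, scopeUrl;
  try {
    page = new URL(pageUrl);
    script = new URL(scriptUrl, page);
    // Default scope is the directory containing the worker script.
    scopeUrl = new URL(scope ?? "./", script);
  } catch {
    return { ok: false, reason: "malformed URL" };
  }
  const isLocalDev = page.hostname === "localhost" || page.hostname === "127.0.0.1";
  if (page.protocol !== "https:" && !isLocalDev) {
    return { ok: false, reason: "service workers require a secure context" };
  }
  if (script.origin !== page.origin) {
    return { ok: false, reason: "worker script must be same-origin" };
  }
  if (script.pathname !== EXPECTED_SW_PATH) {
    return { ok: false, reason: "unexpected worker script " + script.pathname };
  }
  const scriptDir = script.pathname.slice(0, script.pathname.lastIndexOf("/") + 1);
  if (scopeUrl.origin !== page.origin || !scopeUrl.pathname.startsWith(scriptDir)) {
    return { ok: false, reason: "scope outside the worker script's directory" };
  }
  if (scopeUrl.pathname !== EXPECTED_SCOPE_PATH) {
    return { ok: false, reason: "unexpected scope " + scopeUrl.pathname };
  }
  return { ok: true, scriptUrl: script.href, scope: scopeUrl.href };
}

// The only direct channel from a worker to its pages is postMessage, so
// messages are treated as untrusted input: a fixed set of types (hypothetical
// ones for this app), typed fields, and everything else is dropped rather than
// forwarded to the UI. A Map avoids prototype keys such as "constructor".
const MESSAGE_SCHEMA = new Map([
  ["CACHE_UPDATED", { url: "string" }],
  ["SYNC_COMPLETE", { count: "number" }],
]);

function parseServiceWorkerMessage(data, pageOrigin) {
  if (data === null || typeof data !== "object" || typeof data.type !== "string") {
    return null;
  }
  const fields = MESSAGE_SCHEMA.get(data.type);
  if (!fields) return null;
  const message = { type: data.type };
  for (const [name, kind] of Object.entries(fields)) {
    if (typeof data[name] !== kind) return null;
    message[name] = data[name]; // unknown extra properties are not copied
  }
  // A URL supplied by the worker is only accepted if it stays on this origin,
  // so a compromised worker cannot steer the page to a phishing site.
  if (message.url !== undefined) {
    try {
      if (new URL(message.url, pageOrigin).origin !== new URL(pageOrigin).origin) return null;
    } catch {
      return null;
    }
  }
  return message;
}

// Browser-only wiring; skipped when the file runs under Node.
if (typeof navigator !== "undefined" && "serviceWorker" in navigator) {
  const verdict = checkServiceWorkerRegistration(location.href, EXPECTED_SW_PATH, EXPECTED_SCOPE_PATH);
  if (verdict.ok) {
    navigator.serviceWorker.register(verdict.scriptUrl, { scope: verdict.scope });
    navigator.serviceWorker.addEventListener("message", (event) => {
      const message = parseServiceWorkerMessage(event.data, location.origin);
      // Render accepted messages with textContent, never innerHTML.
      if (message) console.log("worker message", message);
    });
  } else {
    console.warn("service worker registration refused:", verdict.reason);
  }
}
```

The guard does not replace the browser’s checks; it front-loads them and adds the app’s own policy, so a registration call that an injected script manages to make with a different path (an uploaded file, say) is refused, and the refusal reason is something you can log and alert on. The message validator drops fields it was not told about, which is what stops a rogue worker from smuggling markup or an off-origin URL through the one channel it has to the page.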
PWAs Are Secure: Final Thoughts
For the most part, PWAs are secure because they require HTTPS, just like any well-run website or web application: a service worker will not even register on an insecure origin. In addition, since they run inside web browsers, PWAs benefit from all of the modern security features built into browsers, such as the same-origin policy and Content Security Policy. Of course, PWAs still need to account for all of the common web attacks, but this makes testing them easier, because your security team should already be familiar with the common web vulnerabilities.
The benefits of developing Progressive Web Apps are convincing many businesses that this development path is the right choice. If you are interested in developing a PWA, speak with an app development partner. A partner can help you understand all of your options and guide you through the development process using their industry experience and technical expertise. In addition, a partner will have in-depth knowledge of PWA security.