Security of PWAs (Progressive Web Apps)

02673853

How secure are PWAs?
I know that they are more private because they have fewer fingerprinting options than installed .apks and are more secure in that it’s harder for them to attack the system.
But how secure are PWAs with regard to protecting the data inside the PWA in the CIA (Confidentiality, Integrity, Availability) sense?

The main issues I see with them are the following:

The code isn't signed:
This means that if the updating URL is compromised, the PWA can also be compromised without any additional security measures in the way (a signing key would prevent this with a native app). Even if the compromise is quickly discovered and reported, there is no way to stop a PWA from getting updates on the client side (at least I can't find such an option in Vanadium).
Additional trust assumptions and attack vectors:
There are a lot more attack vectors on a PWA than on a native application: for example, the URL could be compromised, either by a hacker or by the certificate authority that is issuing the certificate for the URL. Another attack vector is that a compromise of the browser that is running the PWA would also lead to a compromise of the PWA.

Linux

From my point of view, PWAs or just glorified web shortcuts

Eumenia

I think if an app is critical for security, then it should be installed as a "real" app, mainly for the issues you mentioned

Anon6095

With a website or PWA you download unsigned source code (often from third parties too) on every start up, so it’s easier for an attacker to intercept and tamper with the code of the app, compared to an app that is installed the traditional way.