Progressive Web Apps (PWA)

Danielle Adams
CSGY-9223: Mobile Security

10/1/19

What is a PWA?

"Progressive web apps use modern web APIs along with traditional progressive enhancement strategy to create cross-platform web applications. These apps work everywhere and provide several features that give them the same user experience advantages as native apps."

What is it?

  • A web application with enhanced user experience and performance
     
  • May be installed as an app or used only within the browser

What is it not?

  • Not a native app
     
  • Not a web-based app wrapped in a native app
     
  • Not OS, device or browser specific

How to develop a PWA

  • Create a web application       
  • Ensure HTTPS usage
  • Add a Manifest file

Add a Manifest file

How to develop a PWA

  • Create a web application
  • Ensure HTTPS usage
  • Add a Manifest file
  • Make use of Service Workers
  • Ensure browser caching

Service workers & caching

How to develop a PWA

Using a tool called Lighthouse an audit can be run on a web application to ensure all features are accounted for.

  • Create a web application
  • Ensure HTTPS usage
  • Add a Manifest file
  • Make use of Service Workers
  • Ensure caching

Lighthouse usage

 

Security Benefits

  • limited interaction with OS
  • no interaction with hardware
  • HTTPS guaranteed
    • encrypted network call
    • requires SSL certificate
  • security patches and bug fixes are automatically made available
    • no need to wait for the next release
  • consistent development, testing, and deployment across all web-based parts of the product

Other Benefits

  • Performant by design

Performant by design

Benefits

  • Performant by design
  • Compatibility

Compatability

Available across any smartphone that supports both browser usage and "app" installation.

Security Concerns

  • keeps session open
  • no support for biometrics
  • smaller devices are more likely to be stolen
  • subject to any browser vulnerabilities
    • mobile OS vulnerabilities
    • Cross-site scripting (XSS)

Other Negatives

  • Discoverability is difficult

Discoverability is difficult

Since PWAs are web applications, they can only be installed from browsers. In order to make available on app stores, they need to be converted to native apps.

 

App browsing is usually done on app stores. The average user does not know that this feature is available to them.

Other Negatives

  • Discoverability is difficult
  • Conflict of products

Conflict of products

Redirecting from search results to the native app is common in mobile devices.

 

Pinterest, which has invested in creating their PWA, redirects users to the native app when it's installed from Google.

Conclusion

PWAs are a great solution for a safe, simple and performant mobile app.

 

The biggest fault in replacing native apps is the discoverability.

PWAs for mobile websites will probably continue to be popular.

Resources

Questions?

(and thanks!)