mirror of
https://github.com/privacyguides/privacyguides.org
synced 2024-11-30 06:53:32 +01:00
Compare commits
6 Commits
d381cef747
...
c50b5d3616
| Author | SHA1 | Date | |
|---|---|---|---|
|
c50b5d3616 | ||
|
|
76d78db04c | ||
|
|
89e2d75d83 | ||
|
|
ebd9ec1753 | ||
|
|
1d037f3e0a | ||
|
|
ac0a3ca8c5 |
@ -10,19 +10,19 @@ tags:
|
||||
- IWA
|
||||
license: BY-SA
|
||||
---
|
||||
# PWA vs IWA
|
||||
# IWA: The Future of Web Apps?
|
||||
|
||||
The concept of a [Progressive Web App](https://developer.mozilla.org/en-US/docs/Web/Progressive_web_apps) is enticing: an app using web technologies that’s inherently cross platform (since it runs in a browser) and acts like a native app, even functioning offline. Support for PWAs in traditionally locked-down platforms like iOS means that PWAs can give users the freedom to install apps without having to go through Apple’s App Store.
|
||||
The concept of a [Progressive Web App](https://developer.mozilla.org/en-US/docs/Web/Progressive_web_apps) is enticing: an app using web technologies that’s inherently cross platform (since it runs in a browser) and acts like a native app, even functioning offline. Support for PWAs in traditionally locked-down platforms like iOS means that PWAs can give users the freedom to install apps without having to go through Apple’s App Store.<!-- more -->
|
||||
|
||||
Attempts at similar things have been made before, notably the infamous [Electron](https://www.electronjs.org) allows developers to easily create cross-platform apps by essentially bundling the browser in with the app. This approach has its drawbacks, though. Browsers have huge attack surface so it's important to keep them updated, but many Electron apps ship outdated versions, leaving those apps vulnerable. PWAs use the browser that you already have installed, so as long as you keep it updated all your apps will have all the latest security fixes.
|
||||
Attempts at similar things have been made before, notably the infamous [Electron](https://www.electronjs.org) allows developers to easily create cross-platform apps by essentially bundling the browser in with the app. This approach has its [drawbacks](https://usa.kaspersky.com/blog/electron-framework-security-issues/28952/?srsltid=AfmBOor_UcYY-84soHz5K2ULTmhlX44-DsIfJp_StotBrusD63MweSGO), though. Browsers have huge attack surface so it's important to keep them updated, but many Electron apps ship outdated versions, leaving those apps vulnerable. PWAs use the browser that you already have installed, so as long as you keep it updated all your apps will have all the latest security fixes.
|
||||
|
||||
So why isn't every app shipping as a PWA? The answer is an age old problem with web content: the fact that you have to trust the server every time you use it. You make an HTML GET request and you're served the content, but if the server is compromised, you'll be served a compromised website. This is a huge problem for security-sensitive applications like messengers. An attacker that gains access to their server even just temporarily, could distribute compromised clients to millions of people, potentially breaking E2EE or any other number of malicious actions.
|
||||
|
||||
A typical native app is downloaded onto your computer and only updates when the developers push an update out, and there's usually a process of checks and verification before that happens, like Apple's [App Review](https://developer.apple.com/distribute/app-review/) and the Google Play [review process](https://support.google.com/googleplay/android-developer/answer/9859455?hl=en). Plus it's much more difficult to only target a specific person, like someone with access to the servers that serve the HTML, CSS, and Javascript could do.
|
||||
|
||||
Web Packaging is a specification that allows web content to be distributed offline outside of a browser, much like a traditional app. It can be signed just like a regular app too, allowing you to verify that it came from the proper place and hasn't been modified.
|
||||
|
||||
Isolated Web Apps (IWA) build on the work done on PWAs and [Web Packaging](https://github.com/WICG/webpackage).
|
||||
Isolated Web Apps (IWA) build on the work done on PWAs and [Web Packaging](https://github.com/WICG/webpackage). They are a specification that allows web content to be distributed offline outside of a browser, much like a traditional app. It can be signed just like a regular app too, allowing you to verify that it came from the proper place and hasn't been modified. You could install an IWA from your favorite app store just like any other app and have the same security assurances. This would be incredibly useful in allowing for cross-platform E2EE web apps that don't need to trust a server every time you use them.
|
||||
|
||||
There are some [criticisms](https://github.com/w3ctag/design-reviews/issues/842#issuecomment-1989631915) of IWAs, at least in their current form. It'll be a long process of iterating on the design before a version of this idea that's secure and available across browsers.
|
||||
|
||||
Right now, Chrome ships the feature [enabled by default](https://chromestatus.com/feature/5146307550248960) but only on ChromeOS for admin-controlled machines. Safari and Firefox haven't implemented the feature, with [Firefox](https://github.com/mozilla/standards-positions/issues/799#issuecomment-2342084330) taking a stance against it. Perhaps in its trial run the technology will prove its potential, or maybe IWAs aren't the best solution after all and another attempt will come along. I'll be watching with great interest either way.
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user