Google Chrome and Microsoft Edge actively support Progressive Web App but caution about ‘bait and switch’ attacks using PWA

Warning about potential dangers of PWA? Pic credit: Sean MacEntee/Flickr

Popular web browsers, especially for the Windows operating system, have not only developed but wholeheartedly adopted the Progressive Web App platform. However, these very internet browsers are now beginning to warn web users about the hidden dangers of PWA.

Moving ahead, Google Chrome and Microsoft Edge will warn browser users about Progressive Web Apps that try to trick users. Threat actors routinely attempt to trick users with simple “bait and switch” apps, and the browsers are now proactively looking for such methods with PWA.

Microsoft and Google offer near-native functionality of internet services and products with PWA:

Microsoft Edge and Google Chrome are two of the most progressive web browsers when it comes to adopting the Progressive Web App platform. In fact, Microsoft and Google have helped develop the platform and ensure its mainstream adoption.

Progressive Web App or PWA is essentially a browser-driven version of any internet-based product or service. These “applications” are essentially weblinks that web browsers such as Chrome or Edge support.

While the PWA is running, the web browser is doing the majority of the heavy lifting at the client-side. Some of the benefits of PWA are:

  • Progressive Web Apps (PWAs) provide quick access and additional functionality such as offline support, notifications, etc.
  • They’re light and responsive
  • They work on any device which supports a web browser.
  • PWAs are installable and offer an app-like native experience
  • Safe to use because the internet company is running the app through a web browser.
  • Always up to date as there’s no setup or executable.
  • PWAs work even on slow networks and offline, owing to service workers.
  • Desktop Progressive Web Apps have the ability to start running at boot and login. They are available for immediate use. Chrome and Edge both support the AutoStart feature.
  • They’re like native apps on Windows 10 with Jumplist support.
  • Chrome and Edge desktop PWAs support tabs.

Microsoft and Google now attempt to warn browser users about questionable Progressive Web Apps:

Chrome users can visit chrome://flags and search for PWA, and they will realize there are a lot of “flags”. This strongly suggests Google and Microsoft are keen on adding features for enhanced PWA usage experience.

While there are numerous benefits, threat actors can try and manipulate PWA to trick users. Although phishing attacks using PWA aren’t mainstream, both Google and Microsoft are taking proactive steps.

Moving ahead, Chrome and Edge will reportedly warn users if a PWA is attempting to update its icon. The browsers will display a warning which reads:

“Review icon update. If this Web app is trying to trick you into thinking it’s a different app, uninstall it”

Pic credit: Techdows

The dialog essentially cautions users to uninstall the app if it is masquerading as a different app by using the icons of popular internet-based platforms or services.

Currently, the warning is off by default. However, users can easily turn on the “PWA install update dialog for name/icon changes” flag. Activating the flag could protect users from shady PWAs in the Chrome and Edge web browsers.
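
The kind of check behind a name/icon update warning can be sketched as a comparison between the web app manifest recorded at install time and the updated one. This is an added example, not Chrome's or Edge's code; the manifests, URLs and function names are constructed for illustration, and it only compares the declared `name`, `short_name` and `icons` entries.

```javascript
// Added example: manifests and URLs below are constructed for illustration.
const MANIFEST_URL = "https://notes.example/app/manifest.webmanifest";
const installedManifest = {
  name: "Example Notes", short_name: "Notes",
  icons: [{ src: "icons/notes-192.png", sizes: "192x192" }],
};
const updatedManifest = {
  name: "Example Bank", short_name: "Bank",
  icons: [{ src: "https://cdn.example.net/bank-192.png", sizes: "192x192" }],
};

// The identity a user sees for an installed PWA: its names and its icon set.
function identityOf(manifest, manifestUrl) {
  const icons = (manifest.icons || [])
    .filter((icon) => icon && typeof icon.src === "string")
    // Icon paths are resolved relative to the manifest URL before comparing.
    .map((icon) => `${new URL(icon.src, manifestUrl).href} ${icon.sizes || "any"}`)
    .sort();
  return {
    name: (manifest.name || "").trim(),
    short_name: (manifest.short_name || "").trim(),
    icons,
  };
}

// Returns one finding per changed identity field; an empty list means the
// declared identity is unchanged. Icon bytes replaced at the same URL are
// not detected here, since only the manifest entries are compared.
function reviewIdentityUpdate(installed, updated, manifestUrl) {
  const before = identityOf(installed, manifestUrl);
  const after = identityOf(updated, manifestUrl);
  const findings = [];
  for (const field of ["name", "short_name"]) {
    if (before[field] !== after[field]) {
      findings.push({ field, from: before[field], to: after[field] });
    }
  }
  const added = after.icons.filter((i) => !before.icons.includes(i));
  const removed = before.icons.filter((i) => !after.icons.includes(i));
  if (added.length || removed.length) {
    // New icons served from another origin than the manifest get called out.
    const origin = new URL(manifestUrl).origin;
    const offOrigin = added.filter((i) => new URL(i.split(" ")[0]).origin !== origin);
    findings.push({ field: "icons", added, removed, offOrigin });
  }
  return findings;
}

console.log(JSON.stringify(reviewIdentityUpdate(installedManifest, updatedManifest, MANIFEST_URL), null, 2));
```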
