The release of iOS 16.4 has been a game-changer for mobile app developers: suddenly, teams can put full-fledged web browser capabilities into their applications. Almost any iOS mobile app can now be a progressive web app (PWA)—significantly reducing development and maintenance costs while also improving app performance and the all-important user experience. PWAs offer the best of both worlds when it comes to website and native app capabilities: they combine push notifications, offline usability, and access to device hardware (such as location tracking and the camera and microphone). Developers turning to PWAs give users a more powerful version of their company’s website, with instant load times (since content is included in the app) and expanded feature sets.
All great stuff—except, in many cases, when it comes to security.
The PWA security challenge
Functionally, PWAs turn almost every app into a browser, and teams need to better understand the specific and unique security issues that change invites. A typical modern website depends on dozens of third-party scripts from outside sources, scripts which are then executed in users’ web browsers. These code scripts enable all kinds of common and necessary functions, from chatbot interactivity to captchas to social media features to marketing monitoring and analytics. Collectively, this browser supply chain has been an increasing target for hacks. But with businesses now leveraging their website browser supply chains within their mobile apps as well, this security risk (which has affected major companies from British Airways to Kaiser Permanente) has expanded even more quickly in the past few months.
How to approach PWA security
Securing the browser supply chain to safeguard PWAs and end users’ data requires a thoughtful and comprehensive approach. An effective browser-side security strategy should include continuous monitoring and alerting of these third-party scripts, regular auditing, infrastructure protections, and employee security training.
More specifically, comprehensive monitoring should cover both registry monitoring and browser-side script monitoring, vet all script requests in real-time, and detect and block any malicious activities as they occur and before damage is done. Third-party scripts should undergo full code integrity checks every time they run—and absolutely before they are ever sent to a user’s browser. For registry monitoring, tools should be in place to proactively identify and eliminate threats, even before they reach the development environment. Sufficient monitoring should continuously scan and monitor the attack surface for threats, and provide immediate alerting and automated countermeasures when vulnerabilities, harmful scripts, and other active threats are surfaced.
Monitoring should also actively measure web script performance—with the multiple benefits of recognizing anomalies while flagging optimization opportunities and better experiences for end users. (Additionally, logging is crucial for enabling detailed historical analysis, especially in the aftermath of an incident.) Studying this analysis provides key guidance for understanding the most acute risks and improving security protections going forward. Conducting code reviews and audits at a regular cadence will also help make sure every script supporting a PWA meets its organization’s established security requirements and policies.
On the infrastructure security front, implementing a web application firewall will detect and block inbound threats before they can reach web applications and exploit vulnerabilities. Organizations should also implement malware scanning to safeguard script functionality, such as form uploads or any other avenue where attackers might attempt to introduce malicious files or code. DNS security is also essential for preventing malicious attempts to hijack traffic and data.
Finally, regular security training must be provided to development and operations teams working on PWAs—continually keeping folks educated on the newest threats and evolving security safeguards. Even with tools in place, employees and their security awareness (or lack thereof) often still play a decisive role in whether attacks succeed or fail.
Enable powerful mobile apps, curtail security risks
Organizations now have tremendous opportunities to harness the power of browser-enabled apps to deliver more engaging and valuable user experiences. By adopting and adhering to browser-side security best practices, teams can keep attacks on third-party browser scripts at bay without holding back on realizing PWA modernization.
About the Author
Simon Wijckmans is the CEO of c/side. An expert on client-side security, he founded the company in 2024 after working in product management roles at Cloudflare and Vercel. Simon can be reached via LinkedIn (https://www.linkedin.com/in/wijckmans/) and at https://cside.dev/
