Improved security with PWAs (Part 3)

3/4/2020

The story so far:

In the first part of this article series, we reported that NFC and RFID tag functionality will soon be available for mobile solutions based on PWA technology. In this context, we looked at what PWAs are and what this means for you.

In the second part, we explained how this shortens update cycles and how this will help you as a user.

You can also read the details here:

Part 1: What Are Progressive Web Apps

Part 2: Short Update Cycles and Benefits by PWA

In this final part of our series, we explain why PWA technology improves security for you and what additional benefits the standardisation of this technology brings.

Improved Security

The good news: security on your smartphone is possible. The bad news: you also need to use these security features, set them up correctly, and keep up to date with the latest security patches. In addition, other parties, such as the app store providers, also have to play their part, which unfortunately has had mixed results in the past.

Security infrastructure on your smartphone

Current smartphones have numerous security features, ranging from encryption and permission management for apps to virus and malware scanners. The problem is that these security options also need to be used and often require explicit activation, which unfortunately is not always the default setting, especially for devices in the lower price categories.

Even with these options enabled, there is another obstacle to security: for applications to work, they must legitimately ask for the permissions needed to perform the desired functions. In practice, there are several problems with this: many apps ask for far more permissions than they actually need, and it is sometimes difficult, especially for lay users, to understand what certain permissions actually mean and why they are necessary.

All too often this leads to users carelessly consenting to whatever permissions these apps request, so that the permission prompt gives the user no real control.

Device Updates

And finally, there is the well-known issue with device updates, or rather the lack thereof. This is a particular problem on the Android platform. Many users would gladly install updates if device manufacturers made them available. Unfortunately, this is often not the case, especially with inexpensive or lower-end smartphones, so that known security gaps often remain open and cannot be closed by the user.

Security in the app store

As mentioned earlier, device security itself is not enough when malicious apps are installed. The promise of the app store providers is therefore to offer only selected and verified software and applications. The reality is often different, and many apps hide malicious code, viruses, and spyware. Such news stories appear with almost frightening regularity and show the limits of the automated protection algorithms implemented by app store operators.

It is easy to blame store providers, but it is also true that, faced with millions of apps, automated protection is not enough, as the news shows all too regularly. On the other hand, a manual, detailed check of each app and each app update is just as infeasible because of their sheer number, especially for apps that only reach a few hundred thousand users.

PWAs to the rescue?

What is the alternative, you may ask? At least one alternative approach is PWA apps. After all, these are essentially just “better” websites, and we know how to handle those quite well and, above all, securely. The approach to security is also the opposite: instead of restricting functions through permission management, PWAs initially come without any rights at all. Only after certain prerequisites are met and a specific, immediate need arises can a PWA ask for additional functions.

The browser, in which the website or PWA app ultimately runs, ensures security on your device and acts as a “virtual guardian”, even though the browser itself is no longer visible to the user. All PWA applications thus run in a so-called “sandbox” – a highly restricted and closed environment that separates the app from the actual smartphone and your sensitive data.

Previously, this was precisely the reason why many apps simply were not possible as PWAs: there was no technical way to use certain device functions, as was the case with NFC and RFID tags. However, more and more interfaces and technologies entering the PWA family are changing this rapidly, with a different approach: security and privacy first, i.e. security and data protection are always the starting point of any interface architecture, or in short “secure by design”.
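To make the “no rights until there is a concrete need” model concrete, here is an added example (not code from the original article) of how a PWA would gate access to NFC tags before it ever asks the user. The checks it runs mirror what Chromium enforces for Web NFC: the page must be served over HTTPS (`isSecureContext`), the `NDEFReader` class must exist, `NDEFReader.scan()` must be called in response to a user gesture (`navigator.userActivation.isActive`), and the Permissions API can be asked about the `"nfc"` permission. The `env` object and `makeFakeEnv()` are constructed stand-ins for those browser globals, with made-up tag data, so the logic runs outside a browser.

```javascript
// Added example: gating NFC access in a PWA, step by step. `env` stands in for the
// browser globals (isSecureContext, NDEFReader, navigator.permissions,
// navigator.userActivation) so the code also runs in Node.

// Check the preconditions the browser enforces before a scan may even be requested.
// Returns "ok" when a request may proceed, otherwise the blocking reason.
function nfcAccessState(env) {
  if (!env.isSecureContext) return "insecure-context";            // Web NFC is limited to HTTPS origins
  if (typeof env.NDEFReader !== "function") return "unsupported"; // feature detection; never assume the capability
  if (!env.userActivation || !env.userActivation.isActive) return "needs-user-gesture"; // scan() must follow a user action
  return "ok";
}

// Ask the Permissions API what the user has already decided for NFC.
// Returns "granted", "denied", "prompt", or "unknown" when the API is missing.
async function nfcPermissionState(env) {
  if (!env.permissions || typeof env.permissions.query !== "function") return "unknown";
  try {
    const status = await env.permissions.query({ name: "nfc" });
    return status.state;
  } catch (err) {
    return "unknown"; // browsers that do not know the "nfc" permission name throw a TypeError
  }
}

// Read a single tag: run the checks, then start a scan that gives up if no tag is tapped.
// Resolves to { ok: true, serial, records } or { ok: false, reason }.
async function readOneTag(env, timeoutMs = 5000) {
  const state = nfcAccessState(env);
  if (state !== "ok") return { ok: false, reason: state };
  if ((await nfcPermissionState(env)) === "denied") return { ok: false, reason: "denied" };

  const reader = new env.NDEFReader();
  const firstReading = new Promise((resolve) => {
    const timer = setTimeout(() => resolve({ ok: false, reason: "timeout" }), timeoutMs);
    if (typeof timer.unref === "function") timer.unref(); // do not keep a Node process alive
    reader.addEventListener("reading", (event) => {
      clearTimeout(timer);
      resolve({ ok: true, serial: event.serialNumber, records: event.message.records.length });
    });
  });
  try {
    await reader.scan(); // the browser shows its own permission prompt here if needed
  } catch (err) {
    return { ok: false, reason: err.name }; // e.g. NotAllowedError when the user declines
  }
  return firstReading;
}

// Constructed stand-in for the browser environment; the serial number and record are made up.
function makeFakeEnv({ secure = true, supported = true, active = true, decision = "prompt" } = {}) {
  class FakeNDEFReader {
    constructor() { this.onReading = []; }
    addEventListener(type, fn) { if (type === "reading") this.onReading.push(fn); }
    async scan() {
      // Simulate a tag being tapped shortly after scanning starts.
      const event = { serialNumber: "04:a1:b2:c3", message: { records: [{ recordType: "text" }] } };
      setTimeout(() => this.onReading.forEach((fn) => fn(event)), 0);
    }
  }
  return {
    isSecureContext: secure,
    NDEFReader: supported ? FakeNDEFReader : undefined,
    userActivation: { isActive: active },
    permissions: { query: async () => ({ state: decision }) },
  };
}

// Stand-alone run: walk through the blocked cases and one successful read.
if (typeof require !== "undefined" && require.main === module) {
  (async () => {
    console.log(nfcAccessState(makeFakeEnv({ secure: false })));   // insecure-context
    console.log(await readOneTag(makeFakeEnv({ decision: "denied" }))); // { ok: false, reason: 'denied' }
    console.log(await readOneTag(makeFakeEnv()));                   // { ok: true, serial: '04:a1:b2:c3', records: 1 }
  })();
}
```

The order of the checks is the point: the app discovers whether the capability exists at all, whether it is currently allowed to ask, and what the user already decided, and only then does the browser show a prompt. In a real page you would call `readOneTag` from a click handler with `env = { isSecureContext, NDEFReader: window.NDEFReader, userActivation: navigator.userActivation, permissions: navigator.permissions }`, and the sandbox described above means the app never touches the NFC hardware directly, only the browser does.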

The browser as a security guardian

The browser as an intermediary layer has further security-relevant advantages. On the one hand, updates are usually available much more frequently, more regularly and for longer, even for older or lower-end smartphones, and above all without requiring the help of device manufacturers.

Furthermore, the browser is used by millions or even billions of people daily and is tested accordingly. Security scans and checks are frequent, and when security vulnerabilities are found, fixes are usually available promptly. For users, this translates to significantly better protection against security vulnerabilities and malware.

Standardisation

Using a browser as the basis for PWA applications, and the associated standardisation of APIs and interfaces, has a further advantage: technological innovations may find their way into new device groups. Case in point, NFC and RFID tags: technically, many devices are already equipped with the necessary hardware, which is also true for many devices from Apple. Yet the use of this technology is largely reserved for a few closed solutions, such as Apple Pay. With standardisation, we may hope that NFC and RFID tags will eventually be supported by Apple for broader applications, although as of yet no statements to this effect have been made.