In this blog I will walk you through what exactly a Progressive Web Application (PWA) is and the dangers that can come with a world full of them. Progressive Web Applications are part of our everyday life. We use PWAs when searching for a ride or looking for our favorite hobbies on social media. They allow us to do things such as search for our favorite coffee drink, order it from our local store and then pay for it! Forget her birthday? The local department stores are at your fingertips. Long sleeves or short today? A weather application might help. Lost? No problem! Get directions to your destination! Need to check your balance at the bank? Just check the app. Wondering what is going on in the world? News and information applications might be your choice. Looking to stay connected? These are all things that PWAs were designed to do.
PWAs were written to make our experience personal, easier, more enjoyable and in some cases tolerable to use! PWAs allow us to customize our ‘app’ experience, and they do this by using something called JSON strings: a human-readable “language” that allows one computer to request something from another computer, for instance directions to the Mall of America, and then returns the answer to the request in human-readable JSON files.
The Dangers Start Here!
Progressive Web Applications are given permissions by the user at download. We have all experienced the “grant permission” pop-up when downloading an application. Applications can be granted access to various device systems by design; some of those include location, contacts, camera, and microphone. Permissions to access storage spaces and your clipboard can also be requested by an application.
While most applications that use these permissions are legitimate and their providers can be trusted with those permissions, this unfortunately is not always the case. In recent news, threat actors are increasingly posing as legitimate PWAs to hack into your systems and steal sensitive information like Social Security numbers, banking information, and/or passwords. ESET’s article “Be careful what you pwish for – Phishing in PWA applications” reports this tactic was first seen in the wild in 2023.
Posing as legitimate PWAs, threat actors are using actual logos with accurate information. These applications can be hard to spot, and oftentimes the threat actors use this tactic in conjunction with other tactics such as smishing (a social engineering attack that uses fake mobile text messages to trick people into downloading an application).
Safeguarding yourself against downloading a malicious PWA is important!
Here are a few things to think about when downloading applications.
- Verify the source
  - Check that your application is from a trusted source
- Downloading from a website: Check the URL!
  - Make sure you are on the correct website
  - Be aware of any extra characters that may be in the site name
  - If the link takes you to an app store, verify you are in fact in the app store
- Check the Permissions!
  - Only allow the permissions necessary
  - Revoke any permissions not related to the application's purpose
- Be AWARE of phishing tactics!
  - Completely avoid clicking on links in emails that you are not expecting and that claim URGENT issues are at hand
  - Do not follow pop-up messages prompting you to install applications
  - Investigate the application: look for reviews and other downloads
Progressive Web Applications have created an easier world as we know it. We use them daily in many areas of life, whether for entertainment or to be productive. While most PWAs are trustworthy and can be trusted with permissions, threat actors are now posing as legitimate PWAs and using those permissions to hack into systems and steal personal information. In conclusion, no matter what application you install or have installed, know your source!