Enterprise Chrome Blog

IWA: Isolated Web Apps – apps on steroids

Publishing on the web is so easy that everyone and their grandma can do it. The harder part is to secure that server and making sure the version of the content on the clients device is not hacked.

There are a few different reasons why App developers still prefer Android and iOS today

  1. They are usually more compatible with mobile devices
  2. They are perfect for working offline
  3. And while its designed in such a way that it can be updated, its harder to be intercepted by someone on the network or hacked.

As an example, it may be interesting to know that Meta had to work extensively with Cloudflare to ensure that Whatsapp’s code wasn’t modified before it was delivered to a user. This type of risk wouldn’t exist in IWA.

…proposes a way of building applications using web standard technologies that will have useful security properties unavailable to normal web pages. They are tentatively called Isolated Web Apps (IWAs). Rather than being hosted on live web servers and fetched over HTTPS, these applications are packaged into Web Bundles, signed by their developer, and distributed to end-users through one or more of the potential methods described below.

IWA Explainer

Highlights of what IWA

  • By default IWA’s Content Security Policy (CSP) would provide strong protection against cross-site scripting (XSS) vulnerabilities.
  • IWA will use Transport Layer Security (TLS) and Subresource Integrity (SRI) to provide protection against resources being tampered while in-transit or when hosted on third-party servers.
  • The app won’t use DNS name as the identifier. This is to protect it against DNS based attacks. Instead the URL would be based on app’s public key which is used to sign the Web Bundles it would come in.
  • And to use this new way of identifying the app, its going to introduce a new scheme (potentially, isolated-app://). More details on this scheme can be found here

IWA is still in very early stages. To find out when it would be available in Chrome, follow the progress here.

I’ve already seen how powerful PWAs can get with the right level of knowledge and investment. With the announcement of IWA, its very clear that there is a lot more coming in this space and I’m still hoping to see a day when we would have apps working across the Chromebooks and iPhones without any rewrite.

Posted

in

by

Roy Thomas

Tags:

, , ,

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

Exit mobile version