A new Progressive Web App danger very few know about

Friday, December 20th, 2024

Carlo D'Agnolo

Progressive Web Apps (PWAs) have revolutionized how we build and deliver applications. It’s no wonder they’ve gained traction. They simplify development, combining the flexibility of the web with the capabilities of mobile: offline access, push notifications, and hardware integration, all wrapped in the convenience of a browser. With updates like those in iOS 16.4 in 2023, embedding browser capabilities into apps is easier than ever, driving the new wave of PWA adoption.

But there’s a flipside. With their rise comes an increase in client-side security risks. And the industry? It’s barely talked about.

The Tinder app is a PWA.

PWAs are browsers

At their core, PWAs are browsers. They transform every app into a micro-web environment. That’s their power—they load instantly, reuse website code, and connect to web services seamlessly. Yet, this very architecture also exposes them to the web’s vulnerabilities, especially client-side risks tied to 3rd-party scripts.

Modern websites depend on these scripts for everything from analytics to engagement tools. While convenient, they massively expand your attack surface. In a PWA, these same scripts run directly inside the app, amplifying risks like data leakage and malicious code injection.

Your risk isn’t limited to website visitors anymore; it extends to every app user.

Keep the web supply chain in mind

The client-side is the final stop in the chain. It’s where your code, both 1st and 3rd-party, loads into the user’s browser or PWA.

3rd-party scripts sourced from external vendors are integral but often fall outside your control, making them prime targets for attackers. From compromised analytics scripts leaking user data to malicious code injected into chatbots, the client-side is under constant threat.

Building a PWA only amplifies these risks by bringing them into your app.
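One defensive control a PWA can add on top of a Content-Security-Policy is a service worker that refuses to fetch executable code from origins the app does not knowingly depend on. The following is an added example written for this post, not c/side’s code; the origins in `SCRIPT_POLICY` are assumed placeholders, and `decideScriptRequest` is a name chosen here.

```javascript
// Added example, not c/side's code: a service-worker policy for a PWA that
// refuses to load executable code (scripts, workers) from any origin the app
// does not knowingly depend on. Origins below are assumed placeholders.
const SCRIPT_POLICY = {
  selfOrigin: 'https://app.example',
  allowedThirdParty: new Set(['https://analytics.example', 'https://chat.example']),
};

// Request destinations that result in code execution inside the app.
const CODE_DESTINATIONS = new Set(['script', 'worker', 'sharedworker', 'serviceworker']);

// Pure decision: takes anything with `url` and `destination` (a Request, or a
// plain object in tests) and returns { action, reason }. Non-code fetches pass
// through unchanged; the worker only polices what can run as code.
function decideScriptRequest(request, policy = SCRIPT_POLICY) {
  if (!CODE_DESTINATIONS.has(request.destination)) {
    return { action: 'allow', reason: 'not a code resource' };
  }
  let url;
  try {
    url = new URL(request.url);
  } catch {
    return { action: 'block', reason: 'unparseable script URL' };
  }
  if (url.protocol !== 'https:') {
    return { action: 'block', reason: `insecure scheme ${url.protocol}` };
  }
  if (url.origin === policy.selfOrigin) {
    return { action: 'allow', reason: 'first-party script' };
  }
  if (policy.allowedThirdParty.has(url.origin)) {
    return { action: 'allow', reason: `allow-listed third party ${url.origin}` };
  }
  return { action: 'block', reason: `unexpected script origin ${url.origin}` };
}

// Wire-up: only runs inside a real ServiceWorkerGlobalScope. It cannot see
// inline scripts or the very first page load before the worker installs, so a
// Content-Security-Policy script-src header remains the backstop.
if (typeof self !== 'undefined' && 'ServiceWorkerGlobalScope' in self) {
  self.addEventListener('fetch', (event) => {
    const decision = decideScriptRequest(event.request);
    if (decision.action === 'block') {
      console.warn('[script-policy] blocked', event.request.url, decision.reason);
      event.respondWith(new Response('', { status: 403 }));
    }
  });
}
```

The blocked-request log is where a monitoring tool would pick up an unexpected script origin; the policy itself is only as good as the allowlist, which has to be reviewed whenever a vendor tag changes its loading domain.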

PWAs are not bad

With all this being said, we don’t advocate against using PWAs. Depending on your needs, they’re likely the smartest choice. Just don’t overlook the security challenges they bring. Unfortunately, client-side vulnerabilities, especially from 3rd-party scripts, are often ignored.

We’ve built c/side, a 3rd-party script monitoring and security tool. This solves all these problems in both web and PWA environments. Install it right now, or talk to us - we’re more than happy to help you get started.

More About Carlo D'Agnolo

I'm the Head of Marketing at c/side.