Apple’s Pivot on iPhone Web Apps — Why it Matters for Crypto

By Shareef Salman
Security Auditor & Engineer

Earlier this month, Apple walked back its previous decision to discontinue the support for the installation of home screen web apps, also known as progressive web apps (PWAs), in the European Union.

PWAs essentially allow users to install certain websites as standalone apps on their iOS devices, offering not just quick access to websites but also various app functionalities that might not be available through a native iOS application. PWAs are popular among crypto developers as they provide straightforward and secure access to decentralized applications (dApps) and crypto wallets through a user-friendly interface.

In this blog I will explain why Apple’s decision matters and offer clear ways of strengthening the security of your PWAs.

The Backstory

Initially, Apple aimed to align with the EU’s Digital Markets Act (DMA) by restricting PWAs on iOS devices, citing compliance reasons. The EU’s directive sought to diversify browser engines beyond Apple’s native Safari WebKit, prompting Apple to adapt by integrating Home Screen web apps through WebKit exclusively. Apple’s concern was straightforward: alternative browser engines might not offer the same level of security as WebKit, potentially exposing users to security risks from malicious web applications.

However, Apple faced major pushback from developers and advocacy groups. The Open Web Advocacy organization, for instance, stated “entire categories of apps will no longer be viable on the web as a result” of the change.

As a result of the controversy, Apple has now opted to maintain the status quo. As the company stated, “Home Screen web apps continue to be built directly on WebKit and its security architecture,” thus preserving the integrity and privacy standards of iOS applications.

PWAs and Crypto

Developers in the crypto space have welcomed Apple’s decision to course correct. Developing a new crypto wallet or similar application often involves navigating the complex landscape of app store regulations, not to mention the technical challenge of managing multiple codebases for different platforms. This process is both laborious and time-consuming.

This is where PWAs make a real difference. By sidestepping the constraints of traditional app stores, PWAs allow for direct installation through a web browser, making the development of cross-platform wallets significantly more straightforward. PWAs deliver a seamless, native app experience, including custom storage and instant notification permissions — all from a single click on the Home Screen. It’s pretty amazing if you think about it.

I should also mention that limitations imposed by app stores can hinder creativity and restrict app distribution, conflicting with web3’s decentralized ethos. Centralized platforms, such as those managed by Google and Apple, control app availability and can impose restrictive policies or fees. PWAs offer a refreshing alternative by circumventing these barriers, aligning more closely with the principles of freedom and innovation intrinsic to the web3 space.

Take Google Play, for example. While the store prioritizes safety and security, its policies may inadvertently curb developers’ freedom to innovate. To take just one contentious policy that is relevant to the crypto industry, Google has banned apps that mine crypto on devices (though they permit apps that remotely manage crypto mining).

Security of PWAs

Right, now that I’ve extolled the benefits of PWAs, it’s important to add some caveats. While they are generally considered secure due to their use of HTTPS protocols and other security features provided by modern web browsers, PWAs are not immune to security threats.

To ensure the security of Progressive Web Apps (PWAs) and protect them against vulnerabilities, developers must adopt a comprehensive approach that encompasses various best practices and standards.

One of the foundational steps involves using HTTPS and SSL/TLS implementation, where PWAs are served from SSL-certified servers to secure data transfer and protect user information transmitted through HTTP headers or response parameters. Equally important is the establishment of reliable user authentication mechanisms, which play a pivotal role in safeguarding PWAs from unauthorized access.

Another critical security measure is certificate pinning, which verifies the authenticity of SSL certificates to thwart man-in-the-middle attacks. Keeping security protocols up to date is also vital for the ongoing security of PWAs, requiring regular reviews and updates to address new vulnerabilities as they are discovered. Additionally, the incorporation of Runtime Application Self-Protection (RASP) solutions within the application’s runtime code offers real-time defense against attacks, further enhancing security.

The protection of data, whether in transit or at rest, cannot be overlooked. The use of Transport Layer Security (TLS) for data in transit and advanced encryption methods, such as AES for data at rest, ensures the integrity and confidentiality of sensitive information stored in databases or caches. Implementing a Content Security Policy (CSP) is another proactive step to prevent malicious attacks by controlling the sources from which resources like scripts, images, and stylesheets can be loaded.

Regularly updating PWAs with the latest security patches is essential to mitigate known threats and maintain robust security defenses. However, ensuring the security of PWAs extends beyond technical measures alone. Educating users about the importance of online security and how to protect themselves is crucial, as user vigilance is often the first line of defense against potential threats. Through a combination of these practices, developers can create a secure environment for PWAs, offering users both functionality and peace of mind.

Conclusion

While app stores put a premium on user safety, opting to publish a Progressive Web App (PWA) independently places the entirety of the security burden on your shoulders. Adopting a security-first mindset throughout the development process is essential for crafting secure applications. Yet, it’s equally important to recognize when to enlist the expertise of security auditors. Their extensive experience and fresh insights can be invaluable in uncovering vulnerabilities and bugs, which is particularly crucial for sensitive applications like cryptocurrency wallets.

The Thesis Defense team has extensive experience in auditing web applications, decentralized apps (dApps), wallets, and various JavaScript-based applications, drawing on a diverse range of expertise from multiple industries. If you’re building a PWA and you prioritize security, we look forward to hearing from you.

At Thesis Defense, we pride ourselves on our expertise. Our team of security auditors have carried out hundreds of security audits for decentralized systems across a number of technologies including smart contracts, wallets + browser extensions, bridges, node implementations, cryptographic protocols, and dApps. We offer our services within a variety of ecosystems including Bitcoin, Ethereum + EVMs, Stacks, Cosmos / Cosmos SDK, NEAR and more.

To learn more about our services and get a free quote, schedule a call or email us @ defense@thesis.co. For more information about Thesis Defense, visit us on our website, blog and X (Twitter).