
The Invisible Risk of Mobile Apps: PWA Fraud and How to Prevent It

Almost a decade after their emergence, Progressive Web Apps (PWAs) finally went mainstream in 2024. Their MO? To compete with, and in some cases replace, native apps.

To do this, PWAs promise to combine the best features of web and native mobile apps, delivering seamless, reliable, and engaging experiences across all devices and platforms.

Cross-platform compatibility, direct distribution, cost and maintenance advantages – it all sounds very alluring. But, without ruining the PWA party, it’s worth asking: what’s the catch? Are Progressive Web Apps safe?

As we’ll discuss, one of PWAs’ claimed advantages is, unfortunately, also their Achilles’ heel. We’ll get to that. First, the basics.

What Are Progressive Web Apps?

Progressive Web Apps are a type of web application that brings together the best features of web and mobile apps, offering seamless, app-like experiences directly in web browsers.

PWAs are designed to be fast, reliable, and engaging, even in poor network conditions. They can be installed on a user’s device, work offline, and send push notifications, all without the need for downloading through an app store.

Progressive Web Apps vs native apps

PWAs are built using standard web technologies like HTML, CSS, and JavaScript, making them accessible to developers with web development skills. Unlike traditional web apps, PWAs are designed to deliver a native app-like experience by leveraging modern web capabilities.

A core feature of PWAs is service workers, which are background scripts that handle tasks such as caching resources and synchronizing data in the background. This allows PWAs to function offline and provide a consistent user experience even in low-connectivity environments.

Another critical component is the web app manifest, a JSON file that defines the app’s metadata, such as its name, icons, and start URL. This manifest allows PWAs to be installed on a user’s home screen and run in a standalone window, creating an experience similar to that of native apps.

Progressive Web Apps vs native apps: three key differences

While PWAs use the same foundational technologies as traditional websites, their ability to offer a responsive, app-like experience directly through the browser—without the need for app store downloads—sets them apart from both traditional web apps and native apps.

Keep that last part in mind. As we’ll discover, one of PWAs’ most obvious advantages turns out to be a less obvious vulnerability few people are talking about.

First, to preface, here are three key differences of Progressive Web Apps vs native apps.

1. Native apps have higher development and maintenance costs

Native apps: are developed for specific platforms (iOS, Android) using platform-specific languages like Swift for iOS or Kotlin for Android. This often means maintaining separate codebases for each platform, incurring higher development and maintenance costs.

PWAs: are built using standard web technologies like HTML, CSS, and JavaScript, making them easier and more cost-effective to develop and maintain. A single codebase can serve all platforms (desktop, mobile, tablet), reducing development time and costs.

2. PWAs are more ‘discoverable’ through traditional SEO

Native apps: are discoverable through user app store searches, but can’t be optimized to be found in traditional search engines.

PWAs: on the other hand, are actively indexed by search engines, making them discoverable through web searches. This can be a significant advantage for app developers looking to improve their online visibility and reach.

3. PWAs don’t require app store approval

Native apps: must go through a rigorous approval process to be listed in app stores. While this ensures a level of quality and security, it can also delay the release of updates and make it harder to get the app to market quickly.

PWAs: are distributed through the web, so they don’t require app store approval, allowing for faster updates and deployment.

PWA fraud: the downside of no app store approval

Faster time-to-market, global reach, greater flexibility – PWAs offer undeniable convenience. While rapid web-based deployment brings attractive advantages, it’s a double-edged sword – one that’s often drowned out by the tech bro fanfare.

In short, bypassing your favorite app store means bypassing critical security controls.

Unlike apps downloaded from official app stores, PWAs bypass rigorous security vetting processes implemented by the likes of Google or Apple – and bad actors are exploiting this.

Once a user is lured into using a fake PWA through techniques like clone phishing, their banking credentials and other sensitive information are at risk of being harvested.

Real-world incidents – like those first observed in Poland in 2023 – illustrate the ease with which fraudsters now leverage PWA scams to steal bank credentials from iOS and Android users.

The techniques used were the usual suspects – smishing, malvertising, and fake update notifications to trick users into installing malicious PWAs mimicking legitimate banking apps. What’s more alarming is the fact that users have been habituated by app stores to take app authenticity pre-vetting for granted.
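Because a fake PWA advertises its identity through the same web app manifest fields described above (name, icons, start URL), a defender can audit a manifest for brand impersonation: the name claims a brand, but the start URL resolves to an origin that brand does not own, or the icons are hot-linked from the genuine site. The following check is an added example, not Memcyco's code or any product's detection logic; the brand name, origins and sample manifest are constructed placeholders.

```javascript
// Added example: flag a web app manifest that claims a brand it is not hosted by.
// Brand allowlist is hypothetical: marketing name -> origins allowed to serve it.
const LEGIT_BRANDS = [
  { name: "Example Bank", origins: ["https://www.example-bank.test"] },
];

// Normalise a manifest name: lower-case, fold common look-alike digits
// (0->o, 1->l, 3->e), then keep letters only so "Examp1e-Bank" == "examplebank".
function normaliseName(s) {
  return String(s || "")
    .toLowerCase()
    .replace(/[013]/g, (c) => ({ "0": "o", "1": "l", "3": "e" }[c]))
    .replace(/[^a-z]/g, "");
}

// Resolve a manifest member the way browsers do, relative to the manifest's own URL
// (simplification: an absent start_url falls back to the manifest URL itself).
function resolveMember(manifestUrl, value) {
  return new URL(value == null ? "" : value, manifestUrl);
}

// Returns a list of human-readable findings; an empty list means no impersonation signal.
function auditManifest(manifestUrl, manifestJson) {
  const m = JSON.parse(manifestJson);
  const findings = [];
  const names = [m.name, m.short_name].map(normaliseName).filter(Boolean);
  const startOrigin = resolveMember(manifestUrl, m.start_url).origin;
  for (const brand of LEGIT_BRANDS) {
    const key = normaliseName(brand.name);
    if (!names.some((n) => n.includes(key))) continue;   // does not claim this brand
    const hosted = brand.origins.includes(startOrigin);
    if (!hosted) {
      findings.push(`name "${m.name}" matches ${brand.name} but start_url origin is ${startOrigin}`);
    }
    // Icons served from the genuine brand origin while the app runs elsewhere is a clone tell.
    for (const icon of m.icons || []) {
      const iconOrigin = resolveMember(manifestUrl, icon.src).origin;
      if (!hosted && brand.origins.includes(iconOrigin)) {
        findings.push(`icon ${icon.src} comes from ${iconOrigin} while the app runs on ${startOrigin}`);
      }
    }
  }
  return findings;
}

// Constructed sample: a look-alike domain reusing the bank's name and real icon.
const SAMPLE_MANIFEST_URL = "https://example-bank-secure.test/manifest.json";
const SAMPLE_MANIFEST = JSON.stringify({
  name: "Examp1e Bank", short_name: "Bank", start_url: "/login",
  icons: [{ src: "https://www.example-bank.test/icon-192.png", sizes: "192x192" }],
});
console.log(auditManifest(SAMPLE_MANIFEST_URL, SAMPLE_MANIFEST));
```

The same check run over the legitimate manifest on the brand's own origin returns no findings, so it can be applied to manifests discovered through search indexing or takedown feeds without flagging the genuine app.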

Protect revenue, brand equity, and users from PWA fraud in real time

To counter the growing threat of fake PWAs, real-time digital impersonation protection has emerged as the go-to answer, capable of performing real-time checks to identify unauthorized attempts to replicate or manipulate an app’s functionality.

Memcyco’s real-time digital impersonation protection also uses advanced decoy data to automatically swap potentially exposed user credentials and card data at the point of impact, effectively neutralizing the value of any data compromised through fake PWAs.

This proactive approach not only protects sensitive information but also disrupts the effectiveness of fake PWA scams, safeguarding both businesses and their customers from digital impersonation fraud.

To see Memcyco in action, request a demo.
We’ll show you why and how global businesses replace their current solution with Memcyco.

Arthur Zavalkovsky

VP of Product at Memcyco
