Make room for IWA (Isolated Web Application)

Android apps. Linux packages. App delivery on ChromeOS has grown exponentially over the past few years, but one platform, in particular, has revolutionized app delivery across all operating systems. Of course, I’m talking about progressive web applications. PWAs have evolved to the point where it becomes difficult to distinguish them from locally installed executables.

As powerful and versatile as web applications have become, the fact remains that applications are still built on web standards and delivered from a server like any other web page. For most applications, this is not a problem. HTTPS protocols have become an industry standard and data transmitted between users and hosts is often secure. However, this does not mean that they are completely invulnerable to attacks that can put end users and servers at risk.

Enter IWA

IWA, or Isolated Web App, sounds like some sort of highly rated task force out of the Mission Impossible movie. However, it is really just a new form of web application being developed in the Chromium repository and on GitHub. From the looks of things, Google and Microsoft are putting together this new type of web application with the goal that it can be compiled into a web package and served differently from the traditional on-server method used for progressive web applications. Below is a brief description of the goal of isolated web applications.

This document suggests a way to build applications using standard web technologies that will have useful security features not available to regular web pages. They are initially called isolated web applications (IWAs). Instead of being hosted on direct web servers and fetched over HTTPS, these applications are packaged into web packages, signed by their developer, and distributed to end users through one or more of the potential methods described below.

I’m not going to sit here and pretend I have no understanding about how the new IWA works, but from Git I can glean that these apps will be delivered as packages that are signed and verified by the respective developers. These packages can then be delivered in a variety of proposed methods. Four of them are listed below.

IWA Possible Delivery Methods

  • A signed raw web package.
  • Bundled in a platform-specific installation format such as APK, MSI, or DMG.
  • Distributed through a third-party operating system, browser, or “app store”.
  • Installed automatically by the enterprise system configuration management infrastructure.

Besides the security offered by off-server delivery, IWA can also be designed to restrict access to third-party storage. This is achieved by customizing the “storage sheds” of the isolated application.

Apps may choose to make the isolated app act “like an app” only by allowing it to run in a stand-alone window and assigning a separate storage shed to it so that no third party storage is available from the user’s normal browsing session. Suggested changes to the web platform in general to reduce access to third party storage could eventually make the latter the default behavior for any asset.

This new type of web application is still in its early stages and I have no idea if or when we can see IWAs in the wild. The fact that Google and Microsoft are working together tells me that isolated web applications could, eventually, become standard for Chromium-based browsers. For companies looking for the most secure way to deliver web applications, IWA could be the future of application delivery. We’ll be watching closely and hopefully get some ideas from the Chromium team on how the project will evolve. Stay tuned.
