
Android applications. Linux packages. Application delivery on ChromeOS has grown exponentially over the past few years, but one platform in particular has revolutionized app delivery across all operating systems. Of course, I’m talking about Progressive Web Apps. PWAs have evolved to the point that it’s becoming increasingly difficult to distinguish them from natively installed executables.
As powerful and versatile as web apps have become, the fact remains that the applications are still built on web standards and delivered from a server like any other web page. For most applications, this isn’t a problem. HTTPS protocols have become an industry standard and the data transferred between users and hosts are, for the most part, safe. However, that doesn’t mean that they are entirely insusceptible to attacks that can compromise end-users and servers.
Enter the IWA
IWA, or Isolated Web App, sounds like some sort of highly-classified task force from a Mission Impossible movie. However, it’s really just a new form of web app that is being developed in the Chromium repository and on GitHub. From the look of things, Google and Microsoft appear to be tag-teaming this new type of web app, with the purpose being an application that can be packaged in a web bundle and delivered in a manner that’s different from the traditional on-server method used for Progressive Web Apps. Here’s a short description of the goal of Isolated Web Apps.
This document proposes a way of building applications using web standard technologies that will have useful security properties unavailable to normal web pages. They are tentatively called Isolated Web Apps (IWAs). Rather than being hosted on live web servers and fetched over HTTPS, these applications are packaged into Web Bundles, signed by their developer, and distributed to end-users through one or more of the potential methods described below.
I am not going to sit here and pretend that I have any grasp on how the new IWA is going to work, but from the Git I can glean that these applications will be delivered as packages that are signed and verified by their respective developers. These packages can then be delivered in a variety of proposed methods, four of which you can find below.
IWA potential delivery methods
- A raw signed Web Bundle.
- Packaged into a platform-specific installation format such as an APK, MSI or DMG.
- Distributed through an operating system, browser or third-party “app store”.
- Automatically installed by enterprise system configuration management infrastructure.
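To make the "signed by their developer" idea concrete, here is an added example (not code from the Chromium project or the IWA explainer) showing why a signed package can be trusted no matter which of the channels above delivered it. The manifest layout, the function names and the choice of Ed25519 are assumptions made for illustration; this is a simplified stand-in, not the real Web Bundle format.

```javascript
// Added example: a simplified stand-in for a signed bundle, not the real Web Bundle format.
const crypto = require('node:crypto');

const sha256 = (data) => crypto.createHash('sha256').update(data).digest('hex');
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Serialize the manifest with sorted keys so signer and verifier sign identical bytes.
function canonical(manifest) {
  const sorted = Object.keys(manifest).sort().map((p) => [p, manifest[p]]);
  return Buffer.from(JSON.stringify(sorted));
}

// Developer side: hash every resource, then sign the manifest of hashes (Ed25519, assumed).
function signBundle(resources, privateKey) {
  const manifest = {};
  for (const path of Object.keys(resources)) manifest[path] = sha256(resources[path]);
  const signature = crypto.sign(null, canonical(manifest), privateKey).toString('base64');
  return { resources, manifest, signature };
}

// Install side: trust only the developer's public key, never the delivery channel.
function verifyBundle(bundle, developerPublicKey) {
  const sig = Buffer.from(bundle.signature, 'base64');
  if (!crypto.verify(null, canonical(bundle.manifest), developerPublicKey, sig)) {
    return { ok: false, reason: 'bad signature' };
  }
  for (const path of Object.keys(bundle.resources)) {
    if (!has(bundle.manifest, path)) return { ok: false, reason: `unsigned resource: ${path}` };
    if (sha256(bundle.resources[path]) !== bundle.manifest[path]) {
      return { ok: false, reason: `hash mismatch: ${path}` };
    }
  }
  for (const path of Object.keys(bundle.manifest)) {
    if (!has(bundle.resources, path)) return { ok: false, reason: `missing resource: ${path}` };
  }
  return { ok: true, reason: 'verified' };
}

// Constructed sample: one bundle, then the same bundle altered somewhere in delivery.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const files = { '/index.html': '<script src="/app.js"></script>', '/app.js': 'render()' };
  const bundle = signBundle(files, privateKey);
  const altered = { ...bundle, resources: { ...bundle.resources, '/app.js': 'render(); track()' } };
  return [verifyBundle(bundle, publicKey), verifyBundle(altered, publicKey)];
}

console.log(demo());
```

The check runs entirely on the installing device, so a changed file, an extra file or a re-hashed manifest all fail without any call back to a server.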
Along with the security provided by off-server delivery, IWAs can also be designed to restrict access to third-party storage. This is achieved by assigning “storage sheds” to the isolated app.
Implementations may choose to make an isolated app behave more “app-like” by only allowing them to be launched in a standalone window and assigning them a separate storage shed so that third-party storage from the user’s normal browsing session is not available. Proposed changes to the web platform in general to reduce access to third-party storage could eventually make the latter the default behavior for any origin.
This new type of web app is still in its infancy and I have no idea if or when we may see IWAs out in the wild. The fact that Google and Microsoft are working together tells me that Isolated Web Apps could, eventually, become a standard for Chromium-based browsers. For companies looking for the most secure method to deliver web apps, the IWA could be the future of app delivery. We’ll keep a close watch and, hopefully, get some insight from the Chromium team on how the project is evolving. Stay tuned.