Over the years, Google Play Protect has established itself as one of the most effective solutions for protecting Android devices from malicious apps and phishing attempts. However, the evolution of the web and the growing adoption of progressive web apps (PWAs) have opened up new scenarios that are not always free from risk.
In the last few hours, analysis of the code of version V46.9.9.20-31 of the Google Play Store has revealed interesting clues about a possible new feature intended to further strengthen the security of Android users.
PWAs under the Google Play Protect magnifying glass
As many of you will know, progressive web apps are web applications that can be installed on a mobile device directly from the browser, through the classic "Add to home screen" button. In some cases, especially when using Chrome, the installation generates a WebAPK, that is, a package that integrates the PWA more deeply into Android, making it almost indistinguishable from a native app.
According to the analysis of the code of the Play Store version mentioned above, Google appears to be working on a specific function to scan PWAs and WebAPKs during installation, looking for any suspicious or harmful behavior. In detail, the following flag was identified:
PlayProtect__enable_gpp_install_verification_for_pwa
A rather explicit wording, which would leave little doubt about the company's intention to extend Play Protect's protection to web applications as well.
The reason for this choice could lie in the growing spread of phishing and data theft attempts carried out through PWAs and WebAPKs. It is an attack vector that has so far remained largely outside Play Protect's systematic checks, since PWAs do not go through the traditional publication process on the Play Store. In other words, anyone can create a PWA and get users to install it without any particular security barriers.
Google has not yet clarified what methods it will adopt to verify the reliability of PWAs. It is known that Play Protect uses a large database to compare Android apps and detect tampering, malware or other threats, but building an equally detailed archive for the PWA universe appears, at the moment, to be a decidedly more complex operation.
Although the identified code suggests an implementation now in an advanced development phase, the functionality is not yet active and may never be released publicly. In fact, numerous aspects remain to be clarified: how will the scanning process for PWAs be managed? What criteria will be used to establish how dangerous a WebAPK is? How will the balance between security and the freedom to install web applications be guaranteed?
On the other hand, Google's growing interest in this issue suggests that the company is working to fill an increasingly evident gap in its strategy for protecting Android users.
At the moment there are no official communications or firm timing for the arrival of this feature. However, if the function does see the light of day, it could represent a decisive step in making Android even safer against the threats that hide behind PWAs and WebAPKs.