TL;DR Google could soon extend Play Protect to scan PWAs and WebAPKs during installation.

This new feature could protect users from malicious PWAs used for phishing and data theft.

Google has been silently protecting most Android devices through Google Play Protect, scanning the apps that users have installed, and warning them of nefarious ones. While platform-native apps remain the most popular method to access a service, Progressive Web Apps (PWAs) remain a good web-centric alternative. Unfortunately, bad actors will exploit any medium they can lay their hands on, and it becomes imperative for Google to protect its user base. We’ve now spotted code that suggests that Google Play Protect will start scanning Progressive Web Apps during installation to check for security issues, adding one more layer of security for users.

Google Play Store v46.9.20-31 includes the following code:

PlayProtect__enable_gpp_install_verification_for_pwa

Here, PWA refers to Progressive Web Apps. The flag would enable Play Protect to verify the PWAs during their installation. Yes, PWAs can be installed on a device, usually through an “Add to Home screen” button from the browser app. If you do this through Chrome on Android, you get a WebAPK, which gives the PWA a space in your app drawer (in addition to the space on the home screen) and integrates it more deeply into the Android system than a regular PWA.

We also spotted code bits hinting at WebAPK scanning:

[Image credit: AssembleDebug / Android Authority]

While the code mentions scanning PWAs and WebAPKs, it doesn’t explain why Google would want to do so. There have been reports of malicious actors using PWAs and WebAPKs to phish and steal user information, so it’s possible that Google could be aiming to protect its users from such phishing attempts by proactively warning them whenever a bad PWA or WebAPK is installed.

There are plenty of other questions to answer, like how PWA and WebAPK scanning would work if this does roll out. For regular apps distributed through the Play Store, Google already has an extensive database of apps against which it can check for tampering and other threats through Play Protect. Such a database is difficult to envisage for the entirety of the PWA universe, so we’re curious to know how Google plans to approach this if it goes ahead.

PWA and WebAPK scanning are not currently available in Play Protect, and Google has not announced the feature either. We’ll update you when we learn more.

