A security researcher has discovered a phishing attack intended to fool iPhone users into installing what is claimed to be an update to their banking app.
The attack works despite iOS protections because what is actually being ‘installed’ is a progressive web app, which involves no App Store vetting or warnings …
Progressive Web Apps (PWAs)
Progressive web apps are essentially websites which look and act like apps. Indeed, when the iPhone first launched back in 2007, PWAs were the only way for a third-party developer to launch an app.
Apple co-founder Steve Jobs had this to say about them at the time:
“The full Safari engine is inside of iPhone. And so, you can write amazing Web 2.0 and Ajax apps that look exactly and behave exactly like apps on the iPhone. And these apps can integrate perfectly with iPhone services. They can make a call, they can send an email, they can look up a location on Google Maps.
And guess what? There’s no SDK…”
Source: 9to5mac.com