PWA Permissions: A much needed fix

As apps have developed over the years, so has our understanding of how they work and what’s in it for the developers. To begin with if you installed an app on your smartphone or PC then it usually came with a subtle set of terms that you agreed to when you start using the app. Within these terms they would explain that by using the app you agreed to what data the app could send back to its developers and what elements of the smartphone it could use. Then as platforms progressed, especially Android, users were given more tools and control over what the app could get access to. Now when you install an Android app you are asked if it can access elements like the camera, microphone, storage or location. Denying access may limit the apps capabilities, but ultimately you are in control.

Enter the PWA problem.

With PWA’s gaining more and more backing from the larger platforms and app developers, then focus needs to be centered around the privacy concerns they may come with. I’m going to focus on the way in which Android handles PWA permissions, assuming other platforms are in a similar boat.

If you haven’t read other articles about PWA’s then you are probably scratching your head at this point , I’d recommend reading this. Essentially PWA’s are a new breed of web app that will work across any platform, via a modern web browser and behave just like a native app.

The thought crossed my mind when I was trying out Instagram Lite. A PWA version of Instagram, essentially I was trying out all its features, curious to know how the camera handled. All seemed fine, until I realized, it hadn’t asked for permission. I entered the apps info page to find the permissions tab, whilst visible, it was grayed out, with no permissions available. It then dawned on me that Instagram Lite was effectively in a Chrome container. Heading to Chrome’s info page I disabled the camera permission, headed back to Instagram Lite and sure enough it requested me to give “Chrome” access to the camera.

pwa permissions

So why is this a big deal?

Well whilst Instagram might only be half an app without camera access and giving it access to storage as well is natural, I’m not just giving Instagram access, I’m giving every website I visit the opportunity to get access to these components. Whilst Chrome remains the master app for handling permissions, all PWA’s will be treated the same. This is a huge step back for privacy control in a time when people are least trusting with app makers such as Facebook following recent scandals.

It seems, since the PWA has a grayed out permissions area, that a future update may allow for PWA’s to be treated more like individual apps with their own privacy controls, but for now it can’t be done.

The only way around it for now, if you have concerns about browser permissions, yet wish to continue using PWA’s would be to give Chrome the permissions required for the apps to work, but use another browser app such as Brave or Firefox and limit the permissions for that browser instead.

Leave your comments below on your thoughts or info you may have on this topic. I’d be interested to know how other platforms are approaching this matter.