Which Client? PWA vs Desktop vs Native App

Web client with BLF

The PWA (Progressive Web App) app

What is a PWA app?

PWA stands for Progressive Web App. PWAs are applications built using web technologies that can be installed and run on all devices from one codebase - in this case, our Web Client - which is also the basis for our Desktop App. A PWA provides native-like experiences and adapts to the capabilities supported by each device. Some characteristics:

What does the 3CX PWA app do

PWA - Must haves \ Must dos

What the PWA cannot do

Desktop App

What is the Desktop App (also referred to as the Electron app)? The Desktop App is a repackaged web client using the Electron framework. It allows control of the browser version as well as access to operating system functions.

It was this app that got compromised in the 3CX supply chain attack. This had nothing to do with the Electron framework or indeed any of the components we shipped in the Desktop app. The Desktop App was compromised because our network had been attacked by a hacker group. Our investigator Mandiant assesses with high confidence that UNC4736 has a North Korean nexus. Read more about this here.

The compromised Desktop App has since been completely checked and cleaned and can be considered secure. We have put controls and procedures as well as tools in place to ensure supply chain attacks will not hit us again.

What the Desktop App can do in addition to the PWA

What the Desktop App cannot do

What the Desktop App requires

Native App

3CX has native apps for all major operating systems - iOS, Android and Windows. These apps use SIP rather than WebRTC for calls. They operate entirely separately from the PBX, using SIP authentication IDs rather than web authentication. This means that the maximum a hacker can do if they obtain access to these credentials is make and receive calls.

Whilst the iOS and Android apps are distributed via their app stores, the Windows app is distributed via the PBX. Currently, the native Windows app is also referred to as our Legacy app. This app works well and is secure, but has not been updated in a while. During the supply chain attack, this was a godsend. However, its architecture is out of date and needs to be redone.

We’re now considering developing a new native Windows app that will look and behave like the iOS and Android apps. It would be distributed via the Microsoft Store. This makes it inherently secure, not only because the store checks the security of apps before they are uploaded, but also because, in case of a security event, it allows for a much faster and automatic response.

What the Native App can do in addition to Desktop or PWA app

What the Native App requires


Revision #3
Created 13 December 2023 15:54:18 by Vox Tandem Admin
Updated 31 October 2024 18:29:56 by Vox Tandem Admin