Skip to main content

Which Client? PWA vs Desktop vs Native App

Web client with BLF Web client with BLF

Many users followed our advice to deploy our PWA web app mode instead of our Desktop App during the attack. Following this, we learned more about deploying in this mode. I wanted to share some of the things we’ve seen and give some background and suggestions on which is the best to use according to the situation.

The PWA (Progressive Web App) app

What is a PWA app?

PWA stands for Progressive Web Apps (PWAs). These are applications built using web technologies that can be installed and run on all devices from one codebase - in this case, our Web Client - which is also the basis for our Desktop App. A PWA provides native-like experiences and adapts to the capabilities supported by each device. Some characteristics:

  • Works on Chrome and Microsoft Edge Chromium.
  • Runs securely within the browser in its security framework and libraries.
  • Zero admin - automatically updates.
  • No local installation needed - no install or uninstall.
  • Runs in the background and supports Push Notifications.

What does the 3CX PWA app do

  • Fully functional 3CX client that feels/looks like a native app.
  • Starts automatically upon starting the browser.
  • Notifies user of incoming calls via a PUSH notification message box.
    • No need to be logged in to 3CX or even have the tab open.
    • In case of Edge, browser will be started if not active.
    • In the case of Chrome browser must be running.
  • Launch calls in CRM or websites via Click2Call extension.
  • Calls can be auto answered.
  • Supports SSO.
  • Fully supports Yealink, Jabra and soon Plantronics headsets.
  • PWA works great on Microsoft Terminal Server - Read how to mass deploy.
  • To be added in update 7a: Dialer will include the BLF panel.
  • To be added in update 8: Be launched via the tel: protocol by 3rd party external apps.

PWA - Must haves \ Must dos

  • PWA will only work for installations that have a fully qualified domain and a valid SSL certificate.
    • If you host 3CX in the cloud using a 3CX certificate, this is automatic.
    • If you have an on-premise installation, you must have configured Split DNS with a valid 3CX certificate or custom certificate. You are gonna need this anyway, sooner or later!
  • You must set Google or Edge to auto start upon login to the OS. Here’s how.

What PWA can not do

  • Capture focus on incoming calls - Unfortunately, we have not found a way around this.
  • Microsoft Tapi Integration for some older CRM/Accounting applications such as Datev.
  • Launch External Applications upon receiving a call.

Desktop App

What is the Desktop App (also referred to as the Electron app)? The desktop app is a repackaged web client using the Electron framework. It allows control of the browser version of the browser as well as access to operating system functions.

It was this app that got compromised in the 3CX supply chain attack. This had nothing to do with the Electron framework or indeed any of the components we shipped in the Desktop app. The Desktop App was compromised because our network had been attacked by a hacker group. Our investigator Mandiant assesses with high confidence that UNC4736 has a North Korean nexus. Read more about this here.

The compromised Desktop App has since been completely checked and cleaned and can be considered secure. We have put controls and procedures as well as tools in place to ensure supply chain attacks will not hit us again.

What the Desktop App can do in addition to the PWA

  • Capture focus on incoming calls.
  • Launch External Applications upon receiving a call.
  • Dial or transfer using hotkeys.
  • Allow for the dialer dialog to be moved around the screen separately from the main screen.

What the Desktop App can not do

  • TAPI - ability to be launched by TAPI capable apps.
  • If you close the app, then you will not be notified of incoming calls.

What the Desktop App requires

  • Network wide antivirus and controls in case of emergency

Native App

3CX has native apps for all major operating systems - iOS, Android and Windows. These apps use SIP rather than WebRTC for calls. They operate entirely separate from the PBX using SIP authentication IDs rather than web authentication. This means that the maximum a hacker can do if it obtains access to these credentials is make and receive calls.

Whilst the iOS and Android apps are distributed via their app stores, the Windows app is distributed via the PBX. Currently, the native Windows app is also referred to as our Legacy app. This app works well and is secure, but has not been updated in a while. During the supply chain attack, this was a godsend. However, its architecture is out of date and needs to be redone.

We’re now considering developing a new native Windows app that will look and behave like the iOS and Android apps. It would be distributed via the Microsoft store. This makes it inherently secure not only because the store checks the security of the apps before uploading, but also because in case of a security event, it allows for a much faster and automatic response.

What the Native App can do in addition to Desktop or PWA app

  • Capture focus on incoming calls.
  • Launch External Applications upon receiving a call.
  • TAPI - ability to be launched or be launched from TAPI capable apps.

What the Native App requires

  • Local admin rights to install the app.
  • Provisioning via PNP on local LAN OR download of config file (U8).