What is a PWA, and is it safe to install?

Some websites may show a small banner or prompt asking you to install a PWA. PWA stands for Progressive Web App. In plain English, this usually means the website can open more like an app, with its own icon, Start Menu entry, taskbar shortcut, or app style window.

Installing a PWA is not automatically unsafe, but it is not something to accept without checking. A genuine service may offer a PWA for convenience. A fake or misleading website may also use an app like prompt to appear more trustworthy.

This guide explains what a PWA is, why you may be asked to install one, when it can be useful, when it may be risky, and what individuals and small businesses should check before accepting the prompt.

Use the links below to jump to the section most relevant to your question.

• What is a PWA?
• Why is a website asking me to install one?
• Is a PWA the same as installing a normal app?
• Is it safe to install a PWA?
• When should you avoid installing a PWA?
• Can malicious websites abuse PWAs?
• What can a PWA do after it is installed?
• Should small businesses allow staff to install PWAs?
• How do I remove a PWA?
• What this does not mean
• Further reading
• Need help with something covered in this guide?
• Further Guidance and Support

A PWA is a Progressive Web App. It is a website that has been designed so it can behave more like an app on your device.

Instead of always opening the website in a normal browser tab, a PWA may open in its own app style window. It may also appear in the Start Menu, on the taskbar, on the desktop, or in the browser’s apps list.

This can make a website feel more like a normal application, but it is still based on web technology. In most cases, it still depends on the browser and the website behind it.

A website may offer a PWA because the owner wants the service to be easier to open and use. This can be useful for web based services that people use regularly, such as email, messaging, cloud storage, project systems, or online business tools.

For example, Microsoft allows Outlook on the web to be installed as a PWA in Microsoft Edge and Google Chrome. This lets the web version of Outlook open more like a desktop app, even though it is still the web version of Outlook.

Common reasons a website may offer a PWA include quicker access, an app style window, taskbar or Start Menu shortcuts, notifications, and sometimes limited offline use. These features can be convenient, but they also mean the install prompt should be treated as a decision rather than a harmless click.

No. A PWA may look like a normal app, but it is not the same as installing a traditional desktop application.

A normal desktop app is usually installed as software on the computer. A PWA is usually a website that opens through browser technology. It may have an icon and its own window, but it still relies on the browser engine and the website it came from.

This difference matters because people may assume that anything appearing as an app has gone through the same checks as an app from an official app store or a managed business software deployment. That is not always the case.

A PWA can be safe when it comes from a genuine website that you already know and intended to use. For example, installing a PWA from the real Outlook website is very different from installing something offered by an unexpected pop up or unknown website.

The main question is not only whether PWAs are safe as a technology. The more useful question is whether the specific website offering the PWA is genuine, expected, and appropriate for the device you are using.

Before installing a PWA, check that you recognise the website, reached it deliberately, and understand why you want it installed. If the prompt appeared unexpectedly, or came after clicking an email link, advert, warning message, or pop up, it is safer not to install it.

You should avoid installing a PWA when the prompt appears in a situation you do not fully recognise. This is especially important when the website is asking you to sign in, approve security changes, or trust a service you did not intend to open.

Avoid installing a PWA if any of the following apply:

1. 1. You reached the site from an unexpected email or text message.
   2. The prompt appeared after clicking an advert, pop up, or sponsored result.
   3. The website claims there is an urgent security problem with your account or device.
   4. The website is pretending to be a bank, parcel company, antivirus tool, Microsoft support page, or account verification service.
   5. You do not recognise the website address.
   6. The website asks for permissions that do not make sense for what it is supposed to do.
   7. The prompt appears on a work device and you are not sure whether the business allows browser based apps to be installed.

These checks do not mean every PWA is suspicious. They simply help separate expected installation prompts from prompts that may be part of a misleading or unsafe website.

Yes. Malicious or misleading websites can abuse the way PWAs look and feel. A fake website may use an app like prompt to appear more trustworthy, especially if the PWA opens without the normal browser address bar.

This matters because the address bar is one of the main ways people check whether they are on the correct website. If the normal browser controls are less visible, a fake page may feel more convincing than it would inside a normal browser tab.

Security researchers have described phishing techniques where PWAs are used to imitate trusted services and capture passwords. This does not mean every PWA is dangerous. It means the app like appearance can make a fake website harder for some users to recognise.

A PWA can do different things depending on how the website was built and what permissions the user allows. Some PWAs are simple shortcuts. Others can use more browser features.

A PWA may be able to:

1. 1. Open in its own app style window.
   2. Appear in the Start Menu, taskbar, desktop, or browser apps list.
   3. Show notifications if you allow them.
   4. Store some website data on the device.
   5. Work partly offline if the website supports it.
   6. Use background browser components that help the app load, cache content, or update.
   7. Request permissions such as camera, microphone, location, or notifications, depending on the service.

This is why PWAs should not be treated only as ordinary bookmarks. They may be useful, but they can also leave behind app entries, site data, permissions, and notifications that need to be reviewed if something looks wrong.

Small businesses should treat PWAs in a similar way to browser extensions, notification permissions, and other browser based features. They are not automatically bad, but they should not be installed freely on work devices without a clear reason.

For a small business, the main concern is consistency and visibility. If staff install different web apps independently, it can become harder to know which tools are being used, where data is being entered, what permissions have been granted, and whether a login page is genuine.

A sensible approach is to allow PWAs only when there is a business reason and the website is known. On managed devices, it may be appropriate for IT support to restrict user installed web apps and approve only the services the organisation actually needs.

This is not a permanent checklist. Browser features, web app behaviour, phishing methods, and security controls change over time. Small businesses should review browser settings, installed web apps, notifications, extensions, saved passwords, and security controls periodically as part of a layered security approach.

If you installed a PWA by mistake, removing only the shortcut may not be enough. It is also worth checking the browser app list and the permissions given to the website.

In Microsoft Edge, open Edge and review the installed apps section. You can also type edge://apps into the address bar to view apps installed through Edge.

In Google Chrome, open Chrome and review the installed apps section. You can also type chrome://apps into the address bar to view apps associated with Chrome.

In Windows, also check Settings, Apps, Installed apps. Some browser installed web apps may appear there like normal applications.

After removing the PWA, check the site permissions in the browser. Pay particular attention to notifications, camera, microphone, location, and any other permission that does not seem necessary. If the PWA came from a suspicious website, clear the site data for that website as well.

This does not mean every PWA is dangerous. Many PWAs are legitimate and useful. Outlook PWA, for example, is a supported way of using Outlook on the web when installed from the genuine Microsoft Outlook website.

It also does not mean every website install prompt should be blocked in every situation. Some people may prefer a web app because it is quick to open and keeps a frequently used service separate from normal browser tabs.

The concern is not the PWA technology by itself. The concern is whether the website is genuine, whether the prompt was expected, whether the device is personally owned or used for work, and whether the user understands what they are accepting.

These references provide additional background for anyone who wants to review the topic in more detail.

Microsoft Support explains that Outlook on the web and Outlook.com can be installed as a Progressive Web App in Microsoft Edge and Google Chrome.

Microsoft Q&A includes a plain language explanation that Outlook PWA allows the Outlook web service to be launched as a standalone app style shortcut and does not affect locally installed Office applications.

Kaspersky has described phishing techniques where Progressive Web Apps can be used to imitate browser windows and make fake login pages appear more convincing.

Panda Security has warned that malicious web apps can imitate legitimate services and that users should install PWAs only from trusted sources.

A guide can explain the issue and outline useful checks, but some situations need the actual device, account, service, website, network or supplier arrangement to be reviewed. Evening Computing can help review what is happening and advise on suitable next steps before changes are made.

This guide forms part of a broader layered security approach. For structured guidance on security and resilience planning, see our Security and Resilience page.

For information about practical implementation and ongoing support, you can review our IT services and local IT support coverage across London, Hertfordshire, and Essex.

Return to all guides

Author
Elías Sánchez
IT Support Consultant
Evening Computing
London, United Kingdom

This guide was prepared by Elías Sánchez with research and drafting assistance from AI tools. All technical content has been reviewed and adapted for clarity and accuracy.

Last reviewed
10 June 2026