Web Apps & Security

Hi all,

Every so often, “security” is brought up as a space where Web apps lag
behind native apps. For instance,
http://au.businessinsider.com/the-state-of-html5-and-mobiles-future-2013-3 puts native ahead of HTML5 apps in that field.
http://www.infoworld.com/d/html5/11-hard-truths-about-html5-169665?page=0,0

Now, security is such a broad term that any number of things can be
linked to it, but I think it would be useful to determine a few of the
top most important use cases that can't be accomplished with Web apps
due to the current state of security in the Web platform.

Things I've heard mention (but I hope to hear from more informed
people):
* it's impossible to store local data safely (e.g. with encryption and
key management) — I assume this is something the Web Crypto API is
addressing, but I'm not sure if it addresses all of it, or just some
piece of an otherwise incomplete puzzle

* the code of your app is available to anyone, making it easier to
tamper with it or to copy it; users themselves can exploit
vulnerabilities e.g. via developer tools; content exposed through Web
apps can't be DRM'd

* native apps can more easily avoid asking you to log in, and thus create
fewer risks with regard to password storage / re-use

* apps obtained via an app store are curated, and thus less likely to
represent a threat than a random Web app; consequently, users establish
more trust with native apps

(there is the opposite argument that Web apps that live in the browser
sandbox are less likely to get abusive access to the user's private data;
arguably, we need to be careful not to lose that advantage :)

Does that list seem complete? Can anyone give input as to what is
already being done to address this, and what more we could do?

Thanks,

Dom

Received on Monday, 15 April 2013 09:42:14 UTC