- From: Wayne Carr <wayne.carr@linux.intel.com>
- Date: Mon, 15 Apr 2013 08:05:21 -0700
- To: public-closingthegap@w3.org
On 4/15/2013 2:41 AM, Dominique Hazael-Massieux wrote:
> Hi all,
>
> Every so often, “security” is brought up as a space where Web apps lag
> behind native apps. For instance,
> http://au.businessinsider.com/the-state-of-html5-and-mobiles-future-2013-3
> puts native ahead of HTML5 apps in that field.
> http://www.infoworld.com/d/html5/11-hard-truths-about-html5-169665?page=0,0
>
> Now, security is such a broad term that any number of things can be
> linked to it, but I think it would be useful to determine a few of the
> most important use cases that can't be accomplished with Web apps
> due to the current state of security in the Web platform.
>
> Things I've heard mentioned (but I hope to hear from more informed
> people):
> * it's impossible to store local data safely (e.g. with encryption and
> key management) — I assume this is something the Web Crypto API is
> addressing, but I'm not sure if it addresses all of it, or just some
> piece of an otherwise incomplete puzzle

I think Web Crypto would enable an app to do it itself, but that doesn't mean a simpler high-level API to do it more simply (for the developer) isn't useful.

> * the code of your app is available to anyone, making it easier to
> tamper with it or to copy it; users themselves can exploit
> vulnerabilities e.g. via developer tools; content exposed through Web
> apps can't be DRM'd

Things people mention are game developers not wanting to expose private details of their games, or worrying about cheating at games. I don't know if it would be enough to have something like web workers that ran in a secure environment (can't see or tamper with the code).

> * native apps can more easily avoid asking you to log in, and thus create
> less risk with regard to password storage / re-use
>
> * apps obtained via an app store are curated, and thus less likely to
> represent a threat than a random Web app; consequently, users establish
> more trust in native apps
>
> (there is the opposite argument that Web apps that live in the browser
> sandbox are less likely to get abusive access to the user's private data;
> arguably, we need to be careful not to lose that advantage :)
>
> Does that list seem complete? Can anyone give input as to what is
> already being done to address this, and what more we could do?
>
> Thanks,
>
> Dom
Received on Monday, 15 April 2013 15:05:49 UTC