Re: Web Apps & Security

On Monday, April 15, 2013 at 10:41 AM, Dominique Hazael-Massieux wrote:

> Hi all,
>  
> Every so often, “security” is brought up as a space where Web apps lag
> behind native apps. For instance,
> http://au.businessinsider.com/the-state-of-html5-and-mobiles-future-2013-3 puts native ahead of HTML5 apps in that field.
> http://www.infoworld.com/d/html5/11-hard-truths-about-html5-169665?page=0,0
>  
> Now, security is such a broad term that any number of things can be
> linked to it, but I think it would be useful to determine a few of the
> top most important use cases that can't be accomplished with Web apps
> due to the current state of security in the Web platform.
>  
> Things I've heard mentioned (but I hope to hear from more informed
> people):
> * it's impossible to store local data safely (e.g. with encryption and
> key management) — I assume this is something the Web Crypto API is
> addressing, but I'm not sure if it addresses all of it, or just some
> piece of an otherwise incomplete puzzle

I don't know if native apps do this either. You can "root" or jailbreak a phone and access just about any user data on a device. Also, apps delivered on various platforms are not somehow magically encrypted. For example, you can just go to iTunes, find the iOS apps, and open them in the Finder and poke around. Takes like 5 clicks to access all their data and media - though not user media; I personally haven't tried to do that.

> * the code of your app is available to anyone, making it easier to
> tamper with it or to copy it; users themselves can exploit
> vulnerabilities e.g. via developer tools; content exposed through Web
> apps can't be DRM'd

Obfuscated JS can be almost as difficult to decipher as compiled code. Exploiting vulnerabilities through developer tools can also be done with a modem (e.g., you can record and trap traffic being sent over HTTP from a native app if it's not using SSL from your modem).  

No comment on the DRM stuff.   
>  
> * native apps can more easily avoid asking you to log in, and thus create
> fewer risks with regard to password storage / re-use

Depends. If they are using a Web view, which many of them do, then they might be just as likely to fall prey to XSS attacks. Maybe the guys from PhoneGap/Cordova might have some stories to share?

> * apps obtained via an app store are curated, and thus less likely to
> represent a threat than a random Web app; consequently, users establish
> more trust with native apps

That's called marketing :) Otherwise, there would have been no need for this: "Over 60,000 apps were recently deleted by Google and Developers to help maintain the integrity of their App Store."
https://exploreb2b.com/articles/google-cleans-play-store-by-removing-unwanted-apps

And that level of control can lead to the dark side… as we all know, there have been some questionable removals of apps (or banning of apps altogether) for dubious reasons. Imagine if one or two companies could just come along and turn off any random Website for any arbitrary reason. Scary.

> (there is the opposite argument that Web apps that live in the browser
> sandbox are less likely to get abusive access to the user private data;
> arguably, we need to be careful not to lose that advantage :)
>  
> Does that list seem complete? Can anyone give input as to what is
> already being done to address this, and what more we could do?

The sys apps runtime spec tries to address lifecycle management and many of the Web's security issues through CSP, but does not address some of the core issues (like making sure private data is encrypted on disk). *However*, AFAIK, browsers will encrypt private user data (e.g., localStorage) on disk without the developer having to do anything. Of course, if you get XSS'd, that data can be stolen. Thankfully, using CSP can help mitigate the most common XSS attacks.

Kind regards,
Marcos  

Received on Tuesday, 16 April 2013 19:15:48 UTC