- From: Dominique Hazael-Massieux <dom@w3.org>
- Date: Wed, 17 Apr 2013 10:19:16 +0200
- To: Marcos Caceres <w3c@marcosc.com>
- Cc: public-closingthegap@w3.org
Hi Marcos, Le mardi 16 avril 2013 à 20:15 +0100, Marcos Caceres a écrit : > > * it's impossible to store local data safely (e.g. with encryption and > > key management) — I assume this is something the Web Crypto API is > > addressing, but I'm not sure if it addresses all of it, or just some > > piece of an otherwise incomplete puzzle > > I don't know if native apps do this either. Android for instance provides a KeyStore interface that lets app save private keys they can then use to encrypt their user data: http://developer.android.com/training/articles/security-tips.html#StoringData http://developer.android.com/reference/java/security/KeyStore.html > You can "root" or jailbreak a phone and access just about any user > data on a device. Not if they're encrypted (or at least, not trivially). > > * the code of your app is available to anyone, making it easier to > > tamper with it or to copy it; users themselves can exploit > > vulnerabilities e.g. via developer tools; content exposed through Web > > apps can't be DRM'd > > Obfuscated JS can be almost as difficult to decipher as compiled code. Is that an opinion, or a proved fact? (I'm asking to understand whether this is a case where what is needed is just better outreach, or something else) > Exploiting vulnerabilities through developer tools can also be done > with a modem (e.g., you can record and trap traffic being sent over > HTTP from a native app if it's not using SSL from your modem). But that's only possible when the data traffic is not encrypted, and the type of exploitable vulnerabilities seem also much smaller. > > > > * native apps can more easily avoid to ask you to login, and thus create > > less risks with regard to password storage / re-use > > Depends. If they are using a Web view, which many of them do, then > they might be just as likely to fall prey to XSS attacks. Maybe the > guys from PhoneGap/Cordova might have some stories to share? My point wasn't so much about XSS as much as about identity management; that being said, XSS is a problem that is often mentioned with regard to the lack of security in Web apps; and in fact, that risk is often mentioned as a risk specifically associated with hybrid apps (and thus counts negatively to "HTML5"-based apps in general). CSP should indeed help for apps deployed via HTTP; and hopefully SysAPps will provide an equivalent for packaged apps, which hopefully can also be used by PhoneGap/Cordova; but that's a lot of hope to have — maybe another space where we can help? > > * apps obtained via an app store are curated, and thus less likely to > > represent a threat than a random Web app; consequently, users establish > > more trusts with native apps > > That's called marketing :) Otherwise, there would have been no need > for this: "Over 60,000 apps were recently deleted by Google and > Developers to help maintain the integrity of their App Store." > https://exploreb2b.com/articles/google-cleans-play-store-by-removing-unwanted-apps You could argue that the fact they removed these 60000 apps shows they're indeed curating the content and making it less likely for people to get attacked. > And that level of control can lead to the dark side… as we all know, > there have been some questionable removals of apps (or banning of apps > altogether) for dubious reasons. Imagine if one or two companies could > just come along and turn off any random Website for any arbitrary > reason. Scary. Yeah, no doubt about that. To be clear, I'm not trying to defend the native app model :) I'm trying to see if we can have an effect on the places where Web apps are perceived to be less secured than native apps; that effect can derive either from filling a gap if there is one, or looking at how to change the perceptions if in fact there is no gap. > *However*, AFAIK, browsers will encrypt private user data (e.g., > localStorage) data on disk without the developer having to do > anything. That's not what I'm seeing; at least my Firefox 20 has all my indexed db available right there in my firefox directory without any encryption. What key would they use to do so in any case? (I guess that for users that use a master password, they could it as the seed for the key used to encrypt the data, but that's only a minority of users) Also worth noting: since a browser runs multiple-apps in a single app context, it doesn't benefit from some of the sandboxing that the underlying platform provides (e.g. on Android, a per-app user id that moves the isolation up to the kernel level http://source.android.com/tech/security/index.html#the-application-sandbox ) Dom
Received on Wednesday, 17 April 2013 08:19:35 UTC