[ramchip]

> without involvement of any server

> bypassing the need for centralized servers

I don't follow this part... it's using a centralized server to serve the web app, which could easily serve JS code that steals confidential data right?

[jfoster]

That is true, but unless you develop an application yourself, it is always coming from somewhere else.

Web apps are better than native apps from a security perspective. Browsers have fairly decent built-in debugging tools that you could use to verify that data isn't being uploaded to a 3rd party.

On the other hand, to do the same with a native application you would need to use a separate network protocol analyzer application.

Web apps also run in a sandbox that users tend to have fairly good knowledge about. For example, they generally cannot access any file on your device unless you grant permission. What are the limits of the iOS, OSX, Android or Windows application sandboxes? Can apps on those platforms access files without explicit permission? I think the vast majority of users wouldn't be able to tell you.

[Retr0id]

> Web apps are better than native apps from a security perspective.

This isn't true. Sure, they have less access to the host system, but verifying the integrity and authenticity of a web app is harder than that of a native app, where code signing is commonplace (not that code signing is a whole solution, but it's a great start). Extensions[0] exist to improve the situation but it's not yet broadly applicable.

A compromised web app doesn't have to upload your data to a 3rd party, it just has to (for example) encrypt with weak keys. You'd never notice that from the network logs alone.

And while I agree that debug tooling for the web is great, there's a lot of great stuff for native code too. Ignoring "expert" tools entirely, a more user-facing example is Little Snitch[1], which handles the "detect data being sent to 3rd parties" use case.

[0] https://engineering.fb.com/2022/03/10/security/code-verify/

[1] https://www.obdev.at/products/littlesnitch/index.html

[hombre_fatal]

1) For ~everyone, the authenticity check for an app is simply whether it exists on an app store. I think the only time I ever checked the signature on software outside the app store is for my bitcoin wallet.

2) Legit trusted applications are already what siphons everyone’s content, not malware. At least in the browser there’s uBlock Origin and even a dev console.

Just some things to keep in mind when comparing the differences.

[Retr0id]

Right, and your device knows it came from the app store because of code signing.

[ramchip]

You have to trust the original developers either way, but the distribution mechanism is much weaker for a web app. The server / hosting platform can be compromised, the code can change at any time and even depend on the client that's connecting, and there's no software signing providing non-repudiation.

Not saying native apps are universally better, but I do think their treat model tends to be a better match for encrypted messaging. This comment on Signal explained it well: https://community.signalusers.org/t/google-to-retire-chrome-...

[realusername]

The signature doesn't mean much on the mobile store though, Apple and Google could modify anything they want, resign it and push a new app.

With the web you have to trust the app developer and with mobile you have to trust the app developer plus Google or Apple on top of that.

Fdroid is maybe the only exception to that.

[ramchip]

> With the web you have to trust the app developer

The linked comment goes into it, but you have to trust the web hosting platform, the CA ecosystem, etc. We're talking not just Apple/Google being able to attack you, but also China, and even some script kiddie with a Node.js exploit.

> with mobile you have to trust the app developer plus Google or Apple on top of that.

The OS/browser vendor can record what you're doing with a web app just as easily as a native app. Thankfully they have very strong incentives not to do so, and can usually be held accountable with code signatures (the non-repudiation part).

[realusername]

There's much much better transparency mechanisms on the CA system than Apple or Google though. While a CA attack is possible and does happen sometimes, the attacker pretty much burns the CA in the process.

For starters, there's not even automated reports of app signatures on mobile and no transparency authority at all.

[eviks]

With web you have to trust the developer on every visit of the website. With mobile you can pin the trust (with some effort) to a single point in time, big positive difference

[realusername]

I'm not aware of any major mobile platform which works like that though, maybe in theory it could be done but in practice it's all powers to the manufacturer which can modify or remove your apps at any time silently.

Unless maybe you are on some things like GrapheneOS and only install apps though fdroid, that's not really a mainstream configuration though.

[eviks]

How can they modify the app on your device silently?

[the8472]

You're extolling the virtues of web apps, but none of your points address the point that it requires centralized components. Which is an important point for something that advertises itself as P2P. Both to serve the application every time you open it and ICE servers for webrtc connection initialization every time you share a file.

A native p2p application needs to be downloaded or built once, from any place (say a git mirror) and bootstrap to its overlay network and then you're in.

[supportengineer]

Who is going to tell them. Your browser is a native app.

[dkraj]

Didn't get the part of steals confidential data?

It can not do anything without your permissions. All websites are well scoped and run in their private environment in a web browser.

[ramchip]

I mean the data people send through the app. You say:

> It is a p2p files and messages sharing platform without involvement of any server. It has end-to-end encryption, ensuring your messages and files remain confidential.

However the clients get the JS code from the web server. Since you control that server, you can change the code to disable the encryption, or send a copy of the messages somewhere else. You can even make the server give specific people / IPs one copy of the code and others a different copy.

Hence my point is there is a trusted centralized server involved.

[dkraj]

Got you so you want to say that the place where I have hosted is a centralised place and yes you are right. But I won't do that ~~~

[supportengineer]

Sure “you” won’t do that. But who are you? What if “you” changes? “You” could be the CIA or a Nigerian scammer. Nobody knows. And it can change at any moment.

[scrose]

Ah yes, we should completely trust the anonymous person who registered to the site 23 days ago and has done nothing other than submit half a dozen chrome extensions to the site since then