[jfoster]

That is true, but unless you develop an application yourself, it is always coming from somewhere else.

Web apps are better than native apps from a security perspective. Browsers have fairly decent built-in debugging tools that you could use to verify that data isn't being uploaded to a 3rd party.

On the other hand, to do the same with a native application you would need to use a separate network protocol analyzer application.

Web apps also run in a sandbox that users tend to have fairly good knowledge about. For example, they generally cannot access any file on your device unless you grant permission. What are the limits of the iOS, OSX, Android or Windows application sandboxes? Can apps on those platforms access files without explicit permission? I think the vast majority of users wouldn't be able to tell you.

[Retr0id]

> Web apps are better than native apps from a security perspective.

This isn't true. Sure, they have less access to the host system, but verifying the integrity and authenticity of a web app is harder than that of a native app, where code signing is commonplace (not that code signing is a whole solution, but it's a great start). Extensions[0] exist to improve the situation but it's not yet broadly applicable.

A compromised web app doesn't have to upload your data to a 3rd party, it just has to (for example) encrypt with weak keys. You'd never notice that from the network logs alone.

And while I agree that debug tooling for the web is great, there's a lot of great stuff for native code too. Ignoring "expert" tools entirely, a more user-facing example is Little Snitch[1], which handles the "detect data being sent to 3rd parties" use case.

[0] https://engineering.fb.com/2022/03/10/security/code-verify/

[1] https://www.obdev.at/products/littlesnitch/index.html

[hombre_fatal]

1) For ~everyone, the authenticity check for an app is simply whether it exists on an app store. I think the only time I ever checked the signature on software outside the app store is for my bitcoin wallet.

2) Legit trusted applications are already what siphons everyone’s content, not malware. At least in the browser there’s uBlock Origin and even a dev console.

Just some things to keep in mind when comparing the differences.

[Retr0id]

Right, and your device knows it came from the app store because of code signing.

[ramchip]

You have to trust the original developers either way, but the distribution mechanism is much weaker for a web app. The server / hosting platform can be compromised, the code can change at any time and even depend on the client that's connecting, and there's no software signing providing non-repudiation.

Not saying native apps are universally better, but I do think their treat model tends to be a better match for encrypted messaging. This comment on Signal explained it well: https://community.signalusers.org/t/google-to-retire-chrome-...

[realusername]

The signature doesn't mean much on the mobile store though, Apple and Google could modify anything they want, resign it and push a new app.

With the web you have to trust the app developer and with mobile you have to trust the app developer plus Google or Apple on top of that.

Fdroid is maybe the only exception to that.

[ramchip]

> With the web you have to trust the app developer

The linked comment goes into it, but you have to trust the web hosting platform, the CA ecosystem, etc. We're talking not just Apple/Google being able to attack you, but also China, and even some script kiddie with a Node.js exploit.

> with mobile you have to trust the app developer plus Google or Apple on top of that.

The OS/browser vendor can record what you're doing with a web app just as easily as a native app. Thankfully they have very strong incentives not to do so, and can usually be held accountable with code signatures (the non-repudiation part).

[realusername]

There's much much better transparency mechanisms on the CA system than Apple or Google though. While a CA attack is possible and does happen sometimes, the attacker pretty much burns the CA in the process.

For starters, there's not even automated reports of app signatures on mobile and no transparency authority at all.

[eviks]

With web you have to trust the developer on every visit of the website. With mobile you can pin the trust (with some effort) to a single point in time, big positive difference

[realusername]

I'm not aware of any major mobile platform which works like that though, maybe in theory it could be done but in practice it's all powers to the manufacturer which can modify or remove your apps at any time silently.

Unless maybe you are on some things like GrapheneOS and only install apps though fdroid, that's not really a mainstream configuration though.

[eviks]

How can they modify the app on your device silently?

[realusername]

They have system access and can push anything on your device. In the past you could have an actual developer signature on the play store but Google got rid of it, on iOS there's never been any support at all of this kind of security.

Fdroid supports that but you need a modified rom so that the play store cannot interfere with it in any way. To my knowledge, only GrapheneOS does that.

[the8472]

You're extolling the virtues of web apps, but none of your points address the point that it requires centralized components. Which is an important point for something that advertises itself as P2P. Both to serve the application every time you open it and ICE servers for webrtc connection initialization every time you share a file.

A native p2p application needs to be downloaded or built once, from any place (say a git mirror) and bootstrap to its overlay network and then you're in.

[supportengineer]

Who is going to tell them. Your browser is a native app.