WebApps security

goskm75f

So yesterday I read that Signal does not provide a WebApp for security issues. If WebApps are not secure how is ChromeOS an OS that mainly runs WebApps secure?

DeletedUser87

There is no "secure" or "not secure". To quote the famous Kenobi: "Only a Sith deals in absolutes".
That means: there's varying degrees of security. ChromeOS is considered as "secure" compared to other desktop operating systems, because it limits the control over the system itself, reducing attack surface in the process. WebApps are less secure because they have to load code from the server on every startup that can potentially be tampered with. A regular (desktop) app is verifiable, a WebApp is not. So for a service like Signal, that has to offer the most security possible, it's more reasonable to exclude unsafe methods to reduce attack surface.

goskm75f

So what would be considered more secure, running an app through a webapp on chromeos or running it as an app on windows?

DeletedUser87

goskm75f what a weird question. There is no conclusive answer for that - it all depends on the attack vector. It's probably easier to inject malicious code through a browser than to tamper with a Windows system (however unsafe Windows might be).

wuseman

goskm75f Windows has zero sandboxing. I would take a web app over that any day.