How private/secure are webapps

subwoofer

A few of the apps that I've been struggling to get completely working have very good, very nice webapp alternatives.
From my basic understanding, it seems that a webapp running in vanadium should be more private and secure than its equivalent app. Am I right or have I missed something?

Vincent96

subwoofer Yes, because webapps have additional sandboxing via the browser, assuming you're using Vanadium which is developed by the GrapheneOS team.

Eumenia

subwoofer The security of webapps depends on the point of view:
Webapps are less likely to gain any severe access to the operating system.
But webapps are less secure to handle sensitive data because their code is unsigned and they will therefore execute any code their domain tells them to.
Also it's harder verify webapps because it's seems like their is now way to for example check their hash.

NoTimeDaddy

I am also interested in this. And, does it matter if it is Vanadium or Brave WebApps?

Vincent96

NoTimeDaddy Yes, it matters. Vanadium is a very secure browser developed by the GrapheneOS team, and Brave is a crypto AI browser with built-in ADs.

https://github.com/GrapheneOS/Vanadium

freebsd-user

Vincent96 I do prefer IronFox over Brave

idealizebush

Vincent96 Brave does have better content filtering and I've seen people mention before they are considering forking the content filter.

NoTimeDaddy

What is a cryptobrowser? And what is ADs?
Braves Add Block is superior to Vanadium, that was my primary reason

gristle-cause

I think it depends rn. Vanadium is a very good browser. It is not yet the best singular solution for all use cases. For example, I do not believe GOS would recommend Vanadium to replace Tor or Mulvad browsers in cases where privacy through anonymity is needed

Vanadium is secure as hell. I use it as my daily driver, applications with a security implication, and situations where I have already been directly de-anonymized.

I do not think Vanadium has much anti fingerprinting built in yet, and the user base isnt yet large enough to obfuscate it's signature end masse. But if some level of privacy is needed to a greater extent & security is a lesser concern for a particular case, Brave may be a strong middle ground

Brave & other browsers will add massive attack surface to GOS. Vanadium is installed by default, and it known to be trusted. That's probably the strongest case for keeping the default browser for all use cases

I would consider Vanadium to be stronger and more secure than installing third-party apps for services that support browser. At a bare minimum, it's less attack surface. You can also be sure that Vanadium itself isn't collecting telemetry, as many apps do

NoTimeDaddy Braves Add Block is superior to Vanadium

Browser-level adblock on a mobile device is an odd requirement. I'd recommend looking into something closer to the network level, like rethinkDNS or NextDNS

GosGrape

Eumenia thanks, presumably your concern is that someone could hack into the providers servers and change the webapp code for something toxic? I would think though that if someone has broken in this far they could cause more mischief than tinkering with the webapp?

Ironically its apps that I'm struggling to obtain a verification hash which have led me to use their webapp alternative

tux_

Yes, the lack of ad blocking is currently the biggest downside of Vanadium. I wish the devs found a way to support uBlock Origin at least. As an alternative, I block ads at the DNS level (I run my own server), and use NewPipe for YT. This gets me most of the way to ad-free browsing, but does not remove all empty ad frames in webpages, a minor inconvenience.

de0u

tux_ Yes, the lack of ad blocking is currently the biggest downside of Vanadium. I wish the devs found a way to support uBlock Origin at least.

Based on the Wikipedia article, this seems somewhat unlikely. I doubt that the GrapheneOS team will port Firefox-only API implementations to Vanadium and/or restore and then maintain Manifest V2. I see that Microsoft is doing that in Edge, but Microsoft has a lot more developer resources than the GrapheneOS project.

Eumenia

GosGrape Ironically its apps that I'm struggling to obtain a verification hash which have led me to use their webapp alternative

Is the name of the app "verification hash" or isn't the verification hash for the app available?

GosGrape thanks, presumably your concern is that someone could hack into the providers servers and change the webapp code for something toxic? I would think though that if someone has broken in this far they could cause more mischief than tinkering with the webapp?

A website/domain normally has a lot less security then app signing keys.
Especially when you out the app signing keys on something like a hardware wallet.
In additions to this domains (that aren't .onion) could also be attacked from the DNS (if they get hacked or act malicious) and maybe the local network (if it's insecure)

NoTimeDaddy

So what is the expert consensus for us normal folks? Better use Vanadium Webapp, the website or the app?

Vincent96

NoTimeDaddy Vanadium web app if possible.

Eumenia

NoTimeDaddy So what is the expert consensus for us normal folks? Better use Vanadium Webapp, the website or the app?

Depends in what the data the APP is holding and if its closed or open source

KCne

NoTimeDaddy So what is the expert consensus for us normal folks? Better use Vanadium Webapp, the website or the app?

https://madaidans-insecurities.github.io/security-privacy-advice.html#email

Consider staying away from web apps, as they can provide weaker security. When a user visits a website in a browser, that website can target that specific user with malicious JavaScript, whereas with a native app, the code is static. Additionally, apps can offer better protection against MITM attacks by pinning TLS certificates and removing the dependency on certificate authorities. This is commonly used in apps like ProtonMail, Signal and so on. However, websites in a browser are much less privileged, as they do not have direct access to system resources. Thus, using a web app could be more secure under certain threat models.

NoTimeDaddy

Vincent96 thank you Vincent. Privacy and Security wise, why is a Vanadium Webapp better than opening the website in Vanadium?

Vincent96

NoTimeDaddy You're welcome.

I said web app over browser because it's more convenient to touch the icon and be taken straight to whatever website you installed instead of searching for it manually in Vanadium. See this post: treequell

GosGrape

NoTimeDaddy you can install webapps on your homepage same as android apps but they have a little browser icon (vanadium if that's what you are using) to show they are webapps

NoTimeDaddy

So purely convenience, not safety or privacy

Vincent96

NoTimeDaddy Between those 2 options, yes, unless someone knows of any difference between these.

NoTimeDaddy

Vincent96 Thank you! Now all my questions are answered.

I will use web apps instead of apps and websites where possible.

dhhdjbd

Is there any relevant difference between a PWA and a Website?

edit:
after a quick lookup it should be
website < PWA < app

for attack surface

Vincent96

dhhdjbd a PWA is just a web app, normally with a better for mobile, right?

dhhdjbd

Vincent96

as far as i understand it, mostly yes,

but the code and more is cached/ saved (-> faster load time),
it can be used offline,
has push notifications,
can update itself.

so i think a pwa can run in the background/ do stuff in the background. (And update itself)

While a website in the browser, usually does not run in the beckground (for extended periods) in vanadium and wont reload itself or something like that.

thats why i think, a pwa has more attack surface then a normal website.

(ofc if you can trust the developers, an signed app is the best, but a maliciouse app can do more harm without using exploits then a website/pwa could. And furthermore i think a website/pwa exploit is much harder/rarer then a app exploit)