How private/secure are webapps

dhhdjbd

as far as i understand it, mostly yes,

but the code and more is cached/ saved (-> faster load time),
it can be used offline,
has push notifications,
can update itself.

so i think a pwa can run in the background/ do stuff in the background. (And update itself)

While a website in the browser, usually does not run in the beckground (for extended periods) in vanadium and wont reload itself or something like that.

thats why i think, a pwa has more attack surface then a normal website.

(ofc if you can trust the developers, an signed app is the best, but a maliciouse app can do more harm without using exploits then a website/pwa could. And furthermore i think a website/pwa exploit is much harder/rarer then a app exploit)

NoTimeDaddy

Given general folks low thread model, I conclude that still PWAs are the way to go for most non-FOSS secure/private/trustworthy apps, e.g. Amazon, Reddit, Google Maps, etc., as a good compromise between useability and pricacy/security.

freebsd-user

Vincent96 I do prefer IronFox over Brave

Vincent96

freebsd-user Not sure if you're talking about GrapheneOS or desktop Linux here, I recommend searching the forum to learn about the massive security failures of Firefox based browsers compared to Vanadium and Chromium.

GosGrape

NoTimeDaddy you can install webapps on your homepage same as android apps but they have a little browser icon (vanadium if that's what you are using) to show they are webapps

freebsd-user

Vincent96 IronFox is a hardened Firefox for Android

freebsd-user

Vincent96 IronFox now has content process isolation by default.

idealizebush

Vincent96 Brave does have better content filtering and I've seen people mention before they are considering forking the content filter.

Eumenia

NoTimeDaddy So what is the expert consensus for us normal folks? Better use Vanadium Webapp, the website or the app?

Depends in what the data the APP is holding and if its closed or open source

NoTimeDaddy

Eumenia assuming any closed source.

Vincent96

Eumenia Even if the app is FOSS the sandboxing of Vanadium is a big security increase.

FOSS/open software does not equal safe, well made or secure.

DeletedUser594

NoTimeDaddy So what is the expert consensus for us normal folks? Better use Vanadium Webapp, the website or the app?

https://madaidans-insecurities.github.io/security-privacy-advice.html#email

Consider staying away from web apps, as they can provide weaker security. When a user visits a website in a browser, that website can target that specific user with malicious JavaScript, whereas with a native app, the code is static. Additionally, apps can offer better protection against MITM attacks by pinning TLS certificates and removing the dependency on certificate authorities. This is commonly used in apps like ProtonMail, Signal and so on. However, websites in a browser are much less privileged, as they do not have direct access to system resources. Thus, using a web app could be more secure under certain threat models.

subwoofer

DeletedUser594 I still don't quite get this. If an application provider decided to be malicious they could do a much better job from their app than from their webapp. So is extra risk of using a webapp the possibility that a bad actor could hack into the providers servers and tinker with the webapp code without anyone noticing?

The other thing that crossed my mind is that the above analysis isn't specific to vanadium.

Eumenia

subwoofer I still don't quite get this. If an application provider decided to be malicious they could do a much better job from their app than from their webapp. So is extra risk of using a webapp the possibility that a bad actor could hack into the providers servers and tinker with the webapp code without anyone noticing?

The other thing that crossed my mind is that the above analysis isn't specific to vanadium.

It depends on how sensitive the data inside the app is.
If it's sensitive then it's better to use .apk apps because they are a lot harder to temper with

NoTimeDaddy

Now I am confused. It seems there is no expert consensus yet.

Watermelon

Here's a previous post I wrote that's relevant:
https://discuss.grapheneos.org/d/29413-banking-without-the-play-integrity-api/7

In short: if you want security for the app, use a native app; if you want security from the app, use a PWA/website in Vanadium. (PWAs are just websites with some nicer UI/UX, they're still opened as just websites, they even appear in the browsing history in the web browser.)

If you're a normal person, tend towards security for the app; if you're a high-risk person, tend towards security from the app, to reduce your attack surface.

This is what I think.

« Previous Page