In general, are you safer with one over another? Or it doesn’t matter?
Conditions:
• all websites are with https;
• all apps installed from Google play, auto-updates on, minimum permissions given.
• adblocker on (DNS level)
I’d say that mobile apps are more secure. When installing an update, the OS makes sure the app signature hasn’t changed, while when using a website or PWA, you constantly download unsigned source code, probably from multiple parties, so it’s easier for an adversary to intercept and “pollute” the download. Apps tend to have stronger sandboxing than websites too. Apps can also pin certificates to avoid person-in-the-middle attacks.
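The certificate pinning this post mentions, shown as an added example that is not part of the original thread: an Android network security configuration that pins one API host to two public-key hashes. The host name `api.example-app.invalid`, both pin values and the expiration date are placeholders, not values from any real app.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from AndroidManifest.xml via
     android:networkSecurityConfig="@xml/network_security_config".
     Added example: the host and both pin values below are placeholders. -->
<network-security-config>
    <!-- Default for every other host: system CAs only, and no cleartext HTTP. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <domain-config>
        <domain includeSubdomains="true">api.example-app.invalid</domain>
        <!-- Each pin is the base64 SHA-256 of a certificate's SubjectPublicKeyInfo
             (the leaf's or an intermediate's). The second entry is a backup pin
             for a key that is not yet deployed, so rotating the server key does
             not lock every installed copy of the app out of the service. After
             the expiration date the OS ignores the pins and falls back to normal
             CA validation instead of hard-failing on a stale configuration. -->
        <pin-set expiration="2026-12-31">
            <pin digest="SHA-256">PLACEHOLDER_CURRENT_KEY_SPKI_SHA256_BASE64=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_KEY_SPKI_SHA256_BASE64=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
```

A real pin value is produced from the server certificate with `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64`. Pins only take effect when the chain already validates against the configured trust anchors, so they narrow which CA-issued certificates the app accepts rather than replacing CA validation.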
If you’re using something like Vanadium or Brave, then PWAs are the way to go. The sandbox of browsers was designed to run a lot of untrusted JavaScript code every day.
I use Brave, yes. PWAs but not regular websites?
Regarding PWAs I read somewhere:
On Android, most browsers don’t “properly” support installing PWAs via WebAPK (only supported browsers currently are Chrome (if you have play services) and Samsung browser (on Samsung phones)).
And there’s a recommendation on privacyguides.org/en/basics/common-threats/#privacy-from-service-providers:
use native applications over web clients whenever possible.
It’s better to use a PWA if it’s a proper one like Crypt.ee.
That’s only for E2EE services, right?
It applies to everything. Both native apps and PWAs are better than regular websites.
I think there are two sides to this. My own take is that for security-critical applications where you trust the developer, an app would be better, as a trusted state should be easier to verify and maintain if you’re not pulling new code every time you run it. If you’re using something that you don’t trust out of necessity (such as a social network that is the only option to communicate with a group of people), a browser lets you maintain more control, with better isolation from your device and extensions that can control what scripts are run and such.
Ignoring PWAs for a moment, my general rule of thumb is:
- Native if I trust the app/developer.
- Webapp if I don’t. Or if I’m just trying something out.
Aren’t web apps the same as PWAs?
As I understand it: PWAs are web apps, but web apps aren’t necessarily PWAs.
(put differently, a Progressive Web App is a specific type of (‘installable’) web application, but not all web applications are PWAs)
E.g. OnePassword’s password generator is a web app, but it’s not a progressive web app (afaik). I have limited knowledge, but two of the characteristics I associate with PWAs are (1) being (optionally) ‘installable’, and (2) the capability (in theory, not always in practice) for offline functionality (crypt.ee).
Given the choice of WhatsApp Web on Brave or the native app from the macOS App Store, which one would be better? The argument for the native app would be that WhatsApp would handle the end-to-end encryption natively instead of using JavaScript to do so.
I would go with the app.