In general, are you safer with one over another? Or does it not matter?
Conditions:
• all websites are with HTTPS;
• all apps installed from Google Play, auto-updates on, minimum permissions given;
• adblocker on (DNS level).
I’d say that mobile apps are more secure. When installing an update, the OS makes sure the app signature hasn’t changed, while when using a website or PWA, you constantly download unsigned source code, probably from multiple parties, so it’s easier for an adversary to intercept and “pollute” the download. Apps tend to have stronger sandboxing than websites too. And also apps can pin certificates to avoid person in the middle attacks.
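The post above contrasts OS-verified app signatures with web code that is fetched unsigned on every load. The standard browser-side mitigation for that gap is Subresource Integrity (SRI), where the page states the expected hash of each script. The following is an added example, not code from any poster in this thread: it models the SRI check a browser performs, including the rule that only the strongest listed algorithm counts, and runs it on a constructed sample script.

```python
"""Subresource Integrity (SRI) check, modelled on what a browser does before
executing a fetched script. Added example; the script bytes are constructed."""
from __future__ import annotations

import base64
import hashlib
import re

# Strength order browsers use when an integrity attribute lists several algorithms.
_ALGS = {"sha256": 1, "sha384": 2, "sha512": 3}
# One token is "<alg>-<base64 digest>" with an optional "?options" suffix.
_TOKEN = re.compile(r"^(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)(\?.*)?$")


def parse_integrity(attr: str) -> dict[str, set[str]]:
    """Parse 'sha384-xxx sha256-yyy' into {alg: {digest, ...}}; unknown tokens are ignored."""
    out: dict[str, set[str]] = {}
    for token in attr.split():
        m = _TOKEN.match(token)
        if m:
            out.setdefault(m.group(1), set()).add(m.group(2))
    return out


def sri_digest(alg: str, data: bytes) -> str:
    """Base64-encoded digest in the form SRI uses."""
    return base64.b64encode(hashlib.new(alg, data).digest()).decode()


def make_integrity(data: bytes, alg: str = "sha384") -> str:
    """Build the integrity attribute value a site author would publish for `data`."""
    return f"{alg}-{sri_digest(alg, data)}"


def integrity_ok(data: bytes, attr: str) -> bool:
    """True if `data` matches any digest of the strongest algorithm listed in `attr`.
    An empty or unrecognised attribute means 'no SRI', which browsers treat as a pass."""
    parsed = parse_integrity(attr)
    if not parsed:
        return True
    strongest = max(parsed, key=_ALGS.__getitem__)
    return sri_digest(strongest, data) in parsed[strongest]


if __name__ == "__main__":
    script = b"window.app = { version: '1.0' };"  # constructed sample script
    attr = make_integrity(script)
    tampered = script + b"/* modified in transit */"
    print(attr, integrity_ok(script, attr), integrity_ok(tampered, attr))
```

A script tag carrying `integrity="..."` (plus `crossorigin` for cross-origin sources) makes a modified download fail to execute, which is the web-side counterpart of the signature check an app store performs on updates.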
If you’re using something like Vanadium or Brave, then PWAs are the way to go. The sandbox of browsers was designed to run a lot of untrusted JavaScript code every day.
I use Brave, yes. PWAs but not regular websites?
Regarding PWAs I read somewhere:
On Android, most browsers don’t “properly” support installing PWAs via WebAPK (only supported browsers currently are Chrome (if you have play services) and Samsung browser (on Samsung phones)).
And there’s a recommendation on privacyguides.org/en/basics/common-threats/#privacy-from-service-providers:
use native applications over web clients whenever possible.
It’s better to use a PWA if it’s a proper one like Crypt.ee.
That’s only for E2EE services, right?
It applies to everything. Both native apps and PWAs are better than regular websites.
I think there are two sides to this. My own take is that for security-critical applications where you trust the developer, an app would be better, as a trusted state should be easier to verify and maintain if you’re not pulling new code every time you run it. If you’re using something that you don’t trust out of necessity (such as a social network that is the only option to communicate with a group of people), a browser lets you maintain more control, with better isolation from your device and extensions that can control what scripts are run and such.
Ignoring PWAs for a moment, my general rule of thumb is:
- Native if I trust the app/developer.
- Webapp if I don’t. Or if I’m just trying something out.
Aren’t web apps the same as PWAs?
As I understand it: PWAs are web apps, but web apps aren’t necessarily PWAs.
(put differently, a Progressive Web App is a specific type of (‘installable’) web application, but not all web applications are PWAs)
E.g. 1Password’s password generator is a web app, but it’s not a progressive web app (afaik). I have limited knowledge, but two of the characteristics I associate with PWAs are (1) being (optionally) ‘installable’, and (2) the capability (in theory, not always in practice) for offline functionality (crypt.ee).
Given the choice of WhatsApp Web on Brave or the native app from the macOS App Store, which one would be better? The argument for the native app would be that WhatsApp would handle the end-to-end encryption natively instead of using JavaScript to do so.
I would go with the app.
Security can vary depending on the implementation, but generally speaking:
- Mobile apps (installed from Google Play with auto-updates and minimum permissions) are often more secure because they run in a sandboxed environment and go through store reviews. However, you’re still relying on the app developer and the store’s policies for security.
- Websites (with HTTPS and ad blockers) are also secure, as HTTPS ensures encrypted communication. But websites might be vulnerable to phishing, cookie theft, or malicious third-party scripts if not properly secured.
- PWAs sit somewhere in the middle. They’re served over HTTPS like websites and have added security from features like Service Workers, but they don’t require app store approval for updates. They also benefit from the browser’s sandboxing.
I found an insightful article that goes into detail about PWAs: https://www.cleveroad.com/blog/what-is-a-progressive-web-app/. It explains how PWAs combine some of the best aspects of websites and mobile apps while maintaining a secure environment.
Ultimately, it depends on how well the specific app, site, or PWA is developed and maintained. If you prioritize security, sticking with trusted sources and regularly updating your apps or sites is key.