Friday, November 25, 2016

Native apps can't be trusted

The one thing the web has gotten right to some extent (thanks to the beauty of REST/HTTP) at least compared to desktop and native apps, is how it can uniformly show users if they are using a secure connection to a trusted source. The browser does this by clearly and consistently giving various hints (see Fig 1 and Fig 2 below):

Fig 1. Firefox indicating that you are securely connected to GitHub.

Fig 2. Chrome indicating that you are securely connected to GitHub.

There is no reliable, trustworthy and consistent way for non-technical users to do this on desktop and native apps.

This is how you add funds to your Paytm wallet from within the Uber app (see Fig 3 below):

Fig 3. Page to add funds to your Paytm wallet from within the Uber app.


Notice the following in Fig 3:
  1. Since I opened this from within the Uber app and this "page" is running "inside" the Uber app, I have no way to verify if what I'm seeing is in fact a page severed by Paytm or a spoofed page that Uber is presenting to me.
  2. Even if I were to trust Uber here, there is no way for me to tell if this is happening over a secure connection.
  3. Say I'm willing to accept that this is in fact a page served securely by Paytm, I have no way to know if Uber has injected their own code to intercept everything I enter on that page.
  4. And now the really ridiculous bits (circled in red in Fig 3 above): The text that reads "Your payment details are secured via 128 Bit encryption by Verisign" and the various logos that are displayed at the bottom of the page are something I have to take at face value. These are also app-specific and not consistent.
Also, note that I (as a non-technical end-user) have no way of knowing if all communication the Uber app is doing with it's servers is over a secure channel. I just have to "trust" that they are doing the right thing. Of course, as a technical user I could intercept the traffic on my phone and see how it's been sent, but that is exactly the point: You have to jump through a lot of hoops to "verify" what is happening.   

The current state of affairs for security on native apps is absolutely ridiculous and it's crazy that we all put up with it.

Full Disclosure: I work at Zeta (at the time of writing this blog post), but the views expressed here are my own and not of my employer.

What native apps get wrong over web apps

  1. They need to be installed. This in itself is a big drawback.
  2. They need to be separately developed for each target platform. Unlike the desktop app days where Windows was almost ubiquitous, with mobile you have to support 2 platforms.
  3. They can get outdated if users don't upgrade. We are doomed to repeat the same mistakes we made with desktop apps.
  4. Deployment is blocked on a black box not in your control (aka the app store approval process). Kiss continuous deployment goodbye.
  5. They have no trustworthy way to indicate to users that secure channels are being used to communicate secure information (unlike the address bar in web apps that clearly shows if the connection is secure and to the right place). If you think about it, there is a beauty to REST/HTTP that makes this possible.
  6. Each app needs to reinvent the wheel and ship infra that could have been shared, e.g., local data store, caching, etc.