Web browser is a sandbox by default. Worst a sketchy site does is eat a tab, less if you run an adblocker. Native app? Background processes, hardware ID shenanigans, your contacts, location. The whole buffet.
> Web browser is a sandbox by default.
So I take this is a security concern. How do you feel about the fact that when you open a webapp in your browser, you re-download that app code every time? That the server can send you a backdoor every single time, made just for you, and nobody else will ever know? And that you can't check the "hash" of the webapp, like you can with an app?
On the other hand, an app is sandboxed, too (on mobile OSes like Android and iOS). When you download it, you can check a hash that you can (if you want to) compare with a friend to see if they got the same app. With an app, there is an intermediary (the "app store") that would need to collude with the developers to send a backdoor just for you, and even then you would still have the app binary as proof.
That's always a question I have with "secure" web services: if you use ProtonMail, you trust that Proton doesn't send you a web page that leaks your key. But if you trust Proton for that, what's the point of the end-to-end encryption? When you use the Signal app, the whole idea is that you don't have to trust Signal for the end-to-end encryption, at all.
Apps can download code too, and often do
Well the idea is that the client should be open source, and audited.
If you run a proprietary app, you have to blindly trust it (just like if you access a webapp).
In terms of security, the best is an open source app, IMO.
> And that you can't check the "hash" of the webapp, like you can with an app?
Can someone reading this make an addon for this?
Meta and Cloudflare did something like that for WhatsApp Web, there is a nice blog post about it here: https://blog.cloudflare.com/key-transparency/
Now it only ensures that Cloudflare doesn't tamper with the WhatsApp Web code they serve, you still have to trust Meta.
I feel like reaching the same level as "checking the hash for the app" would be very hard in practice. I.e. the web is not built around doing that. Your extension would have to scan all the files you download when you reach a page, somehow make a hash of it, somehow compare it to... something, but then make the difference between "tampered with" and "just a normal update".
Also you just can't "download the sources, audit them and compile them yourself" with a webapp. If you do that, it's just "an app built with web tech", like Electron, I guess?
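As an added illustration of the check the reply above sketches (and of the "hash of the webapp" the earlier comment wishes for), not code from anyone in this thread: a Python sketch that hashes the resources a page served and compares them with a table of published release manifests. The release names, file names and contents are constructed for the example; the point it makes is that "update" versus "tampered with" is only decidable against a manifest published out of band, so the code returns "unverified" with the differing files rather than guessing.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(resources: dict) -> dict:
    """Map each served path to the SHA-256 of the bytes the browser received."""
    return {path: sha256_hex(body) for path, body in resources.items()}


# Constructed sample releases. In practice this table would be published out
# of band (ideally by a party other than the one serving the site); that is
# what lets a client tell "new release" apart from "code only I received".
RELEASE_1 = {"app.js": b"console.log('v1');", "crypto.js": b"export const kdf = 'argon2';"}
RELEASE_2 = {"app.js": b"console.log('v2');", "crypto.js": b"export const kdf = 'argon2';"}
PUBLISHED_MANIFESTS = {
    "1.0.0": build_manifest(RELEASE_1),
    "1.1.0": build_manifest(RELEASE_2),
}


def verify_served_code(resources: dict, published: dict) -> dict:
    """Classify the code a page served against the published release manifests.

    Returns {"status": "known", "version": v} when every served file matches a
    published release byte for byte; otherwise {"status": "unverified", ...}
    naming the closest release and the files that differ from it, so a reviewer
    can see exactly what changed instead of being told "tampered" or "update".
    """
    observed = build_manifest(resources)
    for version, expected in published.items():
        if observed == expected:
            return {"status": "known", "version": version}
    # No published release matches: report the release with the fewest differing files.
    best_version, best_diff = None, None
    for version, expected in published.items():
        paths = set(observed) | set(expected)
        diff = sorted(p for p in paths if observed.get(p) != expected.get(p))
        if best_diff is None or len(diff) < len(best_diff):
            best_version, best_diff = version, diff
    return {"status": "unverified", "closest": best_version, "changed": best_diff}


if __name__ == "__main__":
    # Constructed: a visit where only this client received a changed crypto.js.
    served = dict(RELEASE_2)
    served["crypto.js"] = b"export const kdf = 'argon2'; // unpublished change"
    print(verify_served_code(RELEASE_2, PUBLISHED_MANIFESTS))
    print(verify_served_code(served, PUBLISHED_MANIFESTS))
```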
>That the server can send you a backdoor every single time, made just for you, and nobody else will ever know?
There is no "backdoor" when the browser is sandboxed. "Backdoor" is a specific thing, I think you need to read up on it before you keep using it incorrectly:
https://en.wikipedia.org/wiki/Backdoor_(computing)
>On the other hand, an app is sandboxed, too (on mobile OSes like Android and iOS). When you download it, you can check a hash that you can (if you want to) compare with a friend to see if they got the same app.
That isn't what "sandboxed" means, it has nothing to do with checking hashes. And no, mobile apps are not really sandboxed, they have full access to your mobile device once you install it and give it access - and let's be real, most people are just going to blindly click "allow" for anything the app requests after installing an app.
>With an app, there is intermediary (the "app store") that would need to collude with the developers to send a backdoor just for you, and even then you would still have the app binary as proof.
You keep referring to "backdoor", and I don't think you really know what that means.
>That's always a question I have with "secure" web services: if you use ProtonMail, you trust that Proton doesn't send you a web page that leaks your key. But if you trust Proton for that, what's the point of the end-to-end encryption? When you use the Signal app, the whole idea is that you don't have to trust Signal for the end-to-end encryption, at all.
That isn't how any of this works. The main value proposition of Signal is that we do trust its end-to-end encryption. Protonmail sending a "web page" that "leaks your key"? WTF?
It's obvious what GP meant - we can verify that the apps we download are the apps everyone else downloads.
We can't do this with Proton where our mail is supposedly end-to-end encrypted. They can easily view our mail if they can send us a different code when we load their site.
> That isn't what "sandboxed" means, it has nothing to do with checking hashes. And no, mobile apps are not really sandboxed
Apps ARE somewhat sandboxed and GP didn't mean that sandboxing == checking hashes. It was 2 sentences appearing one after the other.
You cannot. An app can update just like a browser tab. In fact, very many apps are just frickin' webviews.
Well, you can verify that the code that you downloaded is the same that everyone else downloaded. Even if it contains webviews.
Now if it contains webviews, it brings the security issue of... the webapps, of course.
Personally, I want an open source app. You can audit an open source app and even compile it yourself. You can't really do that with a website. And I don't mean just mobile apps, that applies to desktop apps, too. I wouldn't run a web-based terminal, for instance (do people actually do that?).
AlBugdy and the person you are replying to are literally right re: server delivered backdoors. Using E2EE applications in a browser moves the trust back from the client to the server.
https://news.ycombinator.com/item?id=47664103
> That isn't how any of this works. The main value proposition of Signal is that we do trust its end-to-end encryption. Protonmail sending a "web page" that "leaks your key"? WTF?
Yes and it's that you also trust the client, with a server that dynamically delivers code you have no way of knowing fully what payload it's sending you. An example of this vulnerability was discussed when it was pointed out that 1P, Bitwarden and others were susceptible to server side backdoors if used from the web in that research study that came out last month that was posted here.
> And no, mobile apps are not really sandboxed, they have full access to your mobile device once you install it and give it access - and let's be real, most people are just going to blindly click "allow" for anything the app requests after installing an app.
This is genuinely just not true, even if you click allow for all permissions on Android and iOS. An application on a non-rooted device doesn't have "full access."
Dude, I was here to talk about security, not to be judged on the quality of my English. What I get from your take is that your English is better than mine, but not your security knowledge.
> That isn't what "sandboxed" means, it has nothing to do with checking hashes.
I didn't say it had anything to do with it. I meant that NOT ONLY is it sandboxed, but ON TOP OF THAT you can check that you received the same code.
> You keep referring to "backdoor", and I don't think you really know what that means.
The only explanation I see for you not understanding what I mean by "backdoor" for the end-to-end encryption is that you have no idea how it works. If you're just being condescending about my language, go for it. Tell me I can't speak your language. But don't tell me I don't understand security, you have absolutely no idea what I know.
> Protonmail sending a "web page" that "leaks your key"? WTF?
You obviously don't understand how it works if this surprises you. I would gladly elaborate with anyone who is not a jerk, but that does not seem to be the case here.
bias disclosure: i used to do Android dev and kinda hate the browser personally.
i don’t get this take. “Web browser is sandbox by default”. sure, it has to do the rail grind with a rake to access system calls, but in a modern system apps are also sandboxed, especially on a smartphone or when downloaded with a managed app service. the OS gives you the ability to specify permissions, although to what degree depends on your provider. your browser _obviously_ also has the permissions you’re talking about. and now we have introduced yet more vectors in the form of cookies where web _applications_ can track activity _between applications_ with that just kinda being part of the spec, and it totally neuters the protections that the OS gives you because once you configure Firefox to get your location for Open Maps, now you’ve totally given control to your location permissions for _all web apps_ to yet another corporate driven point of failure.
don’t even get me started on the UI mess.
my tinfoil hat theory is that the browser is pushed by mostly bad actors trying to get data, while anyone providing a real user experience has a nice native app.
press F for my reputation.
Good night, sweet reputation and flights of angels sing thee to thy rest.
Seriously though, I appreciate this perspective. While I prefer using a browser whenever possible, I'm well aware of modern fingerprinting techniques. But I didn't know about permission "sharing" between apps in the same browser. Thanks!
Privacy and security have always been a game of cat and mouse. Doesn't seem like that's going to change anytime soon.
> your contacts, location. The whole buffet.
It's not like an app is getting those without your knowledge, and many times it's useful for an app to have your contacts or location...
The weather app I used sent location data from pretty much everyone who didn't manually go through the effort to opt out to some shady American data broker that got hacked. Most people using the app gave it location permissions because of its ability to warn for rain coming to your precise location with decent accuracy.
Nobody wanted to share their location with these data brokers, but thanks to underfunded privacy watchdogs, you have no idea what happens to any app that you give any kind of permission.
I'd argue it's absolutely ludicrous to give _other people's information_ up to an app (or website). Your contacts contain names, phone numbers, potentially photos and addresses of _other people_.
One of the most enraging things about life since 2005-ish is that no matter how private and careful I am, it doesn't even matter because every other inconsiderate fool I know and interact with will HAPPILY let some random company have access to THEIR contacts--which includes me--in order to play Farmville for a month until they get bored of that and offer up my private information to the next bullshit ad company that asks for their contacts.
It used to frustrate me that people didn't care about their own privacy, because I genuinely didn't want evil people to hurt them. But, it's even more angering that people don't have the common decency to consider whether their friends and family would want them sharing their phone numbers, email addresses, photos of them, etc.
Famously, that's how shadow profiles got created for Facebook and LinkedIn and many others.
Or add your real name to photos of you stored in Google Photos.
But most of the time it’s really, really not.
Almost never is it useful for an app to have my contacts or location.
That said only on some platforms is it possible to stop a native app from getting them.
Android and iOS both require user permission for apps to access contacts or location.
Are there other platforms that can't even manage this basic level of user protection?
Not a single platform requires permission from each individual contact in your address book to access them, and that is the real problem.
GrapheneOS allows for this. It's called Contacts Scope.
Not really, it asks the user of the device, not the individual contacts whose PII data could be treated by third parties they never gave consent to.
As long as the application is made aware of the permissions and can prevent functioning when they get denied, that doesn't really help much. It's the choice between getting mugged or never leaving the house.
The ability to deny permissions without the app noticing or filling it with fake data doesn't exist on either system.
Yes, Windows.
Not without my knowledge or your knowledge, sure. But I'd bet there's a significant percentage of the population who is tired of thinking about permission popups and just hits yes yes YES to get the app started. Especially if it forces retries before going forward.
I think they're counting on these popups wearing people out.
After GDPR made these incessant annoying cookie popups mandatory, I just robotically click any button to dismiss it as fast as possible. Some website could probably write "Give root access" in that box and I'd probably click it without thinking.
Apps have to request your permission for contacts and location. iOS is really good about not giving bad permissions to apps without the user being asked for consent.
Location can also be extracted by JS on a website with these geo functions, IIRC?
Requires permission.
so does an app
Exactly. The only app-specific abuse I can think of is apps that wake in the background (Apple said this isn't the case, but it is), Android where apps get push by default, or apps that just hope the user will grant broad permissions that web can't do.
I think it's more than that. It's a walled garden. If you want to leave go somewhere else, it's further away than just a tab. That increases stickiness.
For example, let's say I'm an airline. I don't want you in the browser, where you're going to have my competitors in the adjacent tabs. I want you in my app, where all you see is my version of the world. (I mean, yes, you can have multiple apps open, too, and switch between them. It's still a bit more friction than moving between tabs. Or maybe that's just my mental model, and young people see apps as just another kind of tab?)
Using flatpaks or mobile apps, you can view the sandbox permissions and adjust them if you have to.
Web browsers all support those facilities, with less obvious transparency and control than iOS and Android apps