Browsers are a common method for users to access apps and services. Even heavily mobile-centric apps (such as Instagram) are launching complementary browser versions. If you're thinking of developing a Web app, check out Google's new Chrome App model. Boasting an array of security features, the model will enable developers to build browser apps that have the security and native look and feel of regular desktop apps and deploy them over multiple platforms simultaneously.

Web Apps with Native-like Security

Just like regular Web apps, Chrome Apps are written in HTML5, JavaScript and CSS, which makes them portable across platforms and devices. However, they run very much like regular desktop apps and offer security benefits that were previously unavailable for the Web. Effective against the attacks launched at thousands of users every day, those benefits include the following:

Chrome Apps are sandboxed. This means they run in their own threads, separate from the influences of other websites or apps that may be open on a user's computer. Even if another app or browser tab the user has open is compromised, your own app will remain safer due to the layers of separation offered by Chrome.

They enforce common-sense security policies. Developers are unable to use many of the coding methods that usually cause such security vulnerabilities as cross-site scripting and code injection. (These types of attacks are the most common on the Web, most recently used to exploit eBay's iPhone app.) Chrome App developers are challenged to make sure their code runtime is shielded against active modification by attackers — in other words, they can't be lazy.
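Chrome Apps enforce this through a Content Security Policy that rejects inline script, inline event handlers and string-to-code calls such as `eval`. The following added example (not from the original article or from Chrome) is a heuristic pre-packaging check that flags those constructs; the file contents, rule names and `findPolicyViolations` are constructed for illustration.

```javascript
// Added example: heuristic pre-packaging check; file contents are constructed.
// Each rule names a construct that a no-inline-script, no-eval policy rejects.
const RULES = [
  { id: "inline-script", html: true, re: /<script\b(?![^>]*\bsrc\s*=)[^>]*>/i },
  { id: "inline-handler", html: true, re: /<[a-z][^>]*\son[a-z]+\s*=/i },
  { id: "javascript-url", html: true, re: /\b(?:href|src)\s*=\s*["']?\s*javascript:/i },
  { id: "eval", html: false, re: /\beval\s*\(/ },
  { id: "function-constructor", html: false, re: /\bnew\s+Function\s*\(/ },
  { id: "string-timer", html: false, re: /\bset(?:Timeout|Interval)\s*\(\s*["'`]/ },
];

// files: { "path": "contents" }. Returns [{ file, line, rule }] in input order.
function findPolicyViolations(files) {
  const findings = [];
  for (const [file, text] of Object.entries(files)) {
    const isHtml = /\.html?$/i.test(file);
    text.split("\n").forEach((lineText, i) => {
      for (const rule of RULES) {
        // HTML rules run on .html files only, script rules on everything else.
        if (rule.html === isHtml && rule.re.test(lineText)) {
          findings.push({ file, line: i + 1, rule: rule.id });
        }
      }
    });
  }
  return findings;
}

// Constructed sample: a regular Web app before and after porting.
const before = {
  "window.html": [
    '<button onclick="send()">Send</button>',
    "<script>var draft = '';</script>",
    '<script src="app.js"></script>',
  ].join("\n"),
  "app.js": [
    "function render(expr) { return eval(expr); }",
    'setTimeout("refresh()", 1000);',
  ].join("\n"),
};
const after = {
  "window.html": ['<button id="send">Send</button>', '<script src="app.js"></script>'].join("\n"),
  "app.js": [
    'document.getElementById("send").addEventListener("click", send);',
    "setTimeout(refresh, 1000);",
  ].join("\n"),
};
console.log(findPolicyViolations(before), findPolicyViolations(after));
```

The check is line-based and regex-driven, so it is a triage aid before packaging rather than a substitute for the policy the runtime enforces.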

They allow users to receive verified app updates. Every time users open regular Web apps, their browsers load the code from scratch. This can be problematic if your Web server is compromised and users are then given malicious code. Developers using Chrome can push automatic updates that are code signed, meaning that the apps themselves will be able to determine the authenticity of an update before securely installing it. For security-critical applications such as banking or encrypted chat, this is key. Even if your servers are compromised, your users will still run a version of your app they know is trustworthy.
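How a signed update is checked, as an added example that is not Chrome's updater code or part of the original article: the app ID is derived from the developer's public key the way Chrome derives it, while the update container, key generation and `verifyUpdate` are hypothetical simplifications.

```javascript
// Added example: constructed keys and package bytes, not Chrome's updater code.
const crypto = require("node:crypto");

// Chrome derives an app's ID from its public key: SHA-256 of the DER-encoded
// key, first 16 bytes, each hex digit mapped from 0-f onto a-p.
function appIdFromPublicKey(publicKeyDer) {
  const hex = crypto.createHash("sha256").update(publicKeyDer).digest("hex").slice(0, 32);
  return [...hex].map((c) => String.fromCharCode(97 + parseInt(c, 16))).join("");
}

// Hypothetical update container: { publicKeyDer, signature, payload }.
function signUpdate(privateKey, publicKeyDer, payload) {
  return { publicKeyDer, signature: crypto.sign("sha256", payload, privateKey), payload };
}

// Accept an update only if (1) its key maps to the ID of the installed app and
// (2) the signature over the payload verifies under that key.
function verifyUpdate(installedAppId, update) {
  if (appIdFromPublicKey(update.publicKeyDer) !== installedAppId) {
    return { ok: false, reason: "key does not match installed app ID" };
  }
  const publicKey = crypto.createPublicKey({ key: update.publicKeyDer, format: "der", type: "spki" });
  const valid = crypto.verify("sha256", update.payload, publicKey, update.signature);
  return valid ? { ok: true, reason: "signature valid" } : { ok: false, reason: "bad signature" };
}

function newDeveloperKey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  return { privateKey, publicKeyDer: publicKey.export({ type: "spki", format: "der" }) };
}

function demo() {
  const dev = newDeveloperKey();   // held offline by the developer
  const other = newDeveloperKey(); // any key that is not the developer's
  const installedAppId = appIdFromPublicKey(dev.publicKeyDer);
  const genuine = signUpdate(dev.privateKey, dev.publicKeyDer, Buffer.from("app v2 code"));
  // Payload altered on a compromised server, original signature left in place.
  const tampered = { ...genuine, payload: Buffer.from("app v2 code (modified on server)") };
  // Altered payload re-signed with a different key.
  const resigned = signUpdate(other.privateKey, other.publicKeyDer, tampered.payload);
  return {
    installedAppId,
    genuine: verifyUpdate(installedAppId, genuine),
    tampered: verifyUpdate(installedAppId, tampered),
    resigned: verifyUpdate(installedAppId, resigned),
  };
}
console.log(demo());
```

The modified payload fails the signature check, and the package re-signed with a different key fails because that key no longer maps to the installed app ID.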

Because of these features, even heavily security- and encryption-centric apps are being deployed via Chrome.

Web Apps That Feel and Behave Like Desktop Apps

In addition to having many important security features that aren't available to regular Web apps, Chrome Apps also feel native: they run on Windows as if they're native Windows apps, on Mac as if they're native Mac apps, and so on — even though their code was only written once. This means these apps have the advantage of giving a more natural and integrated experience to users than regular Web apps.

Chrome Apps have access to system-level features. Unlike regular Web apps, Chrome Apps can access system features such as Bluetooth and USB devices, and more efficiently push notifications. This allows developers to integrate new and advanced features using regular Web-app-development practices.

Perhaps most importantly, they feel like apps. They are installed with their own entries in a user's App folder, they launch in their own windows, and they operate independently. They can even open and save files on a user's computer and behave in ways that regular Web apps can only aspire toward.

The Future of App Development

Chrome Apps offer a level of integration that's impossible to achieve with regular Web apps, while granting security benefits that are too valuable to ignore. If you're considering launching a browser app, look into the Chrome App model. Your developers and users will thank you for it, and you will most likely feel a lot better once your app's security audit report comes in.


About Nadim Kobeissi

Nadim Kobeissi is a programmer and cryptography researcher whose work focuses on making encryption more accessible to people around the world. Nadim created Cryptocat, one of the world's most popular encrypted chat solutions, and miniLock, a new standard for file encryption. Nadim is a member of the W3C’s web cryptography working group. Currently, he works at Shapeshape, a programming studio based in Montréal.

Comments (1)

Meph | January 25, 2016 10:02 pm

I'm a little confused by your post.
Isn't Chrome the first platform-independent trojan? The ultimate keylogger? From my recollection, a few months ago, there was some bug report on Debian alerting users that the open-source version of their browser embedded some strange library able to arbitrarily start your camera or record audio, ... As a general rule: trusting Chrome is a mistake.

I'm not arguing you can't build something secure based on Chrome Apps. Although it seems obvious that wrapping anything into Chrome is the best way to give Google, the NSA, ... all access to your data, from the user's point of view, before even entering your app.
Did I miss something?
