With the apple censorship wrt to Damus, mutiny's promotion of their PWA... what would be the arguments AGAINST a PWA? E.g. is it safe to let your browser interact with your private keys? Can a PWA do anything a regular app can do? Any other concerns?
ELI5 please :)
web apps are fine if you use them in a sandboxed environment https://f-droid.org/en/packages/com.tobykurien.webapps/
and when encrypted at rest (when you switch to another app even if it can be made that way)
What is not so much okay, is when you're executing in the same environment as this: https://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-15031/opec-1/Google-Chrome.html
I'd prefer even if you didn't use the same device as something that has spyware such as this: https://www.shopify.com/enterprise/cross-device-ad-targeting
but I know there's only so much you can ask of the normie. Best practice in my view, would be to have a channel with a more secure device that funds the less secure device (in person, not automatically) when you're ready to spend.
But android with all the google spyware can do a decent job of sandboxing (even if you have to create a work profile for your sandboxed app), I don't know much about Apple though.
Sometimes that just means there aren't many security researchers looking at the code though.
No it is not safe to let a browser touch your private keys! Ever!
The good news is that they don't need to. They can simply send a message to be signed.
For Nostr this is defined in NIP-46 and a number of signing apps are in development. Your Nostr PWA just needs a 'sign in' button, you can then choose (using a trusted app) which acount to log in with, and what permissions to grant.
Is this what getalby does?
Or it would be more like an offline ledger type of device to sign messages for your pwa? Like something I saw Ben Arc do recently in a nostrica session?
browser extensions don't really work on mobile
it could be offline, or a server such as nsecbunker, but it could also be a native app (such as damus or amethyst)
the developers just need to find time to add NIP-46 support!
browser extensions don't really work on mobile
they do though, check out kiwi browser for android
did you try it?
getalby didn't work on kiwi for me
it works for me
interesting, thanks for sharing
which phone / operating system was it?
i tried on pixel 7 with graphene
Main argument against is that it's a lot harder to do well.
E.g. is it safe to let your browser interact with your private keys?
Interact is kind of vague. Generally the browser is a less secure environment than a mobile app, e.g. xss is real and very difficult to 100% mitigate.
the map isn't as accurate as native apps.
Can a PWA do anything a regular app can do?
But for the vast majority of apps that simply process generic data on the cloud, for example something like Uber, WhatsApp, etc, there's basically no difference between PWA and a native app. Actually many natives apps are simply a web view on a native wrapper. Note that you can even use a PWA offline after the initial download, if coded correctly.
But, if you start doing more interesting things like accessing the sensors, video processing, etc, then a PWA is more limited compared to a native app. The web view is just an extra layer that makes things a bit slower, and also there is some security added that doesn't allow access to some stuff.
For like 1% of the apps, you require it to be native for good results.
The problem is quite simple: you lose access to a huge audience.
All iPhone owners go directly to the App Store to search for an application. All Android owners go directly to the Google Play Store to search for an application. Open application stores have never been able to reach a sufficient level to represent a viable alternative to the Play Store on Android.
By only using a Progressive Web App, or by distributing your application outside the centralized Apple and Google circuits, you keep the power, but you'll have to do a huge amount of promotional work to hope for a similar audience.
However, you have to start sometime, just as Bitcoin started sometime and saw its market cap grow over time.
We need to start pulling apps out of these centralized stores to take all this power out of the hands of Google and Apple.
That's what decentralization is all about, but I think a lot of players will refuse to make the necessary initial efforts.
Why do I say this? Every time people from the cryptocurrency world are banned by YouTube, they cry foul and ask for help. They criticize Google for decentralization and start looking for alternative solutions. And then, as soon as Google gives them back access to their YouTube channel, these people start feeding YouTube again and become addicted.
When you tell these people that they need to move towards decentralized solutions, they tell you it's impossible, because these solutions are not financially sustainable... That's how Google and Apple keep baiting them.
At some point, you have to make an effort. Otherwise, these centralized giants will always retain their power!
Perfectly said
It is as easy for Apple to censor PWAs on their platforms as it is for them to censor native apps. If any particular PWA gets popular on iOS because it could not get into the App Store, I will not be surprised if users end up seeing a message like this on their device the next time they try to open it:
This app violates the distribution policy for iPhone which can be read here [link to App Store distribution policy]. It has been removed from your device for your safety and security.
I am curious, what kind of PWA in your experience resulted in this message in removal? I don't have an IOS device but I know people who have one and would like to try myself.
I have never seen such a message, I made it up as an example of something iOS can display if Apple decides they don't want you using a particular PWA
This goes into browser war territory and anti trust laws.
Also, not as easy. They remove apps at their permissioned store level. What you're talking about is end device website blocking. Other web browsers on Apple exists.
I wonder if Apple was ever sued for antitrust violations before
It seems to me that they could easily convince most judges to side with them. If a developer violates Apple's application policies Apple is under no obligation to let them use their platform to distribute noncompliant software
There's no distribution here. It is accessing a web page.
I do not think the mode of access has any bearing on whether Apple may prohibit it on their operating system
You may think that but it's yet to ever be seen.
I’m not convinced everyone even knows what a progressive web app is. I suggest folks do some research to get a better grasp (just like every topic related to Bitcoin :) )
To be honest, the first time I heard of it was on SN
𝐇𝗼𝐰𝐝𝐲 𝐝𝗼 ? 🀠 πŸ‘‹
Apps may be better for circumstances where an app may need to store sensitive info securely. For example, the hardware-backed keystore manages the decryption keys for encrypted app data. A PWA cannot interface to it and cannot store data there. I wouldn't trust putting any private keys in a web browser because of the reliance of servers.
Individual apps can also control permissions better than PWA's, as the permissions for the PWAs are given in browser while an app is OS-wide and independent.
I have not seen enough discussion regarding supply chain attacks regarding WPA vs native apps.
On android (and I would be surprised if that's not the case on iOS too), apps are signed by its developers before being upload on the store. Developers with good opsec keep that signing key secured, and get it out only for signing releases.
Meanwhile, online PWA are hot-loaded directly from the server every time you open them, just like a website.
If I was a attacker wishing to hack into the distribution of a wallet app to rug its users, I would definitely have a look into WPA servers, for the simple intuition that I've seen way more websites - including popular companies - getting hacked than app distribution pipelines.
Unless I see good reasons to not fear the larger, faster and more accessible supply chain attack surface WPA have, I'm unlikely to ever trust them with anything sensitive.