I don't really like browser-based apps for security reasons. I will check out your website for more information.
We have put a lot of thought into making the app as secure as possible, but would definitely like feedback on how it could be more secure. Is there anything in particular about browser apps that you find makes them insecure?
The way the app works is that it spins up what can be conceptually thought of as an ultra light node that communicates with your node via the lightning network itself. This means that it uses the lightning transport protocol (NOISE) which is fully end to end encrypted. When the app connects to your node, it actually shows up as a regular peer but with feature bits all set to zeros.
All credentials like your rune and node connection address can be encrypted with a PIN, so that they are encrypted when stored in local storage and only decrypted in memory after PIN entry.
We also assign the app a persistent public key, which means that you can restrict your Rune to only work with this "session" in the app. Simply reset the app and now that rune can no longer be used even if someone else has got access to it, as they would need the corresponding private key that only the app had.
You can check out the docs for more detailed info, and if you have any other questions, drop them here or in our Discord.
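The rune-to-session binding described in the reply above, as an added example that is not part of the original thread or the app's code: a simplified macaroon-style HMAC chain, not the actual rune encoding. The `id` and `method` field names, the secret and the public keys are constructed for illustration, and `peer_id` is assumed to come from the authenticated NOISE handshake.

```python
import hashlib
import hmac

# Constructed sample values (not real keys or secrets).
NODE_SECRET = b"constructed-node-secret"
APP_ID = "02" + "ab" * 32      # persistent public key of the app session
OTHER_ID = "03" + "cd" * 32    # any other peer, e.g. someone holding a copied rune


def mint(secret, restrictions):
    """Fold each restriction into an HMAC chain keyed by the node's secret.

    Restrictions can be appended by anyone holding the tag, but none can be
    removed or altered without knowing the secret.
    """
    tag = hmac.new(secret, b"rune-root", hashlib.sha256).digest()
    for r in restrictions:
        tag = hmac.new(tag, r.encode(), hashlib.sha256).digest()
    return {"restrictions": list(restrictions), "tag": tag.hex()}


def check(secret, rune, peer_id, method):
    """Node-side check. peer_id must be the key proven in the transport
    handshake, never a value taken from the request itself."""
    expected = mint(secret, rune["restrictions"])["tag"]
    if not hmac.compare_digest(expected, rune["tag"]):
        return (False, "bad tag")
    ctx = {"id": peer_id, "method": method}
    for r in rune["restrictions"]:
        field, _, value = r.partition("=")
        if field not in ctx:
            return (False, "unknown field " + field)  # fail closed
        if ctx[field] != value:
            return (False, field + " mismatch")
    return (True, "ok")


# Rune restricted to one app session and one read-only method.
RUNE = mint(NODE_SECRET, ["id=" + APP_ID, "method=listfunds"])

if __name__ == "__main__":
    print(check(NODE_SECRET, RUNE, APP_ID, "listfunds"))    # the app itself
    print(check(NODE_SECRET, RUNE, OTHER_ID, "listfunds"))  # copied rune, other key
    stripped = {"restrictions": ["method=listfunds"], "tag": RUNE["tag"]}
    print(check(NODE_SECRET, stripped, OTHER_ID, "listfunds"))  # restriction removed
```

Resetting the app corresponds to the app connecting with a new key: the old rune then fails the `id` check exactly as it does for `OTHER_ID`.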