Native vs HTML5 security: is there a third way for app development?

Watertight security doesn't have to be a problem with your app

"We need a mobile app." Those five words seem to reach a decision, but in fact they're the beginning of a whole raft of choices. Making sure that you are providing a mobile-accessible service is increasingly critical. Whether you're providing tools for business, or have an idea that could be the next Tinder, there are big decisions to be made.

For example, will it be available on iOS, on Android, or on both? Will you consider Windows Phone? Will it be paid-for or free, or maybe freemium?

But one of the first decisions that needs to be made, before a single line of code is written, is which of the two main deployment routes to use – a native app, or an HTML5-based mobile web app.

Neither seems to be 'winning' the debate – both have their advantages and many big organisations employ both. Google has both a native Gmail app installed as default in every Android phone, and a mobile web version of its email system that's almost as slick. Big news organisations such as the BBC and CNN have iOS and Android apps available, and their stories are available on their responsive websites that detect if you're browsing by mobile.

Security issues

One area where it gets tricky is when high levels of security are required. Any app that has any kind of sensitive data should have high security, whether that's dealing with a customer's financial data, an employee's remote desktop, or a potentially embarrassing dating profile.

Currently, the choice for these applications is obvious, if you need more than a simple password – you have to go native. If you want to implement two-factor authentication, then mobile web apps require hardware or software-based one-time passwords. Logging in then becomes a hassle – users are required to copy and paste codes from other applications or carry around tokens in order to identify themselves. This hampers adoption – a problem in an already-crowded marketplace. Native apps, on the other hand, can use the device itself to aid security.

HTML5 boons

Despite the issues around security, there are other advantages to HTML5-based mobile web apps that can make HTML5 a more attractive development platform. Developing one app that can be accessed via a browser on any device cuts down on costs and time to market. Updates can be rolled out silently, rather than through the app store, which makes fixing bugs and updating the user interface far more efficient.

There can also be accessibility advantages, as many calculations can be done remotely rather than on the device – the owner of a couple-of-generations-old iPhone can enjoy the same experience as the owner of the newest Android device. But these advantages are off limits to any app developer who also needs strong, hassle-free security.

It is also far from simple to switch strategy from native to mobile web – or vice versa – several years down the line. Much of your coding time would have to be considered sunk costs and the application rebuilt from the ground up to make sure it is optimised for the new platform. Plus – as is obvious every time Facebook or Twitter makes a UI change – people can get very upset at very small changes to their apps. Every change risks losing a chunk of your users.

So do you deploy a native app with a slick, secure login process, or do you go down the HTML5 route and face another dilemma – inferior authentication that leaves your users vulnerable, or burdensome authentication that leaves them irritated and heading to your competitors?

Hybrid apps

The solution lies in a nifty mixture of native and mobile web apps – 'hybrid apps'. A hybrid app is a native app wrapper containing a browser dedicated to accessing a single mobile web app. The user experience is of accessing a mobile web app, but through a downloaded app rather than a browser shortcut. The native app wrapper is where authentication takes place, barely noticeable to the user, so innovative multi-factor methods that use the device itself as an authentication factor can be used, rather than a token.
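To make "the device itself as an authentication factor" concrete, here is an added sketch (not from the article or from any vendor's product) of a device-bound challenge-response login that a native wrapper could run before handing a session to its embedded web view. It covers only the possession factor. All function names are hypothetical, and the in-memory maps and the 30-second challenge lifetime are assumptions.

```javascript
const nodeCrypto = require('node:crypto');

// Server-side state, kept in memory for the example (assumption).
const enrolled = new Map(); // deviceId -> public key
const pending = new Map();  // nonce -> { deviceId, expires }
const CHALLENGE_TTL_MS = 30000; // assumed lifetime of a challenge

// Enrolment: the wrapper generates a key pair; only the public key is sent
// to the server. On a real device the private key would live in the
// platform's hardware-backed key store rather than being returned.
function enrolDevice(deviceId) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  enrolled.set(deviceId, publicKey);
  return privateKey;
}

// Server: issue a random, single-use, short-lived challenge.
function issueChallenge(deviceId, now = Date.now()) {
  const nonce = nodeCrypto.randomBytes(32).toString('hex');
  pending.set(nonce, { deviceId, expires: now + CHALLENGE_TTL_MS });
  return nonce;
}

// Wrapper: prove possession of the device key by signing the challenge.
function signChallenge(privateKey, deviceId, nonce) {
  return nodeCrypto.sign(null, Buffer.from(`${deviceId}:${nonce}`), privateKey);
}

// Server: consume the challenge, verify the signature, and return a session
// token for the web view, or null on any failure.
function verifyLogin(deviceId, nonce, signature, now = Date.now()) {
  const entry = pending.get(nonce);
  pending.delete(nonce); // single use, even when verification fails
  if (!entry || entry.deviceId !== deviceId || now > entry.expires) return null;
  const publicKey = enrolled.get(deviceId);
  if (!publicKey) return null;
  const message = Buffer.from(`${deviceId}:${nonce}`);
  const ok = nodeCrypto.verify(null, message, publicKey, signature);
  return ok ? nodeCrypto.randomBytes(16).toString('hex') : null;
}
```

Because the user never sees or types a code, this is the property the article contrasts with one-time passwords; a second factor such as a PIN or biometric would gate use of the private key inside the wrapper.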

"We need a mobile app" may be only five words, but they throw up a raft of questions that require important decisions. The good news is that high security that isn't a barrier to adoption doesn't require a choice. It's available whether the choice is native or HTML5.

  • Thomas Bostrom Jorgensen is CEO of Encap Security.