What Are the Security Risks of HTML5 Apps?

Originally published at: http://www.sitepoint.com/security-risks-html5-apps/

The combination of HTML5 and JavaScript has become a popular solution for developers to build apps and websites. Over the past years this combination has delivered increasing speed and reliability.

Although the W3C only approved HTML5 as a standard in October 2014, its adoption started many years ago. Presently, almost 30% of the Fortune 500 companies, which include tech giants like Google, Facebook, Netflix and Microsoft, are using it.

A Gartner report found that over 50% of the mobile apps are likely to be based on HTML5 by 2016. One reason for its popularity is HTML5 being largely cross-platform. It allows developers to create apps for various platforms including iOS, Android, Windows, Mac and web applications.

The increasing popularity of JavaScript has been meteoric and is the perfect accompaniment to HTML5. Together, they are fast becoming dominant technologies for designing mobile applications.

This technology stack combination is not without its haters, problems and questions. One such question is…

Do HTML5 apps pose any security threats for developers and businesses?

HTML5 is a web interface technology. Of course, we love it since it is easy to develop beautiful interfaces. But from a security point of view it is just as insecure as any other web technology.

The problem is that it will be easy to develop apps with stunning interfaces and advanced functionality that works cross-platform. Too easy maybe, so people will choose this environment without understanding the consequences.

It will be even more important to separate transaction from secure authentication (read multi-factor authentication). And the transaction itself must be protected with encryption schemes outside the browser environment. HTML5 is for interface building, not secure applications or IT systems.

So, in the long run it might even be harder to develop in HTML5 because of all the extras you have to add, if you don’t use a backend service for security and communication, like apptimate.io.

Although I agree with the author that HTML5 web apps can be insecure if you don’t follow best practices around security, I’m not sure how the risks mentioned in the above article have anything to do with features and functionalities introduced by HTML5, so I think the title is a bit misleading in that sense. XSS attack vectors are possible with JavaScript, something that pre-dates the HTML5 era. And PhoneGap isn’t HTML5 - it’s a hybrid solution to develop mobile applications.