David Bressler
4 Reasons a native mobile app can be more secure than a mobile browser based app

March 8, 2016

I had the pleasure of sharing an office with a co-worker that I don't see as often as I'd like. Having just come back from some interesting conversations with a smart customer, he seemed in the mood to talk. I asked a few questions to goad him into starting, but mostly he talked and I typed. Anything below that's smart is his. Anything that's malformed is my interpretation of what he said.

Here you go: four reasons why a native mobile app can be more secure, with a bonus discussion on how more secure means you can do better business as a result of 'digital transformation'.

  1. It's easier to use multi-factor authentication in an app. The app itself is a channel for delivery of a PIN, but if they're on an app they also have a phone number right there. Multi-factor authentication is so easy as a user and adds A LOT of additional security. A win-win if there ever was.
  2. Certificate pinning. An app can have an embedded certificate, better than a browser for preventing man-in-the-middle attacks.
  3. Fine-grained risk evaluation. (This is my favorite.) API calls can have their risk exposure evaluated on a "what are you doing" basis (GET vs POST) rather than on a given URL. Fine-grained authorization and risk checks are harder to do in a browser with a URL scheme. You'd have to code it in the application (and in each-and-every application). When it's API driven, you can do the risk assessment in the infrastructure. In the infrastructure it has a lower cost of ownership, and the "security experts" can do their job without breaking open code and managing the "application" lifecycle.
  4. Keychain convenience. (I didn't fully understand this one, but felt I was wearing out my question and answer time.) The stuff that we're (CA) doing in the Mobile API Gateway allows uncompromised security with convenience. In the browser, security is a trade-off with convenience. In a mobile app, it's not. You can use your thumb for convenient authentication but still benefit from mutual SSL authentication (because it can be stored in the app).
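To make the third point concrete, here is an added example (written for this post, not code from CA's Mobile API Gateway) of a gateway-side policy that rates an API call by what it does, the HTTP method plus the resource it touches, instead of by URL, and asks the app for a second factor when the call is risky. The resource names, risk values, thresholds and request fields are all assumptions.

```python
"""Added example for this post: a gateway-side risk policy that rates an API
call by what it does (HTTP method + resource) instead of by URL, and asks the
app for a second factor when the call is risky.  Not CA's Mobile API Gateway;
every resource name, risk value and threshold below is an assumption."""
from dataclasses import dataclass, field

# Constructed table: resource -> base risk for a read vs. a write.
# The gateway knows the operation from the method, so this lives in the
# infrastructure rather than being re-coded in each application.
RESOURCE_RISK = {
    "accounts":  {"read": 1, "write": 4},
    "transfers": {"read": 2, "write": 5},
    "profile":   {"read": 1, "write": 3},
}
UNKNOWN_RISK = {"read": 3, "write": 6}   # unmapped resource: lean cautious
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
STEP_UP_AT = 4   # risk at or above this needs a second factor
DENY_AT = 7      # risk at or above this is refused outright

@dataclass
class ApiRequest:
    method: str
    path: str                                    # e.g. "/v1/transfers/42"
    factors: set = field(default_factory=set)    # e.g. {"password", "otp"}
    pinned_mutual_tls: bool = False              # app presented its client cert
    known_device: bool = True                    # device seen before

def score(req: ApiRequest) -> int:
    """Risk score from operation semantics plus channel and device signals."""
    segments = [s for s in req.path.split("/") if s]
    resource = segments[1] if len(segments) > 1 else (segments[0] if segments else "")
    kind = "read" if req.method.upper() in SAFE_METHODS else "write"
    risk = RESOURCE_RISK.get(resource, UNKNOWN_RISK)[kind]
    if not req.known_device:
        risk += 2   # unrecognised device, like the bank's browser check
    if not req.pinned_mutual_tls:
        risk += 1   # no pinned mutual-TLS channel from the app
    return risk

def decide(req: ApiRequest) -> str:
    """Returns 'allow', 'step_up' (ask for a second factor) or 'deny'."""
    risk = score(req)
    if risk >= DENY_AT:
        return "deny"
    if risk >= STEP_UP_AT and len(req.factors) < 2:
        return "step_up"
    return "allow"
```

A read of accounts with one factor is allowed, a transfer with one factor is sent back to the app for a second factor, and the same transfer from an unknown device without the pinned channel is refused.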

Wait, there’s more!

Not only do mobile apps make mobile computing (which is really just 'computing') more secure, they make your web computing more secure. With an app, you can use two-factor authentication on the web more easily, using the phone as a way to require something the user knows (their password) AND something they have. While you don't need an app to do this, it becomes easier with an app.

By the way, my bank has implemented 2-factor authentication for online banking when the browser isn't recognized. I love it (would love it more if they did it every time I logged in, but only if they shortened the current code length of 8 or 9 digits, which is too hard to type in). I no longer get all stressed out that I'm going to forget who I told them my favorite teacher was in second grade or who my favorite author is.

Imagine this at an ATM. Eliminate "shoulder surfing" for people's PINs by simply having two-factor authentication at the ATM through the mobile app. By the way, this would be another reason for people to download your app… which means (as a bank) you can start to convert holdouts who come to your branches for everything to people who might try some of the mobile banking services (and lower costs).

Talking about lowering costs… when someone forgets their ATM, credit, or debit PINs, they're reset by people. In a call center or at the branch.

What if reset­ting a PIN could be done through the app?

Bammo. Offload the call center, and people are happier because they don't have to deal with overworked & unhappy call center or branch workers.

(I know the end of this post doesn't read so well… that's why I don't usually write in the afternoon. Wanted to get this done. Email me if I can offer more clarity.)

—Updated 3/10/16

Got some good feedback on the post. One in particular pointed out that it's not really about mobile app vs browser as it is API-driven apps vs session-based ones. Using APIs to create your apps enables you to make them more secure than otherwise. While I am at the depth of my technical language at that point, I do believe this is an important clarification that helps make the above more understandable if you are technical.

In fact, I think understanding the difference between API-based and non-API-based is a better way of explaining my bias towards the experience of native applications, though I would not have explained it that way without exposure to the smart people at CA.
