I think there is still a case for no network as default. At the very least, offline web apps connecting for updates without prompting will be enabling the radio on every open of the app, slowly draining the battery.
I tend to hear "if X, use a packaged app" and wonder "okay, for now, but what problem does that mean we could fix?"

On Jul 10, 2013 6:09 PM, "Matt Basta" <[email protected]> wrote:
> > 1- anyone by checking the network traffic can see that I have this app
> > installed.
>
> This is a problem for any app (offline or not) that uses HTTP instead of
> HTTPS.
>
> > 2- doing MiM it is possible to inject code on the app and leak all the
> > passwords I type in the app.
>
> This is also a problem that is not unique to offline apps.
>
> Using SSL for your app should mitigate if not eliminate the problems that
> you are facing. Only the final destination of the request can be discovered
> over an encrypted connection (who the user is connected to). The risk of a
> MitM attack is also greatly mitigated since SSL connections can do some
> checking to make sure that you're connected to who you think you are
> (through some clever crypto).
>
> If you're looking to remove the need for a server entirely, consider a
> packaged app:
>
> https://developer.mozilla.org/en-US/docs/Web/Apps/Packaged_apps
>
> A packaged app doesn't need to connect to a remote server at all, meaning
> that there's no communication to be intercepted or tracked.
>
> Hope this helps!
>
> ----- Original Message -----
> From: [email protected]
> To: [email protected]
> Sent: Friday, May 31, 2013 8:32:36 AM
> Subject: Create an offline packaged webapp
>
> I've been puzzled for a while trying to get an offline packaged app.
>
> I have packaged my app, and also used html5 cache and localstorage to
> store all the user settings and (theoretically) prevent the browser from
> checking the internet for updates.
>
> But it seems like nothing can prevent a webapp from checking on startup for
> changes on the online site. It's not a functional problem, the app currently
> works fine offline and online, but it can be a security issue for the
> following reasons:
>
> 1- anyone by checking the network traffic can see that I have this app
> installed.
> 2- doing MiM it is possible to inject code on the app and leak all the
> passwords I type in the app.
>
> This is why I want the app to never look for changes upstream.
>
> I have discussed this on #b2g and I've been redirected to this forum. I
> know that default system apps (camera, gallery, ...) are packaged apps and
> they work well (not checking network on startup). How can I make my
> packaged app work in that way?
>
> Here's the app for testing this issue:
>
> http://hass.ffos.lolcathost.org/
> _______________________________________________
> dev-webapps mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-webapps
