On the other hand, the web as a runtime is one of the most universal platforms we have. If I run Slack in a browser, I sure do want it to be able to notify me! (Though I wish doing so felt more like the Electron app - I’d rather use my browser than Electron if the UX were similar enough. I already have a browser, I don’t need another per application!)
And as an occasional user of less popular mobile platforms (Ubuntu Touch, etc) a more featureful web runtime helps close the gap between those platforms and Android/iOS.
I do think it’d be better if these two use cases were more explicitly distinct than they are now, though.
Platforms have fallen back on walled gardens (app stores) with centralized control of all code execution to compensate for the deficiencies of their security models. I don't want a future where the only apps I can run have to be signed and approved by Apple ahead of time. The web is the escape hatch.
The real reason we see so many web apps is that the decision on what technology to use for an application is largely something developers decide (with "developers" I do not only mean individuals but also companies and organizations that develop applications) and the web gives developers pretty much complete control over what is going on in their application, what the users can do and how, allows them to force everyone to use the same version, allows realtime monitoring of how the users use their applications and provides vendor locking tighter than the most obfuscated native application could have (since all the data is stored in the servers).
Security is just a very convenient excuse since a lot of people shut down their critical thinking whenever it comes up (my guess for why that happens is that since a lot of people have been shamed by supposed security experts and even more people have mimicked that shaming, we ended up with everyone just shutting up whenever security is brought up to avoid looking like That Clueless One that would be shamed next - but that is just a guess).
But the real reason is the heavy control that web apps give to the developers and the vast majority of users do not really understand how biased against them that setup is.
Also, while the UI is far from ideal (at least on Windows), you can block individual applications from accessing the Internet. It should be much simpler than it is now, though.
Though Android does try to address this with Google Play Instant (https://developer.android.com/topic/google-play-instant). I've never encountered it in the wild though.
I would also suspect that most users haven't any clue of the security implications of using something in a browser versus using an app.
And we got our phones through our daughter who works at Verizon, so when my wife moved from an Android to an iPhone they called me up and asked for my iCloud password which I, like a dumbass, gave them.
I just checked and I've got four more bullshit apps on my phone I need to delete :D
I agree, it's better, but the idea that you can just happily run whatever in the browser and it's all fine isn't quite true either.
But it is a lot better now than it used to be.
When it comes down to it - why am I exposed to untrusted code if what I'm trying to do, for the most part, is just browse and read info?
Perhaps we should separate browsers-as-app-platforms from browsers-as-readers.
Please stop the gaslighting. Virtual machines and sandboxes existed decades before browsers.
If I create a native Windows app and link people the .exe to try it out, approximately 0% of people who run it are going to run it in a securely sandboxed way. If I create a web app and link people it to try it out, approximately 100% of people who run it are going to run it in a securely sandboxed way.
Furthermore, some people will specifically avoid trying out the .exe I send them because they don't trust me fully with everything on their computer. As a developer that wants to show off things I make, I don't want this obstacle to exist. If I make a web app instead, I know it's more likely people will try it out.
I would rather run every application in its own VM under a different unprivileged user
P.S. the browser is the main attack vector on mobile, not only because it's so complex that bugs are everywhere, but mostly because web app security sucks.
Citation needed. Browser-based attacks are difficult to come by, because it's just easier to attack an application instead.
You require a citation then make an assertion with no supporting source.
Many game engines do it as well, just think about DOOM mods
I think the point is that browsers are not as good as an OS as an application platform (given the limitations) but are as complex as an OS and have more bugs
The fact that mobile apps are terrible is not an excuse for having a terrible document protocol used for applications
Apple invented mobile apps as we know them today, but native apps in general have served people well for ages
We are at a point where a native app with some API is more maintainable than a browser app
Not even talking about the ecosystem and its fiascos, like npm corrupted libs used by millions without even looking at a single line of source code or the famous leftpad incident
It doesn't really matter where the weakness is, if it is exploitable
As Alan Kay once said "the web was made by amateurs at best"
While website capabilities have evolved, the web UI itself has regressed. No major UI paradigms have emerged from the web since the 90s (except tabs, arguably). URLs, bookmarks, cmd-F Find, and clicking on links still dominate, except they work worse now compared to the 90s, because of SPAs and lazy loading.
Also, all of those features that rkagerer complained about would be even more abusable, because in general, Windows apps don't have to ask for permissions to those things. I don't get how someone could complain that it's bad for a web app to be able to ask for permissions to their contacts, and would prefer to have a native app (that can get them silently by default).
Maybe you could replace "Windows" with "iOS" in this hypothetical, which would improve the permissions side of things, but I think it's likely that Windows was only supplantable in the first place because of the popularity of things being on the cross-platform web instead of on native Windows apps, and especially as someone without an iOS device, I'd be pretty sour if the effort on the web went purely into a locked-down non-open platform I didn't have. I think the way the web has approached being a universal open-source/open-standard app platform is extremely exciting. The fact that web app buttons look different than iOS/etc buttons is a small price compared to the benefits, and is the sort of thing that can probably be solved within the model once developers think it's important enough to. (I think modern frameworks and/or the web components standard will provide a good base to get more native-like experiences common in the web.)
iOS initially had a web-app-only developer story (the "sweet solution"), but the quality gap between web and native apps was so undeniable that Apple reversed course and shipped a native SDK. It would be no different today.
The quality gap is not about buttons that look different. It's that nothing behaves consistently. Every site does its own custom thing, so users are forced into the lowest common denominator of interactivity (click or tap).
Examples: Gmail has its own fake windows, context menus, dropdowns, drag and drop, key equivalents, etc. and they all fall apart as soon as you try to do anything nontrivial with them. And it's been like this for 15 years, so I don't see any cause for optimism on this front.
A lot of your argument here is based on the assumption Google Chrome is open source software. Google Chrome is not open source, it's proprietary.
I remember when applications had to be tied to the OS, does it run on unix, linux, some other OS, or hardware... what a pain.
If it is a web app it probably works most places.
I want to turn off the application side of things for my safety (and I do), but too many sites require it unnecessarily to do the most basic tasks of displaying static text and pictures.
But browsers won't, because they have nothing to gain from it; and it would be way too confusing for many users.
And now many are tied to one or two browsers.
It's true that it has displaced things that were true document or file transfer systems (Gopher, FTP) because it subsumes those functionalities, but it wasn't ever just that.
I agree but I would be ok with them if they required explicit permission from the user before being allowed.