May the mobile browser never die!

The dawn of the mobile "P.C."

Let's rewind the clock to January 9th, 2007. On this day, Steve Jobs unveiled the first iPhone. A truly mobile computer had become available to the masses. The idea of shrinking the home computer down to a pocket-size form factor had been a highly sought-after goal. A number of attempts by various companies had been undertaken in the years leading up to this day. But Apple was the first to nail a form factor and UX that was both intuitive and appealing to almost anyone. A big question lingered among both users and developers: How was software going to be shipped to and accessed on this thing?

Enter the universal platform

Steve Jobs envisioned the mobile experience as being browser-first, where the vast majority of apps would simply be web apps accessed via the mobile browser (Safari). Only apps for which the use case dictated a native, bare-metal environment would be installed as stand-alone software. However, by 2008, Apple caved to market pressure pushing for a channel through which developers could ship native, stand-alone apps to users. The Apple App Store was born.

Data brokering becomes the modern-day gold rush

Moving into the 2010s, many tech companies rapidly realized that the most valuable asset they owned was their users’ data. It wasn’t long before the tech industry tried to take advantage of the smartphone and harvest the trove of unique, encompassing metrics it made available. For the first time, companies could collect dimensions of information that had not previously been obtainable. Real-time, high-accuracy location data could now be correlated with usage characteristics and user contacts. Given that smartphones were still a relatively new technology for most end users, people gave little thought to installing the wave of apps being pushed by companies. Offers for free stuff were everywhere in exchange for installing an app that often had broad access to your phone.

Users start to wise up (a little)

With the explosion of the smartphone app market came security attacks... bad ones. Many users became a little more wary of installing apps on their phones. It’s rather ironic when you take a moment and ponder the fact that much of the invasion of privacy and many of the serious device compromises could largely have been avoided had we simply insisted on the “mobile browser first” philosophy. We often forget that our browser, when set up correctly, provides a fair bit of sandboxing protection. It can protect our devices and keep the information on them from being exfiltrated. The stateful nature of the mobile browser also offers a vastly improved ephemeral execution context compared to natively installed apps. Naturally, browsers are not immune to attacks; end-user risk and software vulnerabilities are factors that will always remain. But the attack footprint is minimized when using the mobile browser.

We start returning to our old ways

In response to serious vulnerabilities and exploits shipping through mobile apps, both Apple and Alphabet began tightening their app distribution platforms. Greater effort was made to scan apps for malicious code, and operating systems became more conservative about prompting users for and granting permissions. Companies, in their insatiable thirst for user data, desperately looked for ways to push more users onto their native apps. This brings us to the present day, where you will find many companies putting negligible effort into their mobile websites—or outright handicapping them. Just about everyone has likely visited a website or platform on their mobile browser and been prompted to instead install the app. The UI in many cases has been designed to render the site unusable for the non-technically savvy. Most end users give in due to sheer frustration and install the app.

Unsurprisingly, this has led many companies to under-invest in the mobile versions of their websites. The mobile browser should have kept users more secure and allowed them to better protect their privacy. It should have created a common universal language stack for all devices. It should have allowed CI/CD to truly be realized. But alas, here we are. In closing, two sayings in particular come to mind when discussing this subject: “If you aren’t paying for the product, you are the product” and “You can’t unring a bell.” If you’re reading this and you care about tech privacy and ethics, next time you are tempted to install an app, ask yourself: “Do I really need this? What data could it now or in the future exfiltrate from my device? Is this app worth the risk of future vulnerabilities, especially given the scope of access it has on my device?”

Long live the mobile browser!
