Native versus HTML5 security - is there a third way?

Those five words seem to reach a decision, but in fact they're the beginning of a whole raft of choices. Making sure that you are providing a mobile-accessible service is increasingly of critical importance. Whether you're giving your customers access to financial services, providing tools for business, or have an idea that could be the next Tinder, there are big decisions to be made. For example, will it be available on iOS or Android, or both? Will you consider Windows Phone? Will it be paid-for or free, or both (otherwise known as freemium)?

But one of the first decisions that needs to be made, before a single line of code is written, is which of the two main ways to deploy the app to use – a native app, or an HTML5-based mobile web app.

Neither seems to be ‘winning’ the debate – both have their advantages and many big organisations employ both. Google has both a native Gmail app installed as default on every Android phone, and a mobile web version of its email system that's almost as slick. Big news organisations such as the BBC and CNN have iOS and Android apps available, and their stories are available on their responsive websites that detect if you're browsing by mobile.

One area where it gets tricky, though, is when high levels of security are required – and any app that handles any kind of sensitive data should have high security, whether that's a customer's financial data, an employee's remote desktop, or a potentially embarrassing dating profile.

Currently, the choice for these applications is obvious, if you need more than a simple password – you have to go native. If you want to implement two-factor authentication, then mobile web apps require hardware or software-based one-time passwords. Logging in then becomes a hassle – users are required to copy and paste codes from other applications or carry around tokens in order to identify themselves. This hampers adoption – a problem in an already-crowded marketplace. Native apps, on the other hand, can use the device itself to aid security.

Despite the issues around security, there are numerous advantages to HTML5-based mobile web apps that can make them a far more attractive development platform. Developing one app that can be accessed, via a browser, on any device cuts down on costs and the time to market. Updates can be rolled out silently, rather than through the app store, which makes fixing bugs and updating the user interface far more efficient. There can also be accessibility advantages, as many calculations can be done remotely rather than on the device – the owner of a couple-of-generations-old iPhone can enjoy the same experience as the owner of the newest Android device. But these advantages are off limits to any app developer who also needs strong, hassle-free security.

It is also far from simple to switch strategy from native to mobile web – or vice versa – several years down the line. Much of your coding time would have to be considered sunk costs and the applications rebuilt from the ground up to make sure they are optimised for the new platform. Plus – as is obvious every time Facebook or Twitter makes a UI change – people can get very upset at very small changes to their apps. Every change risks losing a chunk of your users.

If you're a developer, you could be left with a tricky choice. Do you deploy a native app with a slick, secure login process, or do you go down the HTML5 route and face another dilemma – inferior authentication that leaves your users vulnerable, or burdensome authentication that leaves them irritated and heading to your competitors?

The solution lies in a nifty mixture of native and mobile web apps – ‘hybrid apps’. A hybrid app is a native app ‘wrapper’ containing a browser dedicated to accessing a single mobile web app. The user experience is of accessing a mobile web app, but through a downloaded app rather than a browser shortcut. The native app ‘wrapper’ is where authentication takes place, barely noticeable to the user, so innovative multi-factor methods that use the device itself as an authentication factor can be used, rather than a token.

“We need a mobile app” may be only five words, but they throw up a raft of questions that require important decisions. The good news is that high security that isn't a barrier to adoption doesn't require a choice. It's available whether the choice is native or HTML5.

Thomas Bostrøm Jørgensen is CEO of Encap Security