Docker.com useful or not with VFP?
Message
From: 11/06/2015 16:01:08
To: 11/06/2015 14:15:59

General information
Forum: Visual FoxPro
Category: Other

Environment versions
Visual FoxPro: VFP 9 SP2
OS: Windows 8.1
Network: Windows NT
Database: Visual FoxPro
Application: Desktop

Miscellaneous
Thread ID: 01619801
Message ID: 01620926
Views: 50

>>>One argument against browser based applications is that they incur browser security holes: some holes thought to be closed reappear. Why not skip the browser?
>>
>>Oh that's just as bad in apps. You can't see what an app does. Many apps are validated only when they get entered into the store - once they get updated the checks are minimal. There have been countless instances of data leaks with apps stealing login info and forwarding it to other servers. Those issues are universal - same with a desktop app. If you install a desktop - you don't really know what it does. So you have to be prudent about what you run. At least Web apps can't really muck with your local data - your only real worry is leaking secrets (cookies/passwords) but you have that issue in native apps as well, especially since most native apps actually log in through the Web anyway using OAuth.
>
>Mostly agree. The way Android is following the bad Windows example when trying to secure the user from unwanted write operations is not a good sign, but I prefer to delegate security to permissions and roles in the OS: it feels like capitulation to have to argue for browser based apps for security reasons. Especially if the one capitulated to also has security weaknesses ;-)

I find myself increasingly alarmed at the capabilities of so-called APTs (Advanced Persistent Threats). A few current examples:

Equation Group malware capable of reprogramming the firmware of hard drives and SSDs:
http://www.theregister.co.uk/2015/06/09/nsa_firmware_sighted_ctb_ransomware/

Duqu2 (non-persistent!) infecting Kaspersky (!!) for some time:
http://www.kaspersky.com/about/news/virus/2015/Duqu-is-back

German Parliament may have to replace all its computers and software:
http://www.itworld.com/article/2934135/security/german-parliament-may-need-to-replace-all-software-and-hardware-after-hack.html

One might argue that this stuff is state-sponsored and the average businessperson will never see it. I tend to think it will be used by tomorrow's cybercriminals, and next week's script kiddies.

At the same time, intelligence agencies in supposedly freedom-loving countries are trying their darndest to get crypto legislatively backdoored or weakened to uselessness:
http://www.theregister.co.uk/2015/06/02/itsavvy_congressmen_to_feds_can_your_cryptobackdoor_campaign/

I wonder if best practices (or some major court cases) will force important organizations to use highly secure platforms and development ecosystems. And if so, how it might spread to the world at large: for example, MallWart may decree it will only do business with companies running SomeSecureOS v.XX and running SecureApp 1.23 or later.

How will this affect development e.g. app vs. web-based? On first thought I'd tend to think a monolithic app would have less attack surface than loosely-coupled modules that depend on IPC or network communications.
Regards. Al

"Violence is the last refuge of the incompetent." -- Isaac Asimov
"Never let your sense of morals prevent you from doing what is right." -- Isaac Asimov

Neither a despot, nor a doormat, be

Every app wants to be a database app when it grows up