This blog enty is part 2 of my thoughts on offline web applications on mobile devices. In case you haven't seen part 1 and are interested in this topic, you might want to read part 1 first before continuing here.
When allowing web applications to store data offline and to access locally available information a number of issues arise that require special attention:
Data Synchronization
When storing data both in a local database in the network, the databases have to be synchronized once the mobile device regains network connection. Even for single user applications local and remote database synchronization is not straight forward since the user could have first used the application on the mobile device while it was offline to change some data and later on via the desktop that modified that data in the network. This means that when the mobile devices goes online it can not assume the data base in the network was not modified. Thus, the application needs an algorithm to compare the changes made in the database on the mobile device with the changes made in the database on the network and then modify the local and the network database accordingly. The same applies to multi user applications such as shared calendars.
Access to Local Information Outside the Browser Cache
A big advantage of mobile devices is the ability to support the user’s creativity at the point of inspiration. When pictures, videos, podcasts, blog entries etc. are created on the mobile device they can automatically be enriched with other information such as GPS location before being instantly sent to a picture and video sharing site, blogs, etc. Current web applications, however, do not have access to files and other local data beyond what they can write into the local web database themselves while the device is not connected to the web. In the future it is thus necessary to create an interface for web applications to enable them to access user created content and additional information such as location information. Access to local information needs to be dealt with carefully as it presents a security and privacy issue as will be further discussed below. From the technical point of view the big question is how web applications could gain local access in a generic way to make them interoperable over a wide variety of devices. Some devices might have more sources of information than others. As using proprietary APIs to access such information would make web applications device specific, a standard set of functions must be designed which are then translated on each device into proprietary operating system commands.
Security and Privacy Considerations
Allowing a web application to store data locally or to even access local information beyond the browser cache has a number of security and privacy implications which have to be considered when implementing such functionality.
The main issue with having a local application and data cache in the web browser is that JavaScript applications can use the local cache for user tracking. Advertisement platforms could use the local interface to write a JavaScript program that is included in all web pages of their advertising partners and that records from which page it has been invoked in the local cache. When the same JavaScript application is executed again from a different page it reports the last page back to the advertisement server which can then generate a user profile. As most users are unlikely to agree with such methods the user has to be informed that an application wants to store information locally and what kind of privacy issues this could bring with it. The user should then have the choice to allow or deny the use of local storage either temporarily or, in case the JavaScript application is trusted, permanently.
Access to local device information outside the browser cache is even more sensitive as malicious JavaScript applications could read private data of the user and send it to a server in the network. Therefore, the user has to be informed about the JavaScript application trying to access local data and give the user the possibility to allow or deny the request. It is then for the user to decide whether he trusts the application and thus allows access to local resources. Again, the user should have the choice to allow access temporarily or permanently as trusted applications should be able to access local data without further queries to the user once agreement has been given. Otherwise, usability of the application would suffer.
As always, comments are welcome!
Getting the equivalent of a popup asking "Yes/No - do you want to allow access?" is not good enough for the average user to make an informed decision. There should be at least some dynamic risk rating associated with the site (so if a trusted site asks for something out of the ordinary, the risk rating would increase). Ideally, the user would be informed of identity theft, marketing attempts, viruses, etc., but that may take a while.
Posted by: Chris Vail | December 18, 2007 at 10:59 PM
Hello Chris,
thanks for the input. Indeed a think a simple yes/no question is not enough. So the question is at which point does the user stop reading because there's too much text in the warning... Not easy.
Cheers,
Martin
Posted by: Martin | December 20, 2007 at 09:39 AM