I just finished a mobile app reset to go along with my password reset. The recent Facebook email fiasco gave me pause; though I wasn't affected, it was a reminder of how much power apps can have, and how important app permissions are.

So I took a good look at the apps I had installed and deleted all but the ones I really wanted. It was easy to delete the apps I no longer use. But taking things a step further, I deleted any app that also has a decent mobile web experience. Most services have at least a simple mobile site, while sites like Twitter or Google+ have sites that rival their apps. There are still a few features missing from the browser, like camera and notification support, but I don't really miss them yet (and I’m trying to cut back on notifications anyway).

I imagine there will come a day when all or most phone features will have a corresponding web API. While that gives the browser a lot of power, it still feels safer to me since:

  1. browser APIs operate on an ask-first permissions model. For example, the browser asks the user before giving location information to the site. Contrast this to the app model, which must ask for all permissions up front, even if the user doesn’t need or want them.
  2. if there is a browser vulnerability, the fix applies across all websites. In an app model, each company is responsible for its app’s own security.
I'm focused on the consumer security aspect here, but there are a lot of other good reasons to develop for the mobile web.

What’s left on my phone are apps that can only operate as apps (such as Kindle, BeyondPod, Sonos and Rdio), and then a bunch of Chrome bookmarks. The bookmarks look like app icons, but they all lead to mobile web sites: