Why HTML5 is not the choice for enterprise mobility
David Akka, UK MD of Magic Software, explores the buzz around HTML5 and why it may not yet be the right choice for enterprise developers
HTML5 is being hailed as the programming language that will not only enable developers to achieve multi-purpose web application development, but ultimately solve many issues facing mobile development.
As a result, the buzz around the technology is intensifying, further proof of which came from a recent survey of 1,200 developers, which found that 75 per cent are using, or plan to use, HTML5 for app development. Perhaps this is partly due to recent accolades, such as Adobe’s public denouncement of Flex in favour of HTML5, hailing it as the best technology for creating and deploying rich content to the browser across mobile platforms.
HTML5 offers some real advantages in the consumer space and for tools such as social media and video. However, the reality is that it’s not mature enough as a tool for business applications. Issues such as security, synchronicity and the very fact that it’s an evolving standard make it an unreliable option for enterprises. Consideration of these pain points offers a reminder that, while the future may be an HTML5 one, right now it’s not the panacea for mobile development. Moreover, for those looking to mobilise their enterprise applications, the priority is that sensitive data is kept safe, and applications perform as they should.
Security concerns
The security of data is a key concern, and the vulnerabilities that we associate with HTML applications – phishing, malware and denial of service attacks – still apply. In its new 2012 Security Threat Report, Sophos cites that HTML5 offers cyber criminals “new ways to trick people into passing on potentially sensitive data or installing malware”, and that “the sophisticated presentation layers that can be created using HTML5 ‘blur the lines’ between what's running on the device and what's on the internet”.
There is a fundamental danger that HTML5 will offer an open gateway to the corporate network, and, with the proliferation of mobile devices accessing networks, this is too much of a risk to take. There is also a key question of trust – when it comes to enterprise data, would you trust an HTML5 application in its current iteration to keep your data 100 per cent safe? Do you want to use JavaScript to get your data from SAP?
When it comes to developing for enterprise applications, synchronicity is key, and perhaps the primary concern when it comes to HTML5, is that it is an asynchronous technology stretched to become synchronous using JavaScript. JavaScript relies on the synchronisation between different document objects, the download and refresh speed of which can be significantly affected by bandwidth. The downside is that synchronisation between objects can be broken when 3G drops speed based on factors such as utilisation and coverage.
A common example is when using a Facebook iPhone application and receiving a notification that a ‘friend’ has tagged a photo of you. Since the 3G coverage in your area is weak, you might not recognise yourself in the picture, or else the tag has come through before the picture. A comparable business context could be using a PO approval app on a mobile device that runs on HTML5, and receiving a request to approve or reject it before the cost breakdown comes through. This would effectively mean approving without knowledge of the full facts. While for social media apps there may be less severe consequences, in the enterprise there is far more sensitive data at stake and huge implications for the business if things go wrong.
Evolving standard
The very fact that HTML5 is an evolving standard means it's not a ‘model de facto’, but a technology that is still in its infancy stages. The World Wide Web Consortium (W3C) will not finalise the definition of the HTML5 standard for several more years, which poses significant levels of uncertainty around its validity and reliability. For example, given the issue with synchronisation between objects, developers will find they constantly have to patch problems when HTML5 doesn’t perform as it should, which will cost money and time. Unfortunately, when working with an immature technology, an entire code can very quickly become unmanageable. Certainly when 4G arrives in the next four to five years, many of these concerns will evaporate, but until then we have to consider HTML5 in the context of 3G, and therefore not a foolproof technology.
Jeffrey Hammond, principal analyst at Forrester, says that “it isn't simply a question of either/or; there are four viable approaches to choose from: native, hybrid apps (native code with HTML and JavaScript), mobile middleware platforms, and a web approach (HTML5 and JavaScript)”. This suggests that HTLM5 is not a “one-size-fits-all” solution in its current state, but rather what should be considered is a hybrid approach that will suit a complex mobile strategy, taking into consideration how people are using particular apps. Native app development, mobile middleware platforms and a web approach, can all in fact be viable choices for enterprise application development.
In four to five years time, when 4G will be widely available, HTML5 might well have matured enough to be seriously considered for a range of different development purposes, including as a tool for business applications. Until then, in order to successfully develop for enterprises, it's more sensible to opt for something that can run natively. This means applications can be optimised to the programming interface that a specific device platform offers. Mobile application platforms are built on the same premise as HTML5 – develop once, deploy anywhere – but they have none of the above mentioned issues around security and synchronicity, and so offer a much safer option until HTML5 technology matures.
17 comments
Comment: 1
Are you talking about HTML5 or the W3C here?
Comment: 2
Also, HTML5 is not a programming language. HTML is a markup language, Javascript is a programming language.
CSS 3 could easily be used in enterprise apps. The problem is sticking with versions of the least capable browser in existence (IE) screws everybody.
Comment: 3
"There is also a key question of trust – when it comes to enterprise data, would you trust an HTML5 application in its current iteration to keep your data 100 per cent safe? Do you want to use JavaScript to get your data from SAP?"
Javascript is not the protocol used for retrieving data, just the scripting language that deals with the data returned. 2048 bit encrypted HTTPS would be the protocol in most cases.
"A common example is when using a Facebook iPhone application"
well if it is an iPhone application it is written in Objective C not HTML/Javascript etc.
"Since the 3G coverage in your area is weak,"
How are network issues any worse with HTML based apps compared to any other system, a native iPhone/Android app is going to have problems if you have no network just the same as a HTML app.
I could go on
Comment: 4
If banks are using mobile apps and mobile sites, then the security is there. If you are approving things without being able to see the entire content then you're an idiot.
"Until then, in order to successfully develop for enterprises, it's more sensible to opt for something that can run natively."
Hmm, I believe you covered that when you took Jeffrey Hammond's quote totally out of context. Why not use a hybrid native/HTML5 app developed with PhoneGap (or similar) & cut down the costs to port to mobile web and go cross platform a lot easier than porting to X number of OS languages? In fact the link you cite even shows that he is talking about exactly that.
From his companies strap line: "Do it once. Do it Right". Dave, you're doing it all wrong baby.
Comment: 5
The days of building the same app ten times for ten different native platforms and billing the client for it are almost over, thankfully.
Terrible article .Net - please don't run one like this again.
Comment: 6
If you use Flash/AIR stuff or true native apps, things have to communicate to the backend so I fail to see how HTML5 would make this more risky.
For example: "JavaScript relies on the synchronisation between different document objects, the download and refresh speed of which can be significantly affected by bandwidth". That's valid for any client/server app!
What you basically say is mobile business applications are risky and bring complications. Yes, but that's not news, that's filler.
".. and that “the sophisticated presentation layers that can be created using HTML5 ‘blur the lines’ between what's running on the device and what's on the internet”."
Really? This is so weird: do folks trust software more because it looks like style text instead of a real graphical UI design? Or do they trust good looking things more because they assume it's native? What does the look of something REALLY say about how secure it is? And besides, a crappy native app is worse then a proper HTML based one, and so is the reverse.
Comment: 7
HTML5 with javascript leaves potential security holes, lacks data buffering and various interface options typical to real applications. The html5 security is as solid as the browser is, and its very easy to leave room for javascript injection. Its much easier to trick people using infected/ redirected webpage or scripts than by binary virus with infected file. With html you keep downloading same data all over, so its always slower to work with it.
Because of all those Ipads/Iphones and androids being advertised and hyped, the managers go crazy and think that HTML5 will solve everything now and everybody will be using it everywhere, but platform applications have its role mainly for work efficiency and less data throughput requirements and will never faid off, also its much easier to lose code integrity of whole project with scripting languages
HTML5 is nice, offers a lot of potential, but it would be wrong to just force it everywhere, not everything is just about light UI design
Comment: 8
That being said I find your statement utterly useless at best. All platforms are vulnerable, all platforms have issues, and when those issues will be fixed new ones will crop up, thus provoking an endless state of progress.
Comment: 9
http://www.kevinsweeney.me/post/18384940943/html5-enterprise-mobility
Kevin is a developer for Vimeo.
Comment: 10
And is there such a thing as a web-based technology that is NOT asynchronous?
Comment: 11
http://www.davidakka.com/enterprise-mobility/html5/
Comment: 12
This guy has no idea what he's talking about. That's why those "enterprise" guys are dying.
Comment: 13
Customer buys proprietary vendor product to handle their enterprise mobile requirements, pays vendor a significant fee to produce an app to manage their customer interaction.
1) The business requirements of the app change. In consultation with the vendor, the customer discovers the application doesn't support the features required to meet the objective, and the feature may *possibly* be available in the next version which will be available 6 months from now. Customer's business strategy has to be altered to accomodate. No guarantee that the expected feature may appear in the next version of the app, as the vendor has 30 other customers and it's own internal decision processes over which elements are most important for the next version of their framework.
2) Customer discovers that some of their internal communications mechanisms are a bit bespoke, and don't follow industry standards. Vendor product supports basic mechanisms for information transfer and can't meet the requirements without significant lengthy calls between developers on both sides to put together a less than ideal solution to the problem.
3) Product support is 9am-5pm and is down primarily to the physical availabily of people. "Native" standards like HTML5 - thousands of developers and google support. FTW.
Basically my point is, with "native" industry standards you have options. If HTML5, Objective C, Javascript etc doesn't cut the mustard in a given scenario, then you can use other frameworks and solutions. With vendor based managed solutions, more often than not there are additional limitations added to the development environment, and your options can be restricted by the limitations imposed by the vendor's product.
If the vendor is a small outfit, reaching for a bigger market - your company might be part of their learning curve - they might learn the lessons, but at what cost to your business?
Comment: 14
Sustainable development is about saving money. Do it right, do it once, pay for it once.
This however is not an argument against HTML5 and its development in itself. But did we really need an article to tell us that companies like to use technologies that aren't likely to change at the relative drop of a hat...
Comment: 15
And the talk about compatibility is utter nonsense; HTML5 is perfectly backwards compatible, even with IE6 and the remarkably poor NetFront browser. People worry far too much about IE compatibility - especially in a world where a new browser comes out every month. To design specifically for ANY browser is a recipie for disaster and a completely unsustainable approach. If anything HTML5 makes it EASIER to create cross browser compatible layouts, not the other way around!
This article is shockingly sub-par for .net and I'd advise the author to concentrate on topics for which they have more than a rudimentary understanding. It seems to me he is confusing a whole bunch of concepts into one; application layer, HTML5 markup, asynchronous Javascript driven UIs and CSS3. These are separate and distinct disciplines which have little or no relation to one another. Grouping them all together under the HTML5 banner is insulting those of your readers who do this stuff for a living - and far worse; confusing those who are just starting out.
Comment: 16
Comment: 17
HTML 5 does not say you access SAP with java script. Its just a replacement for HTML on mobile. I don't understand when everyone embracing HTML on web so much for most of the application what is the problem for security sync and any of such BS with HTML5? Yes, certain applications run on desktop computers so as will be on native platforms,