Web apps get HttpOnly cookies — session tokens the browser sends on every request but client-side JavaScript literally cannot read, neutering most XSS exfiltration. Native mobile apps don't get that primitive. They roll their own with SharedPreferences / UserDefaults (a plaintext drawer), Android Keystore / iOS Keychain (better, but not script-isolated), or hand-rolled encryption that kicks the key-storage problem down the road.
The full post walks through why the gap exists, the trade-offs of each native workaround, and the case for a platform-level equivalent of HttpOnly so mobile devs stop choosing between a leaky token store and a homegrown crypto scheme.
Originally published at andreasbergstrom.dev — read the full post there.
Top comments (2)
I believe you don't fully understand the notion of HttpOnly cookies in the browser, and you are wrong to feel left out as a native app developer. The browser's client script does not have access to, nor can it write to, this type of cookie, so native apps obviously shouldn't have access to the HttpOnly cookie jar either. The browser receives them from and sends them back to the domain upon a client request. I think Android/iOS mobile apps have similar functionality to store server-set cookies through a cookie store.
Hi! Not sure about pure native Swift/Java apps, but in React Native cookies are officially not stable:
reactnative.dev/docs/network#known...
github.com/facebook/react-native/i...
locastic.com/blog/react-native-coo...