HTML5 is widely expected to become the technology of choice for future mobile application development, as mobile platforms become increasingly fragmented, but the technology is not a panacea, according to David Akka, UK managing director of Magic Software.

HTML5 is the latest iteration of the HTML standard, used for building and deploying web content. While previous versions of HTML were designed primarily for marking up text-based content, HTML5 is much more interactive, allowing web developers to take advantage of new capabilities such as 3D graphics rendering and gesture control without the need for plug-ins.

Most smartphones and tablets now come with built-in browsers, allowing developers to create sophisticated HTML5 applications that can be deployed on multiple platforms, rather than having to build separate versions for iOS, Android, Windows Phone, BlackBerry and so on. HTML5 can also be used to build hybrid applications, which behave like native apps but have HTML5 inside.

The drive toward HTML5 application development comes from the right place, according to Akka. Developing for multiple mobile platforms means learning the native language of different vendors, each of whom has a completely different stack, different testing, different development paradigms and processes, so the cost of developing for multiple platforms natively is substantial.

However, this does not mean the technology is ready for every implementation and, in particular, issues around security, synchronicity and the fact that it is an evolving standard can make it an unsuitable option for enterprises, said Akka.

“In the last 8 months, there has been a huge hype around HTML5 – this is now the secret ingredient for every successful mobile implementation,” he said. “Although we believe there is a lot of good stuff coming out of HTML5, we feel the need for caution.”

HTML5 has its own pitfalls

Akka said that the real issue with HTML5 is that it is still HTML. This means that it is open to many of the same security vulnerabilities as previous iterations of the standard, including SQL injection, which is the number one risk to web applications, according to Trustwave's latest Global Security report.

“At the end of the day this technology was not built to take data from an enterprise and try to use that on the go. It was more about content display, it was more about the viewing of pages, an organisational portal and things like that. Not really designed well for a transaction-based area,” said Akka.

Furthermore, it needs a large amount of bandwidth in order to synchronise the downloading and refreshing of different objects. If bandwidth is constrained – as is often the case when using 3G networks during peak hours or when signal is weak – objects can become misaligned. For example, a Facebook tag of a friend might appear on the wrong photo.

The implications of this are particularly worrying in a business context, according to Akka. For example, if a business manager using a purchase order approval app on a mobile device receives the request to approve or reject a PO before the cost breakdown comes through, he could end up approving it without full knowledge of the facts.

“You think that there is obviously a bug in the software. You start looking into the code and you do testing and everything seems right, and then you start applying patches. Eventually you end up putting bandaid on top of a bandaid on top of another bandaid,” said Akka.

“This is very much the same as the situation 10 years ago when e-commerce came out. You used to shop, shop, shop, and put it all into your basket, but it would never get to the basket. This is a characteristic of HTML's infrastructure.”

Akka said that the synchronisation problem would probably disappear with the advent of 4G technology in the UK, but warned that companies need to be cautious about using HTML5 in the meantime.

One way to get the benefits of multi-platform development without using HTML5 is using a Mobile Enterprise Application Platform (MEAP). This allows developers to build their applications in the metadata of the MEAP, and that application is then automatically translated to each of the native platforms.

“People are trying to embrace HTML5 as a strategy to every mobile development, but the fact is you can achieve multi-platform with one single line of code with any MEAP,” said Akka. “The whole development is done via the MEAP – the tools, the language, the development environment, the development processes, the testing; it all comes as one package.” Suppliers offering MEAP technologies include IBM, Sybase and others.

Matching development with function

While most organisations are still likely to opt for HTML5 in the long term, a MEAP might be a good stop-gap until 4G becomes ubiquitous. Akka admits that, in ten years' time, HTML5 is likely to be a major player in the mobile application development space, but warns that it may still be held back by the efficiency of the user interface for data input.

“If I compare HTML today to HTML five years ago it has improved significantly, and if the same trend continues, then probably it can be a major player in a UI front end, but not necessarily enterprise-grade,” he said.

“It's great when you need to type one or two fields. It gets a bit more complicated when you have to do heavy data entry.”

Magic Software has a large install base of customers around the globe, including Sky, Adecco and Hiscox, and Akka said the company has a very clear rule of thumb when advising them which route to take with their mobile applications.

“If it's content related or collaborative information – which is mainly pictures, images, diagrams, documents – go the HTML5 route, it's really built into that. If it's very much a transactional process – approval of purchase orders or something like that – go through a thin client native as part of a MEAP. You can still develop it once and it will deploy on every platform natively,” he said.

A joint survey by IDC and cross-platform development vendor Appcelerator earlier this year revealed that 79% of mobile developers will integrate HTML5 in their apps this year. However, HTML5 is still a work in progress, and fragmentation poses a challenge for developers. According to Appcelerator, there is a 20-30% difference in how different browsers consume content.

Meanwhile, security firm Sophos has warned that HTML5 could create new challenges for enterprise security professionals, because the browser itself will increasingly become a target for cyber criminals. New sandboxing in HTML5 also makes “clickjacking” more of a risk, as web pages are no longer able to identify where commands are coming from.

“Over time, HTML5 will fix many of the problems that we have, but as with any new technology you tend to get a regression in the first place,” James Lyne, senior technologist at Sophos, told Techworld back in December.

“Broadly speaking, we should charge full ahead in this direction, because Flash has been a pain and the new web apps are really cool, but we also need to make sure that we're not casually adopting a nightmare.”