I see the cause of confusion. I was assuming and talking about the case of the legitimate user have a root/non locked down device as being imputed as the "attacker". I don't think he was talking about other people stealing or having acces to your device. And in any case, all bets are off then if you meant that scenario. At least with a browser user can choose not to save passwords and the attacker won't get bank creds, so even in that case a web app would be better.
alt Hacker News
I see the cause of confusion. I was assuming and talking about the case of the legitimate user have a root/non locked down device as being imputed as the "attacker". I don't think he was talking about other people stealing or having acces to your device. And in any case, all bets are off then if you meant that scenario. At least with a browser user can choose not to save passwords and the attacker won't get bank creds, so even in that case a web app would be better.