[OWASP-Ireland] Secure application development in Mobile apps
John Marmelstein
john at strongpoint.ie
Mon Jul 25 09:36:42 EDT 2005
I'd suggest that a major risk from a fat client is a badly-implemented
official version of the client, as opposed to some hacked one, as the
article discusses. There's nothing inherently wrong with using a fat
client, as long as all communication goes via some secure channel. But
a development error could break that principle.

With a thin client (ideally pure, basic HTML) you have the browser's
pretty well accepted security available. This generic security
implementation is most likely better than any custom implementation.
Granted some custom code might also be needed, but the less of it (and
the more isolated) the better!