Some people have asked similar questions about protecting HTML5 apps and protecting freemium apps, but not both together. I’m asking this separately because I have the impression (whether right or wrong) that HTML5 is particularly insecure vs native.

I’m working on an embedded HTML5 app I want to monetize using the freemium model, but I’m worried about how to keep its virtual currency and scoring variables from being too easily messed with by the end user, as I fear this could negatively impact revenue if some hacker (no offense intended by the term) were to create a YouTube video or blog posting about an exploit. I think it is pretty unlikely early on for this to happen, but I think vulnerability will matter more with popularity. I’m also worried about with which someone can copy an app.

I though realize both are possible inherently with an app installed on the device.

My questions are:

1. How easy is it, in your opinion or experience, to mess with an
   unobfuscated embedded (not browser dependent) HTML5 app and its Javascript vs a native app with core files based on Java or Objective-C data?/How well does obfuscation work on HTML5 apps vs native obfuscated
   apps in terms of data protection?
2. How difficult is it to obfuscate an HTML5 app vs using something like Proguard on regular Android apps?
3. Does obfuscation cause HTML5 to noticeably slow down for normal users?
4. Lastly, do you think it’s practical to have an HTML5 app with
   freemium features? Or do you personally think it is too vulnerable?

What I’m basically trying to figure out with them is whether HTML5 is particularly vulnerable or hard to protect, at least when compared to protecting native apps. If an obfuscated HTML5 app is as secure or insecure as a regular app, then I guess I’m okay with it.