Starting soon we will be making MIT App Inventor available over https. This is a significant step in improving the security of MIT App Inventor.
However, it is not without cost. In particular, the “Legacy” connect method between the browser and the Companion depends on not having MIT App Inventor served over https.
The reason for this is that the Legacy mode works by having the phone/tablet run a web server. It is not possible to run a secure web server on a phone/tablet, for reasons that are beyond the scope of this document.
Chrome and Firefox (and likely other browsers) enforce a rule that pages loaded over https (aka secure pages) cannot connect to insecure servers, such as the one run on your phone/tablet. In legacy mode, the browser connects to the (insecure) web server on the phone/tablet [1]. So when you load MIT App Inventor over https, legacy mode will not work.
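The browser rule described above, as an added example (not MIT App Inventor code): a simplified model of the mixed-content check that browsers apply to fetch/XHR-style requests, including the loopback exemption. The hostnames, the LAN address and the port are constructed sample values, and the function names are hypothetical.

```javascript
// Simplified model of the browser mixed-content rule for fetch/XHR-style requests.
// All URLs below are constructed sample values, not real App Inventor endpoints.

// Loopback destinations count as "potentially trustworthy" even over plain http.
function isLoopback(hostname) {
  return hostname === "localhost" ||
         hostname.endsWith(".localhost") ||
         /^127(\.\d{1,3}){3}$/.test(hostname) ||
         hostname === "[::1]";
}

function isPotentiallyTrustworthy(requestUrl) {
  const u = new URL(requestUrl);
  if (u.protocol === "https:" || u.protocol === "wss:") return true;
  return isLoopback(u.hostname);
}

// Decide whether a page at pageUrl may connect to requestUrl.
function checkRequest(pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") {
    return { blocked: false, reason: "page is not secure, rule does not apply" };
  }
  if (isPotentiallyTrustworthy(requestUrl)) {
    return { blocked: false, reason: "destination is potentially trustworthy" };
  }
  return { blocked: true, reason: "mixed content: secure page, insecure destination" };
}

// Constructed cases: the first is the legacy-mode situation described above.
const samples = [
  ["https://appinventor.example/", "http://192.168.1.23:8001/"],
  ["http://appinventor.example/", "http://192.168.1.23:8001/"],
  ["https://appinventor.example/", "https://api.example/"],
  ["https://appinventor.example/", "http://127.0.0.1:8001/"],
];
for (const [page, req] of samples) {
  const r = checkRequest(page, req);
  console.log(`${page} -> ${req}: ${r.blocked ? "BLOCKED" : "allowed"} (${r.reason})`);
}
```

The loopback exemption does not help legacy mode: the phone/tablet is reached at a network address, not at the address of the machine running the browser.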
Non-legacy mode connections make use of the newer WebRTC communications system to connect between the browser and your phone/tablet. WebRTC doesn’t require an insecure web server on the phone/tablet; it provides its own security.
[1] Although the connection is not over https (and is therefore considered insecure), we provide our own security layer when communicating with the Companion, but Chrome/Firefox do not know about that.