One of the first things I struggled with, though, was how to access the data through the SharePoint Client Object Model in the Host Web. Every code sample out there just works with data within the app, and doesn’t try to go back to the Host Web to get the data. Since there is a security barrier between the app and the Host Web, you can’t access data in the Host Web through the client context of the app. You must retrieve the site through a special method in the SharePoint API called AppContextSite.
Over the last couple months, I’ve been working on a SharePoint app in my spare time. The app, which is SharePoint hosted, requires site collection permissions and reaches back to the Host App to inspect lists and other objects to identify common issues that impact the performance of SharePoint.