All applications for Bitrix24 can be separated into 2 types:
Embeddings and event processing cannot be implemented via static apps (based on html/js). This is due to POST queries from Bitrix24 being passed with set of parameters into embeddings and events. In response, web server cannot process a static HTML, when opening it.
Server applications located on third-party servers. Direct links for entry point and installer for such app (intended for public distribution, or as local app for a specific Bitrix24 account) are visible inside Bitrix24 UI, when adding the app in partners account.
When application is located on a third-party server, the apps host name must contain a period character ("."). The application for development and testing can be allocated in the local network, but, for example, localhost won't be suitable for such purposes. It's better to indicate a direct IP. (local address will be opened in iframе at the account's app page. There is a browser limit: communication between Bitrix24 account and the iframe contents is performed via postMessage. It was observed that some browser versions incorrectly process messages when they are incoming from localhost.)
There is no need to have a server, signed with actual SSL certificate at application development and testing stage. Self-signed certificate is quite sufficient if added to browser exceptions.
Server applications can both implement user interface inside Bitrix24 and handle data exchange using REST API.