eu-digital-green-certificates / dgca-wallet-app-ios

Repository for the dgca wallet app for iOS.
Apache License 2.0

no biometric or alternate secure requested on start #49

Closed rebwalz closed 3 years ago

rebwalz commented 3 years ago

Describe the bug

On starting the app on my iPhone, there is no secure request to enter the app if no biometric or alternate secure is saved on the mobile device.

Expected behaviour

On starting the app there has to be a login mechanism with biometric data or pin or template. If there is no biometric data saved on the mobile device, the user has to save one secure login possibility. Otherwise a start of the app is not possible.

Steps to reproduce the issue

  1. restart the iPhone to be sure no app is running anymore
  2. open the walletApp
  3. no login is requested

Technical details

iPhone Xs, iOS version: 14.4 (18D52)

Possible Fix

Additional context

yspreen commented 3 years ago

Interesting. Can you take a screen recording? Does the phone have a passcode set? Does the phone have biometrics set in system preferences?

yspreen commented 3 years ago

Okay I see:

if no biometric or alternate secure is saved on mobile device.

The question is, do we want to support such insecure devices?

yspreen commented 3 years ago

This is actually by design right now, but we should inform the user for sure.

rebwalz commented 3 years ago

This is actually by design right now, but we should inform the user for sure.

In Android we have another behavior. On starting the Android app the user has to save biometric data or a pin or a template. Otherwise it is not possible to start the app. We should have the same behavior on both types of devices. And in the specification it is written that a login is necessary.

yspreen commented 3 years ago

iOS doesn't allow us to record biometric info specifically for the app. It can only be used with the same data that's stored to secure phone unlocking.

We could ask the user for a pin instead. Then we'd have to store that pin, and design a new UI for setting and checking the pin. Specifically for phones without a phone pin code.

yspreen commented 3 years ago

I'd vouch for an info screen: "please set a passcode for this device so that we can verify your identity"
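The start-up check discussed in the comments above (iOS offers only the device's own biometrics and passcode, so a device with no passcode needs an info screen rather than silent entry), as an added Swift example that is not part of the thread or the project's code. `StartupGate` and `checkStartupGate` are hypothetical names; the `LocalAuthentication` calls are the standard iOS API.

```swift
import Foundation
import LocalAuthentication

/// Outcome of the start-up gate (hypothetical type for this example).
enum StartupGate {
    case unlocked            // owner authenticated with biometrics or passcode
    case passcodeNotSet      // device has no passcode: show the info screen
    case denied(Error?)      // cancelled, failed, or policy unavailable
}

/// Asks iOS whether the device owner can be authenticated at all, then
/// requests biometrics with device-passcode fallback. Every error path ends
/// in a non-unlocked state, so a missing passcode never opens the wallet.
func checkStartupGate(reason: String,
                      completion: @escaping (StartupGate) -> Void) {
    let context = LAContext()
    var error: NSError?

    // .deviceOwnerAuthentication = biometrics OR device passcode.
    // It cannot be evaluated when no passcode is configured on the device.
    guard context.canEvaluatePolicy(.deviceOwnerAuthentication, error: &error) else {
        if let laError = error as? LAError, laError.code == .passcodeNotSet {
            completion(.passcodeNotSet)
        } else {
            completion(.denied(error))
        }
        return
    }

    context.evaluatePolicy(.deviceOwnerAuthentication,
                           localizedReason: reason) { success, evalError in
        // The reply block runs on a private queue; hop to main for UI work.
        DispatchQueue.main.async {
            completion(success ? .unlocked : .denied(evalError))
        }
    }
}

// Caller side (assumed): on .passcodeNotSet present a blocking screen such as
// "please set a passcode for this device so that we can verify your identity"
// and keep the certificate list hidden until the gate returns .unlocked.
```

Running the gate on every launch and return to foreground, not only on first start, also covers a passcode that is removed after the app was set up.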

rebwalz commented 3 years ago

I'd vouch for an info screen: "please set a passcode for this device so that we can verify your identity"

That is the way it works on Android. If the user doesn't set a passcode on the device, the app isn't starting.

rebwalz commented 3 years ago

On iOS 12 everything works fine. After testing the same on iOS 14.4, the walletApp shows no message and does not start. If you have no idea that you need a secure passcode, the user will have no idea why the app is not working.

yspreen commented 3 years ago

Agreed, this is why we're fixing this.

Can you confirm both apps run the exact same version? The OS should not make a difference here.

rebwalz commented 3 years ago

I uninstalled the wallet app on both devices and made a new installation.

yspreen commented 3 years ago

I don't have a device without Passcode to test on. @PaulBallmann can you debug this?

rebwalz commented 3 years ago

You can remove the passcode very easily on every device. Just go to Settings -> Face ID & Code; there you can remove the app permission.

yspreen commented 3 years ago

Sadly that removes all biometric data and training as well. While also forcing you to re-login into all authentication, tan, and banking apps. It's not worth the hassle if someone else has a testing device ready :)

rebwalz commented 3 years ago

No, it is possible to remove the Face ID just for the walletApp. If you find the setting Face ID & Code, there is a setting "other apps"; all apps are listed there and you can remove the Face ID only for the wallet app.

yspreen commented 3 years ago

Sadly that only removes biometric authentication. It then asks me for my passcode as a fallback. The issue you're describing doesn't come up.

PaulBallmann commented 3 years ago

Once my test device updated from iOS 12 to iOS 14, I can debug the issue.

PaulBallmann commented 3 years ago

I opened a pull request addressing the issue. I tested on an iPhone 6s with no biometric data or passcode set on iOS 14.6.

yspreen commented 3 years ago

It's merged on main. 1.0.1(4) should fix this. Thanks @PaulBallmann !

rebwalz commented 3 years ago

In the latest release (1.0.1 (3) May 27, 2021 at 17:26) the behavior is still the same.

PaulBallmann commented 3 years ago

@rebwalz Have you tried with 1.0.1(4), e.g. the current one on main? The issue should be fixed there but afaik there's no new release yet.

rebwalz commented 3 years ago

I have no possibility to test it without a new release.

PaulBallmann commented 3 years ago

We will be deploying a new release today for you to test as soon as the open PRs are approved.

PaulBallmann commented 3 years ago

@rebwalz - Wallet app 1.0.2 (1) should include the fix.

rebwalz commented 3 years ago

With the version delivered on May 28 (Version 1.0.2(1)) everything works fine. Is it possible to refresh the releases in GitHub?