forcedotcom / SalesforceMobileSDK-CordovaPlugin

Cordova plugin for the Salesforce Mobile SDK

Passcode is being prompted after taking a Photo on Android #579

Closed MattSynaptic closed 1 year ago

MattSynaptic commented 2 years ago

We upgraded to 9.2.1 using the new device passcode. Our app also uses the cordova-plugin-camera.

Steps to recreate:

  1. Require passcode in the connect app in the Salesforce org.
  2. Log into your mobile app and create a PIN.
  3. Take a photo (using the cordova-plugin-camera).
  4. It brings up the camera; you take the photo, and when you return to the main app it prompts you for the passcode again.

This isn't happening with the iOS version of the app and didn't happen with the 9.1 version of the Salesforce SDK for Android.

The app probably thinks it's leaving the app and then returning, which is technically true, but it's not a great user experience. Is there any way we can prevent this or at least make it not prompt the passcode if you return within 10 seconds or something like that?

gkotula commented 2 years ago

Hi MattSynaptic,

Unfortunately connected apps don't have the capability to define a "grace period" between backgrounding and foregrounding for when the app should lock behind a PIN. Adding that feature to connected apps would be a large effort and we cannot commit to it at this time.

The PIN lock behavior did indeed change between 9.1 and 9.2.1, and now the mobile app requires a PIN every time it goes to the background. This brought the app behavior in line with connected app policies, and the Mobile SDK is not allowed to override the Org behavior since that creates a security concern.

FWIW the reason why iOS is not experiencing the same issue is because the camera is launched as a "popover" and the app never actually goes to the background. With Android using Intents and launching separate processes, this issue is impossible to avoid.

MattSynaptic commented 2 years ago

So to clarify, the pertinent change here in Android from 9.1 to 9.2.1 is that the minimum on the PIN that you would set in the org with 9.1 was 1 minute, and so the user wouldn't see the PIN screen unless they sat with the camera open for more than 1 minute. On 9.2.1, the user always sees it because the timeout is immediate, correct?

gkotula commented 2 years ago

Correct. See the Mobile Passcode Policies section for further details: https://developer.salesforce.com/docs/atlas.en-us.noversion.mobile_sdk.meta/mobile_sdk/android_passcodes.htm

gkotula commented 1 year ago

Hi @MattSynaptic, I wanted to follow up on this issue to let you know that with Mobile SDK 10.1.1 the PIN timeout from the connected app settings in your Org is once again respected. If the app is backgrounded for longer than the timeout set in the connected app settings, the lock screen will show. It is no longer immediate. The PIN length setting is still ignored, deferring that to the device's settings.