venmo / VENTouchLock

A Touch ID and Passcode framework used in the Venmo app.
MIT License

Passcode persists between app installs #78

Closed pouriaalmassi closed 7 years ago

pouriaalmassi commented 8 years ago

A passcode set by the user will persist after the user has removed the app and reinstalled. In effect this means that someone who removes the app then reinstalls at a later time will be presented with the lock screen and is required to enter the original password.

Steps to reproduce

  1. Given an app that has implemented VENTouchLock, set up a passcode.
  2. Remove the app.
  3. Re-install the app.
  4. Re-launch the newly installed app.

Expected Behavior

  • User should not be prompted for the passcode set in a previous install.

Actual Behavior

  • User is prompted for the passcode set in a previous install.
ericlewis commented 8 years ago

+1

dasmer commented 8 years ago

This is actually expected behavior. On the Venmo app, we don't log you out if you delete the app either. It's particularly annoying to re-log into all your apps after updating to a new iPhone, and that's why keychain via iCloud is great.

We persist your passcode so that a malicious user cannot delete your app and reinstall it to bypass the passcode.
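The behaviour described in this thread follows from where the passcode lives: Keychain items outlive the app bundle, while NSUserDefaults is wiped with it. The Objective-C below is an added example, not VENTouchLock's own code, and does not claim to mirror how the library stores its passcode. It keeps a PBKDF2-derived hash of the passcode (never the passcode itself) in a generic-password Keychain item with a ThisDeviceOnly accessibility class, verifies a candidate in constant time, and detects the exact situation the reporter hit: a fresh install that finds a passcode already in the Keychain. The service, account and defaults key names are hypothetical placeholders.

```objc
// Added example (not VENTouchLock code). Assumes iOS with the Security and
// CommonCrypto frameworks; identifiers below are placeholders.
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <CommonCrypto/CommonCrypto.h>

static NSString * const kPasscodeService = @"com.example.touchlock.passcode"; // hypothetical
static NSString * const kPasscodeAccount = @"passcode";                        // hypothetical
static NSString * const kInstallFlagKey  = @"com.example.touchlock.installed"; // hypothetical
static const NSUInteger kSaltLength      = 16;
static const NSUInteger kHashLength      = 32;
static const unsigned   kPBKDF2Rounds    = 100000; // slows brute force of short numeric passcodes

static NSMutableDictionary *BaseQuery(void) {
    return [@{ (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
               (__bridge id)kSecAttrService: kPasscodeService,
               (__bridge id)kSecAttrAccount: kPasscodeAccount } mutableCopy];
}

// PBKDF2-HMAC-SHA256 over the passcode with a per-item random salt.
static NSData *HashPasscode(NSString *passcode, NSData *salt) {
    NSData *pw = [passcode dataUsingEncoding:NSUTF8StringEncoding];
    uint8_t out[kHashLength];
    int rc = CCKeyDerivationPBKDF(kCCPBKDF2, pw.bytes, pw.length,
                                  salt.bytes, salt.length,
                                  kCCPRFHmacAlgSHA256, kPBKDF2Rounds,
                                  out, sizeof(out));
    return rc == kCCSuccess ? [NSData dataWithBytes:out length:sizeof(out)] : nil;
}

BOOL SavePasscode(NSString *passcode) {
    uint8_t saltBytes[kSaltLength];
    if (SecRandomCopyBytes(kSecRandomDefault, sizeof(saltBytes), saltBytes) != errSecSuccess) return NO;
    NSData *salt = [NSData dataWithBytes:saltBytes length:sizeof(saltBytes)];
    NSData *hash = HashPasscode(passcode, salt);
    if (!hash) return NO;
    NSMutableData *record = [salt mutableCopy];   // stored layout: salt || hash
    [record appendData:hash];

    NSMutableDictionary *query = BaseQuery();
    SecItemDelete((__bridge CFDictionaryRef)query); // replace any existing item
    query[(__bridge id)kSecValueData] = record;
    // ThisDeviceOnly: not migrated to another device via backup or iCloud Keychain.
    query[(__bridge id)kSecAttrAccessible] = (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
    return SecItemAdd((__bridge CFDictionaryRef)query, NULL) == errSecSuccess;
}

static NSData *LoadRecord(void) {
    NSMutableDictionary *query = BaseQuery();
    query[(__bridge id)kSecReturnData] = @YES;
    query[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne;
    CFTypeRef result = NULL;
    if (SecItemCopyMatching((__bridge CFDictionaryRef)query, &result) != errSecSuccess) return nil;
    return (__bridge_transfer NSData *)result;
}

BOOL PasscodeExists(void) { return LoadRecord() != nil; }

BOOL VerifyPasscode(NSString *candidate) {
    NSData *record = LoadRecord();
    if (record.length != kSaltLength + kHashLength) return NO;
    NSData *salt     = [record subdataWithRange:NSMakeRange(0, kSaltLength)];
    NSData *stored   = [record subdataWithRange:NSMakeRange(kSaltLength, kHashLength)];
    NSData *computed = HashPasscode(candidate, salt);
    if (!computed) return NO;
    // Constant-time comparison so timing does not reveal how many bytes matched.
    const uint8_t *a = stored.bytes, *b = computed.bytes;
    uint8_t diff = 0;
    for (NSUInteger i = 0; i < kHashLength; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

// YES on the first launch after a reinstall when a passcode is already in the
// Keychain: NSUserDefaults was wiped with the old install, the Keychain was not.
// The caller can use this to explain the prompt to the user; per the maintainer's
// rationale above, it should still require the passcode rather than clear it.
BOOL IsReinstallWithExistingPasscode(void) {
    NSUserDefaults *defaults = [NSUserDefaults standardUserDefaults];
    BOOL reinstall = ![defaults boolForKey:kInstallFlagKey] && PasscodeExists();
    [defaults setBool:YES forKey:kInstallFlagKey];
    return reinstall;
}
```

Two design points worth noting. The Keychain item is what makes delete-and-reinstall ineffective as a bypass, so clearing it when a reinstall is detected would recreate the weakness the maintainer describes; the detection exists only so the app can explain the prompt. And because a numeric passcode has a tiny search space, the hash alone is not a strong secret if an item is ever extracted; the slow KDF and the device-bound accessibility class are defence in depth behind the Keychain's own protection, not a replacement for it.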

ericlewis commented 7 years ago

@dasmer that makes a ton of sense. You just gave us some extra work, thank you :)

ericlewis commented 7 years ago

expected behavior