Security has been a huge pain point for the NUX (new user experience) here. It often is, but there are so many possibilities to make this suck a little less. Here are all of the security settings:
The lowest of low-hanging fruit is to allow time-based one-time passwords (TOTP) to let something like 1Password handle that for you. But ideally, they would forgo this entirely and support passkeys. So with the changes so far, this is what onboarding could look like:

Speaking of nonsense banking apps do, this drives me up the wall: After a cold start, it throws up the login screen and starts a biometric auth session. Entirely unnecessary. Determine sensitive parts of the app and require auth to unlock them for the rest of the session.

And whenever `applicationWillResignActive` is called, the app will flicker out whatever screen you're looking at and replace it with a blank logo. Again, this kinda makes sense for sensitive screens. But beyond that, **it's just security theater**. This looks fucking awful:

Moving onto the more skin-deep stuff. The app uses tab navigation: The selection state for a tab is just shifting from gray to red. If you grayscale the screen, it's the same shade. I'd give the selected tab a filled icon variant.

In the Overview tab, the header said "Good evening" at 4:30 PM. Whatever. I digress. I get three sections in this tab: Get rid of this tab, move upcoming bills into Insurance, and make it the default.

Also, one of the "Hints & tips" was advertising new features in the app. When you tap the card, it yanks up a sheet with a card advertising a new feature. Why...why isn't this just the top-level card? Why was this sheet necessary?

I'm still waiting for my policy to kick in, so this card says pending. I'm baffled by this card. The status dot should be significantly larger. Also, there is no reason for the policy category to be in a chip. Put it loose in the card, no container. Just raw dog it.

Right under that policy card, there's a prompt to visit the document center. This could probably use some better copy (why would I want to visit that? it sounds boring. what's in it for me?) but the real thing I want to point out is error handling.
If you're going to advertise something at the second-to-top level of your app, you better make sure it fails gracefully. I've done nothing weird to screw with the app AND YET it throws this ugly technical error at me. I'm guessing because I have no documents. Make an empty state.

In fairness, there is an empty state when you dismiss that error and proceed anyway. I've slowed down the video to ¼ speed so you can see this animation: to make room for the segmented control, everything BUT the description slides down. But the description is the same copy 🤷♂️

Here's just a standard empty state. The description text is leading aligned, but the image and button are both centered. Easy fix: center the stack, center align the description text, reduce the prominence of the CTA.

If you've used SwiftUI, you'll be familiar with semantic toolbar item placements. destructiveAction, navigation, etc. These exist because we've been conditioned to expect certain button types in certain positions. So imagine my surprise when I saw Log out in the confirmation position.

Make log out a destructive button, position it to the bottom of the list, rename "Close" to "Done" and put it in the confirmation position. Boom, fixed your nav bar.

There are a few screens where navigation titles compete with some arbitrary heading in the view. Avoid having two headers of the same visual prominence right next to each other.

Okay. I've done enough free work for State Farm Insurance Inc. The point of this being: these are all papercuts. Nothing fundamental. Just little things that worsen the experience. Take some time to audit your project for these things. I promise you'll be better off because of it.

btw, Lickability (where I normally write these threads) did not endorse this or anything, this is literally just me kvetching about an app that has been forced into my life. more design threads are planned for @lickability as well as here!
@samhenrigold @lickability If you want to be angry about animation I suggest giving the Panera iOS app a look. Ordering something is like walking through tar.

@samhenrigold I just signed up for the umpteenth EV charging plan. App asked me three times for phone number and address, sabotaging autofill of course. Anything car related seems to be bottom of the barrel.

@samhenrigold I appreciate seeing a nice critique. This all, to me, felt like a classic "we have 5 teams working on this app but no single person driving the overall UX or CX but we delivered software" situation. What happens when no one looks at the whole thing? Mostly this.

sam henri gold, you haven't seen real security theater in bank apps if you haven't used the Emirates NBD app.

@grishka I secure all of my software by checking if the file path for Cydia exists and, if so, not letting my user access their money.

@grishka this whole blog post I found while writing this thread is absolute poison. This doesn't secure anything, this just makes tinkering (and, in all likelihood, developing workarounds for a shitty app) more of a pain in the ass. https://medium.com/adessoturkey/ios-app-security-96c32ba4e036

sam henri gold, my thoughts looking at the jailbreak detection section: haha method_exchangeImplementations go brr

@samhenrigold Along the same lines are those banking/brokerage apps that cue up a “You’ve been logged out” push/local notification if you don’t explicitly log out yourself. If I’m automatically logged out… that’s good! I don’t need to be told about it.

@jeff In Fidelity’s app years ago, if you return back from the app switcher after any amount of time, it would sign you out and you would get a non-dismissable alert “You have been signed out. Please log back in." and you just couldn't dismiss it. you had to force quit the app.
A lot of banks and similar entities have security setups like this. And that sucks big time. Because we know that SMS and email one-time passwords are not super secure, the onus is on the user to:
1. Have a random unique password, and
2. Not get SIM swapped or email breached