Developing a Mobile App for People with Too Many Passwords
Recently, we introduced you to EZ Link, our new Socialcast login feature. Right from your Socialcast web or mobile app, you just click a button to send yourself an email with a link that logs you into the Socialcast mobile app.
Today, we all have more passwords to remember than ever. We developed EZ Link to give our users one less barrier to getting work done.
[Missed our overview of the new Socialcast mobile login flow with EZ Link? Read it now.]
This was my first hybrid app development project, made more complicated by its interaction with email and by the redirects from our core server to the platform-specific mobile app. Here are my five top takeaways from developing it:
- Be sure your app doesn’t allow user enumeration.
- Leave enough space between clickable objects.
- Mobile OS detection isn’t that difficult.
- In iOS, you can programmatically open a specific email.
- Mobile testing is a lot easier if you can proxy to your development instance.
As a developer on this project, I’d like to share my mobile app best practices and reveal why the steps we took behind the scenes matter to the end-user experience.
Password Forms Trump Security Breaches
I still encounter apps or websites that respond to an incorrect login attempt with “no user with that email found.” That is user enumeration: an invitation for attackers to try different addresses until the message changes to “password incorrect,” at which point they have a confirmed account to attack. We need to avoid giving attackers any hint that the credentials, while not correct, are partially correct. The login form should return one generic message (“invalid email or password”) whether the address is unknown or the password is wrong, and it should take roughly the same time on both paths, since a noticeably faster “unknown user” response leaks the same information as a different message.
For users, it might be frustrating to enter an email address on a “lost password” form and get a non-committal answer (especially if they never receive the reset email because they mistyped the address). Any inconvenience is offset by protecting every user’s identity: the form never reveals whether what was typed exists in the database.
Our security team reviews any code having the faintest possibility of a security impact. I’m always happy to throw away any code that doesn’t pass security review and work with our engineering and product teams to find the safest approach.
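As an added example (not Socialcast's code), here is what the two forms described above look like when they give nothing away. The user table, the password, and the mailer stand-in are constructed for the example; the key derivation and constant-time comparison are standard, and the "unknown user" path deliberately runs the same PBKDF2 work as the "wrong password" path so that response time does not become the enumeration oracle the message no longer is.

```ruby
require "openssl"

# Added example, not Socialcast's code. Constructed in-memory user table:
# each record holds a per-user salt and a PBKDF2-SHA256 hash of the password.
PBKDF2_ITERATIONS = 100_000
KEY_LENGTH = 32

def hash_password(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS, KEY_LENGTH,
                             OpenSSL::Digest.new("SHA256"))
end

ALICE_SALT = OpenSSL::Random.random_bytes(16)
USERS = {
  "alice@example.com" => { salt: ALICE_SALT,
                           hash: hash_password("correct horse", ALICE_SALT) },
}.freeze

# Hash of a throwaway password, used to keep the "unknown user" path as
# slow as the "known user, wrong password" path.
DUMMY_SALT = OpenSSL::Random.random_bytes(16)
DUMMY_HASH = hash_password("placeholder", DUMMY_SALT)

# One message for every failure, and one message for every reset request.
AUTH_FAILURE  = "Invalid email or password."
RESET_MESSAGE = "If an account exists for that address, a reset email is on its way."

# Compare two byte strings without short-circuiting on the first mismatch.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns true only for a known user with the right password.
def authenticate(email, password)
  user = USERS[email]
  # Always run the KDF; never branch on whether the email was found.
  salt     = user ? user[:salt] : DUMMY_SALT
  expected = user ? user[:hash] : DUMMY_HASH
  match = secure_compare(hash_password(password, salt), expected)
  !user.nil? && match
end

# What the login form shows: the same text for "no such user" and
# "wrong password".
def login_response(email, password)
  authenticate(email, password) ? "Logged in." : AUTH_FAILURE
end

# Stand-in for the real mailer: records the address instead of sending.
SENT_RESETS = []
def deliver_reset_email(email)
  SENT_RESETS << email
end

# The "lost password" form: mail goes out only when the account exists,
# but the answer is identical either way.
def request_password_reset(email)
  deliver_reset_email(email) if USERS.key?(email)
  RESET_MESSAGE
end
```

The remaining leak in this design is the mailbox itself: a reset email arrives only for real accounts, which is unavoidable, but an attacker who does not control the mailbox learns nothing from the web response.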
Can’t Click It? Then It Isn’t EZ
Developing a login process for a mobile app is a lot like giving a presentation: The first seconds are critical. I have seconds to get users to click the right buttons and direct them where they need to go. If they can’t read or click something right away, it’s frustrating, and I’ve lost them.
It’s easy to make bad decisions about how many items you can fit on a screen, especially with so many different device sizes and screen resolutions. Be sure to leave enough space around clickable objects. You’ll rarely go wrong with spreading things out. The same goes for font sizes. I originally made some error messages way too small.
But First, iOS or Android
Have you ever used a mobile app that claimed to be smart, simple and almost all-knowing, just to have it ask you what device you’re using? Choosing an iOS or Android route during the app login process adds an unnecessary step, and it’s just not a good look.
Not being sure of the possibilities, we debated whether to ask the user to indicate iOS or Android upfront or to provide links to both apps in the EZ Link email (which is what we originally did).
Fortunately, it turns out that mobile operating system detection isn’t that difficult. Since the core server handles the clicked EZ Link before redirecting to the mobile device, we realized we could check the request’s User-Agent header and send the user to the correct app. It’s as easy as it sounds, with one caveat: the header is whatever the client chooses to send, so it is fine for picking a landing page but must never feed into validating the login token itself.
iOS: request.user_agent =~ /iPhone|iPad/i
Android: request.user_agent =~ /Android/i
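The two regexes above, wrapped into a routing function, as an added example rather than Socialcast's own code. It generalizes the page's check slightly: old Windows Phone browsers advertised both “Android” and “iPhone” in their User-Agent, and desktop browsers (including iPad Safari from iPadOS 13 on, which sends a Mac UA by default) match neither, so both cases fall through to a page that simply offers both app links. The URLs and sample User-Agent strings are placeholders constructed for the example.

```ruby
# Added example, not Socialcast's code. Picks a landing page for a clicked
# EZ Link from the User-Agent header. The header is chosen by the client, so
# it only steers the user to an app store or deep link; the login token in
# the link is validated separately and never depends on this value.
# Placeholder URLs:
IOS_URL     = "https://app.example.com/ezlink/ios"
ANDROID_URL = "https://app.example.com/ezlink/android"
CHOOSER_URL = "https://app.example.com/ezlink/choose" # offers both links

def detect_platform(user_agent)
  ua = user_agent.to_s
  # Windows Phone IE included both "Android" and "iPhone" tokens to get
  # mobile-optimised sites; rule it out before the positive matches.
  return :unknown if ua =~ /Windows Phone/i
  return :ios     if ua =~ /iPhone|iPad|iPod/i
  return :android if ua =~ /Android/i
  # Desktop browsers (and iPad Safari presenting a Mac UA) land here.
  :unknown
end

def landing_url(user_agent)
  case detect_platform(user_agent)
  when :ios     then IOS_URL
  when :android then ANDROID_URL
  else               CHOOSER_URL
  end
end

# Constructed sample User-Agent strings for trying the function out.
SAMPLE_IOS     = "Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4"
SAMPLE_ANDROID = "Mozilla/5.0 (Linux; Android 5.1; Nexus 5 Build/LMY48B) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36"
SAMPLE_WP      = "Mozilla/5.0 (Mobile; Windows Phone 8.1; Android 4.0; ARM; Trident/7.0; Touch; rv:11.0; IEMobile/11.0; NOKIA; Lumia 930) like iPhone OS 7_0_3 Mac OS X AppleWebKit/537 (KHTML, like Gecko) Mobile Safari/537"
SAMPLE_DESKTOP = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/600.7.12 (KHTML, like Gecko) Version/8.0.7 Safari/600.7.12"

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_IOS, SAMPLE_ANDROID, SAMPLE_WP, SAMPLE_DESKTOP, nil].each do |ua|
    puts "#{detect_platform(ua)} -> #{landing_url(ua)}"
  end
end
```

The chooser fallback is the important design choice: a wrong guess sends the user to the wrong store, which is worse than asking, so the code only guesses when the header is unambiguous.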
Open Email Directly from Other iOS Apps
In iOS, it’s a little known fact that you can programmatically open a specific email. Some curious software engineers (like this one and this one) noticed that starting in iOS 7, calendar events created directly from emails had an option to “show the message in Mail.” This revealed a previously undocumented “message://” URL scheme. If you set an outgoing email’s “Message-ID” header to a value you know, you can use this scheme to build a link that opens that exact message.
We leveraged this capability to include an option for iOS users to get redirected to their Mail app directly from the Socialcast login screen. After selecting “Get EZ Link” on the login screen, iOS users can then click an “Open Email” button on the EZ Link confirmation page. If the email arrives by the time the user clicks the button, the email itself will open.
A few caveats. Timing issues mean the email might not have arrived yet when the user taps “Open Email.” So the best way to think of this feature is “open this message if it exists; otherwise just open the Mail app.” Also, the only default email client in iOS is Mail, and the message:// scheme is handled by Mail alone. Users of Outlook or other mobile email clients won’t be able to take advantage of this feature.
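As an added example (not Socialcast's code), here is the server-side half of that feature: minting a Message-ID, stamping it on the outgoing EZ Link mail, and deriving the message:// link for the confirmation page. The sending domain and the login URL are placeholders. The percent-encoded `message://%3C...%3E` form, with the Message-ID's angle brackets included, is the form I have seen documented for this scheme and is an assumption here; check it on a device before shipping. The security point is that a Message-ID is visible to every mail server on the path, so it is generated independently of the login token rather than reusing it.

```ruby
require "securerandom"
require "erb"

# Added example, not Socialcast's code.
MAIL_DOMAIN = "mail.example.com" # placeholder sending domain

# Generate a Message-ID that is unique and unrelated to the login token.
# Message-IDs appear in headers and MTA logs on every hop, so they must
# never carry a secret.
def generate_message_id(domain = MAIL_DOMAIN)
  "<#{SecureRandom.uuid}@#{domain}>"
end

# Build the iOS deep link that asks Mail to open that exact message.
# Assumed form: the whole Message-ID, angle brackets included, percent-encoded.
def message_url(message_id)
  "message://#{ERB::Util.url_encode(message_id)}"
end

# Minimal RFC 5322 message for the EZ Link mail. The login token lives only
# in the URL in the body; the Message-ID is a separate random value.
def build_ezlink_mail(to:, login_url:, message_id:)
  [
    "From: no-reply@#{MAIL_DOMAIN}",
    "To: #{to}",
    "Subject: Your EZ Link",
    "Message-ID: #{message_id}",
    "",
    "Tap to log in: #{login_url}",
  ].join("\r\n")
end

# What the "Get EZ Link" confirmation page needs: the message:// link for
# the "Open Email" button, with the id kept so the mail carries the same one.
def prepare_ezlink(to:, login_url:)
  message_id = generate_message_id
  {
    message_id: message_id,
    mail:       build_ezlink_mail(to: to, login_url: login_url, message_id: message_id),
    open_url:   message_url(message_id),
  }
end

if __FILE__ == $PROGRAM_NAME
  result = prepare_ezlink(to: "alice@example.com",
                          login_url: "https://app.example.com/ezlink/TOKEN")
  puts result[:mail]
  puts result[:open_url]
end
```

If Mail has not yet fetched the message, iOS falls back to just opening Mail, which matches the “open this message if it exists” behaviour described above.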
This App Was Tested on an Actual Device
Many users aren’t aware that developers often test apps in a mobile simulator, not on an actual device. That is fast and convenient during initial development, but beyond that it leaves you with unknowns. How will your app behave on real screen sizes and real hardware? What about real-world performance and memory usage?
Mobile testing is a lot more realistic if you can point the app at your development instance. I’m an OS X user, so to help with testing I modified the iOS version of our mobile app to send the iOS simulator to my localhost endpoint. But eventually I needed to test on a real mobile device. Pushing my in-progress code to shared non-production servers did the trick but took time.
Using SquidMan as a proxy server, I pointed my iPhone’s Wi-Fi proxy setting at my MacBook Pro. Because Squid resolves hostnames on the Mac, any development domain listed in my “/etc/hosts” file was routed to my development server. Instead of using the iOS simulator, I could use my iPhone 6 Plus to run the app through its paces. (The phone still validates TLS as usual, so a development domain served over HTTPS needs a certificate the device trusts.) I only wish I had discovered this sooner.
The Mobile App Experience Starts at the Login Screen
Here’s the biggest lesson I learned developing this mobile login flow: The login experience is just as critical to developing a good mobile app as the rest of the user experience. Enterprise security, ease of use, intelligence—it all begins when you first log in.
That’s why we developed an enhanced mobile login experience for Socialcast with EZ Link. Ask me a question and tell us what you think in the comments below!