FaceID in iOS Simplifi App broken


Comments

  • KP_9
    KP_9 Member ✭✭✭

    Hi @Coach Natalie, I am seeing the same behavior as dalain reported. My FaceID settings are also enabled and set to "Immediately," I'm running iOS 17.3.1 and Simplifi 4.18.1 (34444), and am seeing the same inconsistent-FaceID-at-launch as reported above.

    I ran these sequential tests to see if the differing behavior might be tied to length of time between last session & relaunching the app after quit. Here's what I observed:

    • Quit, wait 1 minute, relaunch: No FaceID prompt
    • Quit, wait 2 minutes, relaunch: No FaceID prompt
    • Quit, wait 10 minutes, relaunch: Yes FaceID prompt
    • Quit, wait 5 minutes, relaunch: Yes FaceID prompt
    • Quit, wait 10 seconds, relaunch: Yes FaceID prompt
    • Quit, wait 5 seconds, relaunch: No FaceID prompt

    The behavior isn't consistent - after the first three tests, I suspected there might be a time threshold (below X time wouldn't trigger a reauth even though the app had been quit), but the later tests didn't track with this theory.

    Regardless, there is clearly an issue with access control. For users with FaceID enabled (any setting, immediate or delayed), upon the first launch of the app, there should always be an initial authentication & authorization check before the mobile app retrieves and displays that user's data. Many users' reports here show that isn't always being triggered, which makes this high priority.

    The Simplifi developers need to conduct a thorough access control code review of the mobile app flow (and ideally, all apps - if access control is a problem here, it might be in other places too) and find where the auth logic/enforcement has been improperly or incompletely implemented. Proper practice is to check authentication and authorization server-side (never client-side) on every request - your Dev & Security teams should trace the logic carefully together to ensure that is indeed the case.

    Please pass along these references on authentication and authorization best practices that the team can check against during their review:
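The client-side part of what KP_9 asks for (an authentication gate that always fires on a cold launch and again after a grace period, with "Immediately" as the zero-grace case) looks roughly like the following. This is an added illustration, not Simplifi's own code; `AppLockGate`, `RootView`, and the localized reason string are hypothetical, and it assumes unlock state is kept only in process memory so that a quit-and-relaunch can never skip the prompt. Server-side enforcement on every request is a separate concern this snippet does not cover.

```swift
import LocalAuthentication
import SwiftUI

// Hypothetical app-lock gate (added example, not Simplifi code).
// Policy: cold launch ALWAYS prompts; foreground prompts again after `graceInterval` (0 = "Immediately").
final class AppLockGate: ObservableObject {
    @Published private(set) var isUnlocked = false
    private var backgroundedAt: Date?   // in-memory only, never persisted to disk
    private let graceInterval: TimeInterval
    init(graceInterval: TimeInterval = 0) { self.graceInterval = graceInterval }

    // Unlock state lives only in process memory, so a relaunch after a quit starts locked
    // regardless of how short the gap was (the 5-second vs 10-minute cases in the tests above).
    func needsAuthentication(now: Date = Date()) -> Bool {
        guard isUnlocked else { return true }            // cold launch or never unlocked
        guard let since = backgroundedAt else { return false }
        return now.timeIntervalSince(since) >= graceInterval
    }
    func didEnterBackground(now: Date = Date()) { backgroundedAt = now }

    // Prompt with Face ID / Touch ID, with the device passcode as the system fallback.
    func authenticateIfNeeded() {
        guard needsAuthentication() else { return }
        isUnlocked = false                                // hide data until success
        let context = LAContext()
        var error: NSError?
        guard context.canEvaluatePolicy(.deviceOwnerAuthentication, error: &error) else {
            return                                        // stay locked; surface `error` to the user
        }
        context.evaluatePolicy(.deviceOwnerAuthentication,
                               localizedReason: "Unlock your financial data") { ok, _ in
            DispatchQueue.main.async {
                self.isUnlocked = ok
                if ok { self.backgroundedAt = nil }
            }
        }
    }
}

// Sensitive views render only while unlocked; the gate is re-evaluated on every
// activation, including the first inactive-to-active transition after a cold launch.
struct RootView: View {
    @Environment(\.scenePhase) private var scenePhase
    @StateObject private var gate = AppLockGate(graceInterval: 0)
    var body: some View {
        Group { if gate.isUnlocked { Text("Accounts") } else { Text("Locked") } }
            .onChange(of: scenePhase) { phase in
                if phase == .active { gate.authenticateIfNeeded() }
                else if phase == .background { gate.didEnterBackground() }
            }
    }
}
```

Because `isUnlocked` defaults to `false`, the gate fails closed: if the prompt never runs for any reason, account data is simply not rendered.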

  • Coach Natalie
    Coach Natalie Administrator, Moderator admin

    Hey everyone, I went ahead and filed a ticket for this issue using the information that's been provided thus far, and I will let you all know when we hear back.

    @KP_9, thanks for the testing and outline. I used your case as an example; however, it would be really great to attach logs. Do you have access to the Quicken Simplifi Web App where you can use the 'Send Feedback' option to submit those to us?

    1. Log into the Quicken Simplifi Web App.
    2. Select Profile from the left-hand navigation bar.
    3. With the Profile menu open, hold down the Option key for Mac or the Alt key for Windows, and then click Send Feedback.
    4. Leave all boxes checked, add a brief description of the issue, and then click Send.

    Thanks!

    -Coach Natalie

    SIMPL-19832

  • kis87988
    kis87988 Member

    Yes, I am facing exactly the same issue. @Coach Nicole , your solution doesn't solve any of these problems.

    This is a very high-priority security issue. It doesn't require FaceID when you completely quit the app and open the app.

    The only time FaceID will prompt is when you open the app and go to another app without completely quitting/closing Simplifi. The next time you enter the app, it will work.

    This should not be the right behavior of the app.

    I would feel this is a very important security issue that Quicken should take as a high priority.

  • CS0077
    CS0077 Member

    I deleted the app from my phone because it is not secure. I only use the website. I am considering changing services when the trial period is over if this isn't corrected.

  • RobWilk
    RobWilk Superuser ✭✭✭✭✭

    If you secure your phone with a lock screen, and don't routinely hand your phone over, it really shouldn't matter much.
    Rob Wilkens