
I really wish mobile app developers (especially those from iOS) would look at the AccountManager on Android and actually use it. You only ever need to enter credentials once and the AccountManager will store them. Apps can ask for tokens from the AccountManager so they never get the actual password. And new apps can be installed that add themselves to the AccountManager list (eg Dropbox, LinkedIn, Skype etc do this). This is how it should work.

http://developer.android.com/reference/android/accounts/Acco...

iOS drives me nuts. There was an old joke dialog years ago "Windows has detected that your mouse moved. You must reboot for this change to take effect." The contemporary version seems to be "iOS has detected you want to do something. You must enter a password (yet again) for this to happen." I can't understand why people are ok with this - your password should be long and hard to type and hence virtually impossible to enter on a mobile device.

You can always tell the iOS apps that were ported to Android because they have their own UI for asking for your account information instead of using the system. They also almost universally believe you only have one of a kind of account - eg only one Google account. Who doesn't have multiple ones these days (school, work, personal etc)?




Not sure if you're actually an Android developer but I just ran into this issue while working on an app: AccountManager isn't really meant to be used as a standalone password store, it needs to be hooked into a SyncAdapter & ContentProvider in order to function properly. (http://stackoverflow.com/a/8614699/188197)

Its purpose is to allow the system-wide SyncManager to manage syncing data to/from a web service in the background. But if your goal is just to store user credentials somewhere, it's not necessarily the right place to do so, which is why I imagine some apps choose not to use it.


I am an Android developer amongst others. Note that the SyncAdapter/ContentProvider etc don't actually have to do anything. And more to the point the writing of that code is the problem of whoever is providing the service.

As an example the Github app that came out the other day did things right and installs itself with AccountManager. That means any app can now authenticate against Github without needing its own code.

I will admit that it isn't trivial to add your own stuff to AccountManager, but the important part is that it only has to be coded by that provider once (Github in the above example) not by every single app that wants to use it.


What are some cases where you've been asked for a password in an iOS app? I've only ever seen this for initial login with like facebook or instagram, and when updating apps (very annoying, I agree).


Does the browser count?

The iPad browser is a trainwreck in this regard. Not only does it not support LastPass or 1Password, it also utterly fails to remember passwords that were painfully entered manually.

For most sites it simply doesn't recognize the login at all. On some sites it works intermittently, often forgetting the password for no reason or the auto-fill not working reliably.

And don't get me started on HTTP-Auth. You can save those sites (by making a bookmark) but you get a phishing warning every single time you access it.

I have pretty much abandoned the iPad for browsing for this reason. The only time I fire it up is to look up a movie on Rotten Tomatoes.

I'm still bitter this device was pitched to me as "the internet in your hands". It's not up to the task. Not even close.


By default auto-fill is off on the iPad; did you try turning it on for names and passwords?

(I agree that the default behavior sucks)


The AppStore. It's the worst offender.


Only problem I have with AppStore is that it requires my password for free downloads. Paid download? Hell yes, require my password if I haven't typed it in for 15 minutes.


I have kids. I'm happy they _always_ ask for a password... Free apps can be malicious, e.g. giving away location to parties unknown. But still you're right - this could be an option users can decide.


This is part of a deeper problem with most mobile OSes. I might give my phone to somebody so they can make a quick call or look something up online. However, I don't really want them being able to dig through my history or be automatically logged into my email etc.

If I had a child I'd want to be able to let them use my phone but only in a special mode that allowed access to a limited number of whitelisted websites & apps.


Schneier today:

http://www.schneier.com/blog/archives/2012/07/all-or-nothing...

http://cups.cs.cmu.edu/soups/2012/proceedings/a2_Hayashi.pdf

But: yes.

I'd like my phone to offer a few different "shells" of access:

- Emergency calls.

- "Share" or "play" mode. Selected photos or apps.

- "Mobile" -- ready access to stuff I need, but not distractions (the "Car Panel" on some Android phones is somewhat like this, but I'd appreciate if it didn't encourage use while driving).

- "Full" complete and potentially immersive access.


There are currently a few projects ongoing with enabling VMs on smartphones. The way it was thought is that you would put your corporate stuff on a protected VM that would have no external app install, and the rest (games, social networks...) would be on the "fun" VM. That way, the company data would be better protected.


This isn't a popular sentiment but the way I solve this is not to let anyone borrow or touch my devices.


iOS 6 removes the need to enter passwords for app updates. Finally.


I wouldn't be lying if I said it's one of the sweetest things I've found in iOS 6.


The good thing about the AppStore password timing out after 15 minutes is that you can hand your child the iPad/iPhone/etc. and not get a surprise $5,000 iTunes bill.


That's an edge case, though. Why not make it a configurable option?


This is definitely not an edge case. How many kids do you see at the grocery store with their noses in an iPhone while their parent(s) shop?

That said, it would be nice to have the option of telling the app to cache your credentials.


Edge case was perhaps the wrong term. It certainly is not a majority case. As I said, make it an option, everyone is happy.


Not the person who turns on the option to make their life easier and then complains because their kid spent $400.


?! Are you suggesting that everyone should be denied the choice because some people are unable to make informed decisions?


This is confusing authentication and authorization. Is this phone legitimately tied to this Apple ID? Yes. Is the owner of the account authorized to make such a purchase? No.

A short appstore PIN could solve this much more easily.


I'm not so sure having _yet another_ PIN for users to remember would be a good idea. And besides, a short PIN would be far easier to deduce by looking over a person's shoulder.


It is a configurable option (Settings -> General -> Restrictions)


Yeah, it's configurable between "Demand my password again if 15 minutes has passed" and "Demand my password again immediately." You can tell you're going in the wrong direction when you first have to "enable restrictions" hoping to relax the restriction. I take it you've never actually tried to configure this option.


Holy not an edge case Batman! That is most definitely a very common reason to timeout the password...


Oh my god that is so not an edge case.


How about using a fingerprint scanner for authentication? Or face recognition using the front-facing camera? It's 2012 after all.


The Samsung Galaxy S3 has face recognition. It can be unlocked using a photo of the user. Google Images search, point cam at laptop, bingo you're in.


They "fixed" this in JellyBean.


Too many false positives.

Now, an SD card with a certificate plus face recognition might be ok ;-)


Why an SD card? The phone itself is already a portable device you control.


It depends on the app but at least in the areas I work (business apps relating to tracking money) I wouldn't assume that device authentication is sufficient.

But for biometrics, keep in mind that biometric systems are currently seen as the most subject to false positives of any authentication system out there with the possible exception of improperly maintained and insufficiently strong passwords.


How about each Google app I install? Or any app that has Dropbox integration? Or Trello. Pretty much every app is an island and doesn't know that you have already entered your username and password numerous times in other apps.


iOS 6 addresses this (system account management) for FB and Twitter.

The vast majority of Google account holders only have one account; you and the average HN user are atypical.


>The vast majority of Google account holders only have one account

As Google Apps for business and schools becomes more and more popular, this becomes more and more wrong. Tons of non-technical people have a personal Gmail account and a school/work one.


And more do not.


Over time people are far more likely to accumulate more accounts. The longer someone has been on the net the more accounts they are likely to have. Making life difficult for this group of people doesn't seem sensible.

I love this article about an ecommerce site and requiring people to register: http://www.uie.com/articles/three_hund_million_button/

Note one statistic: Later, we did an analysis of the retailer's database, only to discover 45% of all customers had multiple registrations in the system, some as many as 10.

That puts the order of magnitude of people having more than one account around half. That of course doesn't mean that people have multiple Google accounts, just multiple accounts but Google is becoming increasingly pervasive being the email provider for companies, universities, organisations etc.


What kind of half-assed excuse is that for not implementing a good feature that's proven to work?


But they don't address it for Dropbox, Skype or random other services out there.



