[Feature-Request] API for Developers to Add Device Lock Code to Apps
asked 2015-03-15 20:02:38 +0200
Now, many here (including me) have already requested that they would like it if particular apps could be password protected and only open when the right passcode is entered.
I noticed that if you have enabled device lock code and try to enable 'Developer Mode', Sailfish immediately asks you to enter the security code first. This is perfect, and I suggest that you extend this and offer it as an API for use in other apps too.
This way, if a developer wishes to add password protection features in his / her app, they can then simply call this API. (And it could work the same way it does now as in the 'developer mode' option - wherever the developer calls the API in the app, the phone device lock code should be asked from the user.)
Otherwise, developers may end up rewriting their own insecure version of this feature (or worse still, not bother because of the work involved). Another plus of such an API - as a user, I would trust (and expect) a Jolla API for this to be the more secure option.
Note: I still believe that as part of their initiative to secure Jolla, they should still offer a Sailish OS feature to password protect an app by the USER of the phone. But my suggestion here could provide a quick-fix temporary solution, and is, I believe, a useful feature for developers too as it makes their job easier.
Use case:
(1) Developer wishes to ensures that only an authenticated user (the phone owner) can open and use the app.
(2) Developer wishes to ensure that only an authorized user can makes changes to the app and / or access the app data.
My quick-fix suggestion is for use case 1.
As suggested above, extend the phone device lock code and provide it as an API for developers to add a simple authentication method for opening apps. The API only needs to provide a boolean value indicating whether the user entered the correct code. (The phone lock method can handle all user error . If the user taps 'Cancel' in the phone lock view, the API should automatically terminate the app that called it).
Pseudo-code -
/* call api */
user.authenticated = os.app.secure.open()
/* verify authentication */
if (user.authenticated == True) {
// run app
}
Use case 2 may need architectural change in Sailfish OS (for example sandboxing each app and its data like ios does). And encryption to protect user data and so on ...
(Please do read this post carefully before marking it as a duplicate - it sounds similar but it isn't.)
sifartech ( 2015-03-15 20:03:04 +0200 )editWhat do you aim to protect, allowance to start a binary or perhaps the user data of it? To be really effective, these should probably also implement access control or encryption, just asking password for certain apps sounds easy to bypass.
Pekka Vuorela ( 2015-03-16 11:47:22 +0200 )edit@Pekka Vuorela - Both. See 'Lock Application' and Restricted Mode for Sharing Phones for more info. I've also updated the OP with more information.
sifartech ( 2015-03-16 20:25:36 +0200 )edit