Firebase Authentication "survives" uninstall and reinstall

Open dkbast opened this issue 1 year ago • 3 comments

Description

This issue happens with the flutter firebase plugin, which to my understanding is based on this native implementation.

When a user uninstalls an app in which they are authenticated using Firebase Auth (e.g. email + pw) and then reinstalls the app, the user is directly signed in with the old credentials.

Expected behaviour: When uninstalling the app, the credentials are also wiped. "Nobody" logs out before uninstalling an app. And especially in cases where the user wants to avoid somebody else gaining access to their account and "just uninstalls" the app, that's a huge red flag.

This has already been discussed here: https://github.com/firebase/flutterfire/issues/4661 but no solution has been found - the issue was closed with just updating the docs saying that this can happen, but that's not a good fix for the user.

Reproducing the issue

No response

Firebase SDK Version

flutterfire core 2.24.2, auth 4.15.3

Xcode Version

15.1

Installation Method

N/A

Firebase Product(s)

Authentication

Targeted Platforms

iOS

Relevant Log Output

No response

dkbast, Jun 03 '24 10:06

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

google-oss-bot, Jun 03 '24 10:06

Some ideas for a workaround or solution if it's decided to change this behavior from https://forums.developer.apple.com/forums/thread/36442

paulb777, Jun 03 '24 14:06

IMHO this is the expected behavior; I mean, if users want to be logged out, they must take that action themselves. If you want to solve this issue in your particular case, I would try to flush the keychain the first time you open the app after reinstalling it.

You can ask to authenticate the user again even if the credentials are still valid.

If your app needs any kind of double-check, it could use LAContext, for example, or any kind of 2FA each time it launches. Remember that the keychain keys are stuck to the Apple ID.

The login process is a pain for most companies: each time you show the login you are wasting the first-impression moment (for example, selling digital goods, offering discounts, engaging the user with your app, etc.), and that ends in less profit.

jesus-mg-ios, Jun 14 '24 06:06
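
The first-launch workaround suggested in the thread, sketched for a native iOS app delegate. This is an added example, not code from the Firebase SDK or from any commenter; `FreshInstallGuard` and the defaults key are hypothetical names, and the protected-data check is an added precaution.

```swift
import FirebaseAuth
import UIKit

/// Added example: `FreshInstallGuard` and `markerKey` are hypothetical names.
@MainActor
enum FreshInstallGuard {
    // UserDefaults live in the app container and are deleted on uninstall.
    // Keychain items are not, which is why the old session reappears.
    private static let markerKey = "hasLaunchedSinceInstall"

    /// Call once at launch, after FirebaseApp.configure().
    /// Returns true when a session left over from a previous install was cleared.
    @discardableResult
    static func clearStaleSessionIfFreshInstall(
        defaults: UserDefaults = .standard
    ) -> Bool {
        // Precaution (assumption): if protected data is not readable yet,
        // for example a background launch before the first unlock, a missing
        // marker could be misread as a fresh install. Skip and retry later.
        guard UIApplication.shared.isProtectedDataAvailable else { return false }

        // Marker present: this install has already run, keep the session.
        guard !defaults.bool(forKey: markerKey) else { return false }

        var cleared = false
        if Auth.auth().currentUser != nil {
            do {
                // signOut() removes the user that Firebase Auth persisted.
                try Auth.auth().signOut()
                cleared = true
            } catch {
                // Leave the marker unset so the next launch tries again.
                return false
            }
        }

        // Record the first launch only after the session is known to be gone.
        defaults.set(true, forKey: markerKey)
        return cleared
    }
}
```

Users who update from a build without the marker are signed out once, because their first launch of the new build looks like a fresh install.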