Pro App - user able to bypass Welcome / Email signin and go straight into the app

My app’s URL: Glide

I have a user on an iPad able to log into the app and bypass the email and terms & conditions
– I was sitting next to them

  • they had not logged into the app before with this email address
  • the app picked up their normal Gmail address (not one they would create for testing)
  • there is no record of login - in the GSheets auto-populated login sheet
  • but the user has a row created in our app

This obviously would not be a good thing as I have a very confidential app. The user would not have access to any real data at this stage as I am using row owners and they do not have a complete profile. However, for GDPR and good record keeping processes, I have no record that they ever signed the Ts & Cs (because I know they did not).

thanks!

Bad problem!!!

1 Like

So, they did not log in, but the app still recorded their “normal Gmail email address”? There’s no way for the app to psychically guess your email address if you don’t tell it—perhaps they were already logged in?

Can you make this happen again?

Are you sure the user had never logged in before using that Gmail address?
If they had (from that device), and had never deliberately logged out, then the app would log them straight in.

Search the App: Logins sheet and see if that Gmail address is there anywhere. If it is, then that most likely explains what happened.

Also, maybe the person logged in using that same Gmail account from another device while in the Chrome browser. If that’s the case, Chrome saves those settings and it may have just logged them in automatically.

I will check when I get home in 30 mins. It’s my son doing testing (his holiday job - his mother is a remote senior software team lead & engineer … so we have 20+ devices at home)

More to come - thanks!

I think we have tracked it down… maybe…
the user had accessed the system back on 12 March (when the app had email login but no TC)
— but there is no record of the login in the App Sheet (not been touched, so only automatic log)

  • the user had logged in with Gmail (if that is useful to know)

so maybe the data got stuck… as it was a very old login…

We then tested on different tablets (various iPads) - and all fine.
We tested on other devices (including old Android phones and tablets) - fine.

He did go in via Telegram for his first and second visit today from the weird iPad - that was the browser (inbuilt) that displayed the URL. Might be another thing to think about.

K - thanks for looking!

3 Likes

Closing due to inactivity. This topic will be deleted in a few weeks if there are no more comments.