
Branaghan

macrumors regular
Original poster
Jul 3, 2019
195
61
I discovered a bug in this app. It doesn't ask for TouchID or password randomly. Simply enters the app without any of the two.

I contacted the company and am still waiting for a reply. Until that happens I am not going to store private files there and advise you to avoid this, too.

I recorded the entire bug and sent the Dropbox video to them. As you can see, I configured it to request TouchID or password immediately. When you stop using the app and do something else (leaving it in the background), then return to the Readdle app, it should ask for authentication again.

The video proves it is only doing so when we force-close.


Video:

Tested on the IPP 10.5, with the latest iPadOS and the latest version of this app.
 

usagora

macrumors 601
Nov 17, 2017
4,869
4,456
That's interesting. The cloud file apps I use (OneDrive and Google Drive) by default keep you signed in indefinitely once you sign in the first time. I'm not even sure if they have an option to sign you out automatically. The only apps I use that do that are banking apps and 1Password.
 

Nikita Tanchuk

macrumors member
Mar 3, 2021
33
38
Hi there, sorry for the difficulties you've faced! Can you tell me your email address in DM so I can find your request in our system and check how is the investigation going?

Looking forward to hearing from you.
 

Branaghan

macrumors regular
Original poster
Jul 3, 2019
195
61
Just sent you a PM.

I have seen this bug before, yet I thought this was a temporary issue or something wrong with iPadOS. However, it appeared again, as you can see in this video.

One thing I noticed is that you can't force Documents to not remember the last document opened. I wish it had an option to close all previously opened docs and never remember history. If there is such an option, I don't know where it is. It's always preserving previously opened tabs when we use the app again. If this is to be changed, then it should close them after X period.

For the bug to be fixed you need to force this app to always request for TouchID/passcode, regardless of the fact you put the app in the background to do something else (like checking your email), and returned seconds later.

One app that works as it should is this one:

There are others I use which work the same:


Usually bank apps. "Mercado Livre/Pago" is slightly different: it lets you configure if you want TouchID/passcode to be asked immediately or after 1 (or 5) minute(s) of inactivity.

If you are browsing through sensitive documents in DOCUMENTS/Readdle then you would want "immediately".
 

Branaghan

macrumors regular
Original poster
Jul 3, 2019
195
61
I was about to say this bug wouldn't happen again, however it did with the "detailed log" feature turned on. I sent a few emails with 3 or 4 different logs, please take a look. Also in another GMAIL account I mentioned a 2nd video showing the bug happening.

Please consider if DOCUMENTS showing a previously opened file is what is bypassing the authentication. I believe whenever this bug occurs DOCUMENTS is ignoring the protection and displaying the file instead, so the app might be confused on what to do first. nPlayer, on the other hand, is always working, never saw a moment in which it didn't ask for my fingerprint to come back there.
 

Branaghan

macrumors regular
Original poster
Jul 3, 2019
195
61
I received last week a message from Readdle saying the following:

******
Please accept my apologies for not responding sooner.

We have registered the issue (when the app does not ask for a password) on our end. Our developers will definitely take it under the consideration and try to improve it in future updates.

In case you have more questions or ideas, please let me know. You help us to be better.

Have a great week ahead!

Best Regards,

Nikita Bikmulin
Readdle Team

******

After I contacted and sent the logs they needed. Please note this happened in iPadOS 15.0.

Since this issue isn't 100% fixed I'll avoid for the time being putting sensitive documents locally/inside the app. I was planning to do so once I discovered this peculiar way of Google handling accounts:


Since this is the case for Google then it means we can't use the Google Drive iOS app for accessing private files, regardless of the fact this app has internal protection (TouchID, which is asked immediately). We would need to do this in an app which is not logged in the target GOOGLE account, because if this phone is stolen then it means the iOS GMAIL app will reveal everything from the victim.

The GMAIL app has no internal protection (ask for authentication to be accessed). Another which doesn't have this that we all know: the EMAIL app from APPLE. Outlook, on the other hand, offers this: https://apps.apple.com/br/app/microsoft-outlook/id951937596

Ever since I discovered Google works like this - probably to justify locating and blocking Android devices - something we don't need with the iCloud/Apple ID - I am now only using a clean account in my iPAD. By clean I mean one that uses a fake name, birthdate, doesn't have a payment profile or emails which would compromise me and lead to something like this:


If you happen to own any Youtube channel with hundreds of subscriptions, just create a 2nd one in this clean GOOGLE account and add a new playlist with all the videos or settings from it. What is important is to not let a compromised profile in your Apple device, so it would harm you if it gets stolen.

Whenever I want to check my old GOOGLE account I log again and remove from my device the minute after. Same for checking emails, which I now do using the browser.
 

Branaghan

macrumors regular
Original poster
Jul 3, 2019
195
61
READDLE has released a new version recently: 8.1.1, from Oct 12, however it hasn't detailed what changed.

 

Branaghan

macrumors regular
Original poster
Jul 3, 2019
195
61
They told me via email this issue has been fixed. I'll be checking to see if it has been solved. Below is a copy from the email sent this week:

A sincere and genuine thank you for your patience!

We are glad to tell you that our team has already fixed the issue you've faced (Passkey lock doesn't work consistently) and implemented it in the last app updates. May I ask you to update the app to the 8.1.4 version and check whether it remedies the situation?

In case any issue with the app persists, kindly ask you to inform me right away. We will do our best to assist you shortly.
 

Nikita Tanchuk

macrumors member
Mar 3, 2021
33
38
Hi there! I've completely missed this thread, please accept my apologies. Can you tell me whether the latest update fixed your issue?
 

Branaghan

macrumors regular
Original poster
Jul 3, 2019
195
61
Indeed it fixed, I haven't noticed the same bug mentioned before.

Now I can put all sensitive documents back there again. The bug I explained in the first post was due to this app not requesting TouchID authentication immediately after we minimize the app and go do something else. It was always open randomly. Now it's closing itself as it should.

The inactivity period can be defined by the developer of said apps. For example, this one:

Works even better than what you put in Documents:

It requests TouchID/password even during use, not just when you "minimize" its window. It can be configured to:

20 seconds
30 seconds
1 minute
2 minutes
5 minutes
10 minutes

This is the first app I've seen working this way. During use normally no app would close itself, so it would stay open forever. Now I can't tell if the two things can be separated and configured differently, if you can set for example 20 seconds after minimizing the app window and during use. Probably not.
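
The lock behaviour discussed in this thread (prompt immediately after the app is backgrounded, plus an inactivity timeout during use) can be modelled as a small gate that the UI consults before drawing any document, including a restored tab. This is an added Swift example, not code from Readdle or any app named in the thread; `LockPolicy`, `AppLockGate` and their methods are hypothetical names, and the timestamps are constructed.

```swift
import Foundation

// Hypothetical app-lock gate; every name here is illustrative.
struct LockPolicy {
    var backgroundGrace: TimeInterval   // 0 = ask "immediately" after leaving the app
    var idleTimeout: TimeInterval?      // in-use inactivity limit; nil = never lock during use
}

final class AppLockGate {
    private let policy: LockPolicy
    private(set) var isLocked = true    // fail closed: every launch starts locked
    private var backgroundedAt: Date?
    private var lastInteraction = Date.distantPast

    init(policy: LockPolicy) { self.policy = policy }

    func didAuthenticate(at now: Date) {
        isLocked = false
        lastInteraction = now
    }

    func didEnterBackground(at now: Date) {
        backgroundedAt = now
        // With "immediately", lock here so restored tabs are never drawn before the prompt.
        if policy.backgroundGrace == 0 { isLocked = true }
    }

    func willEnterForeground(at now: Date) {
        if let since = backgroundedAt, now.timeIntervalSince(since) >= policy.backgroundGrace {
            isLocked = true
        }
        backgroundedAt = nil
    }

    // Call on every touch and from a periodic timer while the app is open.
    func checkIdle(at now: Date, userInteracted: Bool) {
        if let limit = policy.idleTimeout, now.timeIntervalSince(lastInteraction) >= limit {
            isLocked = true
        }
        if userInteracted && !isLocked { lastInteraction = now }
    }

    // The UI layer reads this before showing any document, including a restored one.
    var mayShowContent: Bool { !isLocked }
}

// Constructed scenario: "immediately" on background, 20 s inactivity while in use.
let t0 = Date(timeIntervalSince1970: 0)
let gate = AppLockGate(policy: LockPolicy(backgroundGrace: 0, idleTimeout: 20))
gate.didAuthenticate(at: t0)
gate.didEnterBackground(at: t0.addingTimeInterval(5))
gate.willEnterForeground(at: t0.addingTimeInterval(8))
print("after 3 s in background:", gate.mayShowContent)
gate.didAuthenticate(at: t0.addingTimeInterval(9))
gate.checkIdle(at: t0.addingTimeInterval(30), userInteracted: false)
print("after 21 s idle in use:", gate.mayShowContent)
```

Both checks print `false`: the gate refuses to show content until `didAuthenticate` is called again.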
 