Lessons learned bootstrapping an app with no login

23/03/2021

Prologue

While studying Computer Science Engineering at University I started to understand the implications and dangers of underestimating your digital security.
We usually don't care about it because we don't feel threatened, but it should concern you as much as keeping your front door locked at night.

Your data is as valuable as your physical belongings, if not more.

Did you know "123456" and "password" are among the most commonly used passwords?
Try them to sneak into your ex-boyfriend's Instagram account, maybe you'll get lucky.

One day I took courage and spent an hour reviewing all my digital assets (email accounts, Facebook, etc).
I got rid of all my nameSurnameYearOfBirth passwords, installed a password manager and enabled 2 Factor Authentication (2FA) whenever available.

I recommend always enabling 2FA because it provides an additional layer of security by requesting a temporary code (One-Time Password or OTP) in addition to your username/password, making it much harder for an attacker to break into your account (say you were the ex-boyfriend from above).

The idea

After a few weeks I was pretty satisfied with my new setup: Dashlane (iOS, OSX) & Google Authenticator (iOS only), but I soon realised that not having the OTPs available on the Mac was a huge limitation.

You may be wondering why not use a single app for both passwords and OTPs. The answer is simple: would you keep your credit card and PIN in the same wallet?

At the time there was no well known / trusted OTP Authenticator app sharing data across devices without relying on proprietary servers (e.g. Authy).
Therefore, I decided to build one myself and named the project after Obsidian.

Long story short, the app worked perfectly using the iCloud Keychain capabilities to let users share OTPs across iPhone and Mac without involving any server in between, except for Apple's.

As an entrepreneur I had reduced my risk by:

  • 1 - Leaving the security of the infrastructure to Apple
  • 2 - Preventing remote access to my users' data by design

As a user I had a secure and reliable way to manage my OTPs across my devices.

The icing on the cake was that it only needed an active Apple device to function; no login was required. This was a huge point for me and something I loved about Google Authenticator, since it preserved my privacy.

Obsidian went live and I received a lot of positive feedback, especially for the sharing capabilities, the privacy awareness and the fact it did not involve any proprietary server.

The pitfall

Fast forward to the end of 2020, I started feeling the app was becoming "old" and needed an overhaul, so I decided it was time for a change.
Over the years I had learned React/React Native, so I got the insane idea of rewriting Obsidian from scratch using the new skills I had acquired.

I threw myself into the development and in a few months I had a working version for both iOS and macOS. I was pretty satisfied with the result and in January 2021 I officially released v6.0.
I was thrilled and couldn't wait for my users to update it and tell me how much of an improvement it was with respect to the old Obsidian.

It turned out it was not. Well, partially.

In my vision the macOS app needed to move back to the dock (it was a menu-bar app) in order to become a sort of cockpit for your 2FA.
I imagined it wrong, and within the first 2 days I received almost a hundred emails from customers asking why the menu-bar solution had been removed.
It happened to be the killer feature that skyrocketed their productivity.

I realised in that moment that I had completely neglected to ask my customers what they liked or disliked about the app and ended up making a decision that was in disagreement with what they wanted.
In my defense: how could I have done it?
Due to the way Obsidian was built, to preserve users' privacy and data, I had little knowledge of who my customers were, let alone how to contact them.

Anyway, I acknowledged my error and worked hard day and night to release v6.1 with the menu-bar functionality back; believe me, doing that with a React Native app ported to macOS with Catalyst was not a walk in the park.

Despite this minor stumble, I received a lot of nice feedback regarding the new update, especially for the brand new Clubhouse-inspired theme (I'm joking, but the theme is available for real).

Looking back, I think that I could have come up with some way to ask my customers for feedback prior to removing the menu-bar feature, for example:

  • 1 - using the 90-100 contacts that over the years asked me for support
  • 2 - sending an updated v5 with an annoying popup asking users to fill in a Google form
  • 3 - messaging people who follow the app's account on Twitter (@obsidianapp), asking for feedback

You may well have even better solutions, feel free to reach out :)

Conclusions

I don't regret how things have gone, I'm happy I didn't violate my customers' privacy and learned that there are ways to ask for feedback even though you haven't harvested your customers' emails.

If you have used Obsidian you may have noticed the option to Sign in with Apple; be aware that it is not for marketing purposes.
This was a technical constraint because Apple requires developers to have separate In-App Purchases (IAP) for iOS and macOS, so the reconciliation must be done on the developer side to transfer the purchase.

Apple Sign-In was the obvious choice to preserve the users' privacy: the only information I store is a randomly generated user id, Apple's private email relay address (e.g. dfkmbs4u3r@privaterelay.appleid.com) and the subscription expiry date.

Lessons Learned

Here are a few things I learned along the way:

  • 1 - Never assume you know what your customers think or why they use your app
  • 2 - Never assume you know what your customers want
  • 3 - Privacy must always be protected: if you don't need a login, do not request it, but think about ways through which you can gather feedback from your users
  • 4 - Apple should definitely implement native global IAPs

Thanks for reading,
If you want to reach out feel free to message me on Twitter @tommycarpi