Non of the keys that are stored in the keychain are readable in plain text, they need to be decrypted with salts that are built into the binary itself.
The tokens can always be extracted, and the attacker can then reverse-engineer the hashing by downloading the binary on their own machine and reversing the encryption.
I think on the Touch Bar MacBooks you could set some attributes on the keychain entries to enforce Touch ID before revealing the tokens, which would make it actually secure by having the OS enforce that, no matter which app is trying to access the tokens, as long as it doesn’t have root access.
Either way, it’ll be 100% optional - If you don’t want that extra step, you don’t need to!
As I said, not bulletpoint - I do appreciate people questioning the security though! If you see room for improvement then please do shout (or DM me)!
Fantastic idea, had noticed the APIs - I’ve added it to my notes to investigate when I get to the point of putting a wall in front of the app! Thanks again
Todays priorities has been getting things ready for the first round of testing
Enable "Check for updates… functionality
Pending preferences pane to allow opt-in for beta builds too (Obviously the first one will be beta anyway)
Add “Submit Feedback” dialog which allows you to report bugs, suggest ideas and provide general feedback
Add a system for detecting crashes and exceptions, allowing for those sorts of bugs to be fixed much quicker!
Renamed the app, replaced the app icon and other minor tweaks
This change was asked for by Monzo staff, as it looked too official
This hasn’t been completely confirmed yet, and is subject to change
Also for the sake of convenience, I’ve set up a super quick Google Form in order to receive beta builds!
The application is being built to be as simple to use as possible, so this is limited to just technical people - but as with any totally new application you can expect to see issues especially in the first betas!
–
I’ve sent a handful of builds of a “read only” version to people on the developer Slack and am already fixing some issues and making many improvements! Very exciting, and the feedback has been amazing
Preferences and OSS Acknowledgements pages have been added
Images have been compressed reducing overall application size
Updated some of the documentation within the app
Defined placeholders throughout the application
Fixed the app icon I made earlier because it wasn’t centered and it was really annoying me
Added a hover state and pointer cursor to make it more clear transactions are tappable!
Some big changes this evening as I change focus a little bit, having discussed with friends I worked out if I bought some things forward (work that was planned as part of beta 2) then it would make other things go a lot quicker!
As such I’ve transitioned all transactions to a new system which allows for caching, easier refreshing, and most importantly live updates of UI when you make changes!
Introduced drag and drop image/attachment upload on a single transaction
Allow users to delete attachments
Speed increase to transaction list view
Support all currencies in all places (meaning support for non-GBP accounts)
Fixed issue where help messages didn’t marry up with actual checks (causing confusion)
Might not sound a lot, but under the hood a lot has changed and it should make further changes much easier!
Also big thanks to the couple of alpha testers who have been looking at the “read only” build and reporting issues! Will be contacting more people soon enough!
–
Update 6th July
Added support for keyboard shortcuts throughout login flow (Copy, Paste, Select, etc)
Basic account switching functionality without needing to reboot the application
Use cached transactions to speed up initial launch, only waiting for newer transactions before showing
Modifications to Keychain means fewer requests to unlock your keychain (prevents about 5 alerts on startup)
Refresh and account switching work is still pretty basic and will evolve through the next few betas to make it quicker and more reliable!
Having a lot of great feedback and successes using the beta version of the app which is great to hear. I’ve also created a public GitHub project in order to make it clear some of the things I’m working on and let people contribute original ideas, feedback on existing things or just plain bugs!
Happy with the number of testers for now, but will happily send it on to more people once I’m ready with the third build containing even more functionality and hopefully some nice design improvements!
Just replied on Twitter - great to see your interest!
Authentication is handled completely in app (apart from the mandatory email link) as apposed to jumping out to Monzo’s solution. I’ve not had any fuss about this from Monzo themselves, but that’s not to say they won’t try to avoid people doing it moving forward.
The notice about “this not public, don’t do public apps with it” is more of a warning in my opinion. Monzo have realistic limitations (like only collaborators, etc) to prevent excessive public apps.
I am in communication with Monzo and they seem to be quite happy with what I’ve produced (mostly) but I’ll be sure to let you know if that changes!
It’s worth noting that I’m building this completely in the mind that APIs will completely change and probably break massive parts of this. E.g. Pot Goals were broken for a while, but luckily this was recently just fixed by Monzo after I (and a few other people) raised the issue!
Hey James, Is development still ongoing on this application? I really like the look of it and would be keen to test it out if youre still working on it? thanks
I’ve had quite a few people asking for the functionality I’ve been providing but on Windows and Linux too but this wasn’t possible with the native approach I took and didn’t particularly fancy going down the route of a universal platform.
With that in mind I’ve changed direction a little and am working on an equally powerful (actually more so, in ways) online banking experience!
More information will be provided once it’s ready!
Any chance to get the source code of the native macOS version? If you don’t want to work on it I’m sure someone else would like to pursue the adventure.
Unfortunately I don’t plan on doing this, as mentioned throughout this thread and other discussions the whole project started as a challenge to myself as I’d never done macOS development before. I made quite a few mistakes which made it incrementally more difficult in places as I continued, I wouldn’t want to use it as teaching material or even a platform for other people to improve on unless I was to do some major refactoring!
Learned a lot, and have already been putting it to use in a different app (not fintech related)!
A lot of the major complaints I received was “but I don’t own a Mac!?” so I’ve been working on an online version in the background with more powerful capabilities.
To answer your question more directly though, the desktop version isn’t going to be updated - sorry about that!
News will hopefully follow about the other Monzo projects I have in the pipeline
If you are developing a web-based application for Monzo have you thought about using the Electron framework so you can quickly port the web based version to desktops for both mac and windows?
)
)
Thanks again for all the love and support
about the other Monzo projects I have in the pipeline