Bug Report - Android v2.2.1

What’s New:

  • We have made Curve even safer! You can now use biometric authentication (fingerprint & face ID) to log into your app and access certain features instead of entering your passcode.


  • When spending your Curve Reward points, your spend insights will be correctly calculated.
  • General UI and performance improvements.

We appreciate all your help and feedback on bugs so we can deliver the best possible experience. Our product team is actively participating in this topic to incorporate your feedback.

When reporting a bug, please:

  • Check whether it is already reported in the list below
  • A screenshot and short description
  • Details on how we can reproduce it
  • Which OS, device and app version you have

I just went BiT on a transaction.
Completed successfully.
Then noted transaction still showing on initial card. Nothing showing on new card selected.
Pulled down to refresh (and note ‘spinner’ is black rather than white when doing this so difficult to see - same issue as ‘?’ below) - no change to card activity.
Then exited and re-entered app - now showing on correct card.

NB also noted that the ‘?’ after “You saved XX in FX fees” is black on dark blue background - should be white as per other text.

It’s not really safer given that you can still fall back to passcode if your fingerprint doesn’t work.

It is more convenient though :+1:

Although I never used to get asked for my passcode at all when going into the app, now I have to use my fingerprint every time! Not necessarily a bad thing but certainly quite a change for me from previously.

1 Like

This is the case with all forms of fingerprint authentication that I have used across my personal devices. If your fingerprint was not to work what would you prefer to see happen, from a security perspective, instead of being asked to enter the passcode?

1 Like

Yep, and I think this gives the best mix of security and convenience. All I’m saying is that the statement that this makes it more secure is incorrect. Any system is only as secure as its least secure access mechanism, so in this case it’s just as secure as only having a passcode.*

This may not seem like a big deal, but with security, how you communicate about it is as important as the system itself, as most failures of security are due to users. For example, I could imagine someone reading these release notes and thinking they can make their passcode 0000 since their fingerprint apparently makes it safer anyway.

There’s nothing wrong with how the feature is implemented, but it’s a gain only in convenience, and should be communicated as such.

*If anything it’s slightly less secure as it introduces an extra potential attack vector.

One of the most popular feature requests that we have received from Android customers is to make fingerprint ID available for the app (as well as passcode), as they were rightly concerned about security when signing in. We understood this to be a problem and we were happy that this was added to this update.

We can’t speculate on individual customer behaviour as each one of us is different. It is each customer’s responsibility to ensure that they keep their details safe, using the options provided. I will of course pass your feedback onto our respective development teams.

1 Like

Just to be clear, there is absolutely no issue with the implementation. It follows best practices of many financial apps, and the security of the app is fine. Personally, I’m very glad it’s been added. The fingerprint/passcode login in the app is great - no need to feed anything back to the development teams as they have done a great job with it.

The only issue is with the release notes - saying that adding fingerprint to passcode makes the app safer. Adding passcode made it safer, adding fingerprint on top of that (with a fallback to passcode) did not make it safer, but made it more convenient. The feedback should go to the copywriters, not the developers :slight_smile:

Thanks for your patience and willingness to engage :+1:


But the Android app previously didn’t ask for ANYTHING to enter the app - no passcode, no fingerprint. So surely this does represent a step up? Agree with your general point re relative security of these options but am not sure I’d take as much issue with the phraseology picked :wink:


New version available: Bug Report - Android v2.2.2