One of our customers wants our mobile app to log out the user after 15 minutes of inactivity because of SeCuRiTy…

Why? The phones protect the apps with their hardware encryption from any malicious access.
And we are not dealing with super sensitive data here like some banking app or so.

Why do some people want to have bad UX for no reason?

You're assuming the phone's hardware does the encryption (some of them do it in software) and the OS has to hold that open regardless for various reasons, so that's inevitably defeated with one small exploit. For things like banking, you should fail secure as much as absolutely possible, even at the cost of UX.

Generally, with security models, you should never *assume* you'll be protected by whatever hardware or OS feature. Plan and implement like you're running on malicious hardware and a malicious OS.

@Parzi why would I assume running on malicious HW or OS? If that would be the case, there is nothing you can do anyway. The security has been breached already.

Let‘s assume that we actually have an app with sensible data like a banking app.
In order for the proposed 15 minutes session timeout to make sense, users would need to open the app, log in, then keep their device unlocked for 15 minutes by actively preventing it from becoming locked automatically, all that while actually not triggering anything in the app that counts as activity so that they are logged out after 15 minutes as requested, then shortly before the 15 minutes run out, let someone else with malicious intents get theirs hands on that device so that they can access your data.

This is a ridiculous use case that will never happen unless the user specifically wants it to happen.

@Lensflare My point was that being over-prepared for security is ideal. Lax security policies are the reason most companies get compromised.

You've also clearly never left your phone on a table etc. with a child or cat nearby. The whole "15 minutes to expiry" thing isn't necessarily about an attacker, either. If a cat jumping on a table is enough to accidentally lose someone a crypto investment or crash their DE, it's certainly enough to cause issues here too.

@Parzi I see that and I care a lot about security. But implementing that session timeout won’t help in neither case. The automatic device lock will protect you from the cat. The session timeout won’t.
Because the device lock will happen before the session timeout. And the action of the cat will trigger something that counts as an activity (if it’s going to do something bad) so the timeout won’t happen and is therefore not effective.

You see, we already have a system that is designed to protect us from a broad amount of cases. And the timeout is just a much weaker, additional layer on top of what already covers that cases. It’s redundant at best and UX destroying at worst.

In some site (not security critical at all) I often have to use I also get logged out after a few minutes
To make it extra annoying they forced 2FA which of course doesn't even work with the common authenticator apps

I think IT IS a bad request. Most phones lock automatically after ~1 minutes anyway. If a user is dumb enough to let it's banking app open for 15 minutes, and set his phone auto screen lock to over 15 minutes, add this feature won't save him either. The bad guy will simply use his phone freely before the 15 minutes mark.

I think it’s redundant but not necessary leads to bad UX. Most users won’t even notice there’s a timeout.

@neriald they will every time that they open the app again

@Lensflare yeah that’s annoying unless it’s some money managing app. Maybe your users will put up with it, toichid faceid etc helps 🤷🏻‍♂️

Has "Zero Trust" gone too far? "Minus One Trust" at this point?

@Khazbs wrong buzzword. It doesn’t apply here.

@Lensflare Well, shit!