Pine

Facing a failed launch Pine reached out to us. At first they just wanted to know what state the app they wanted to build was in.

We did a full analysis of the app to see why the app was not working. What we found was unfortunate:

  1. Security Flaws: Stripe secret keys were exposed in the app bundle, meaning hackers could access Pine's stripe payment processing account.
  2. Unstable functionality: The apps relied solely on Firestore documents with triggers, which, when written without strict checks lead to many bugs.
  3. Exploitability: By repeatedly inviting users to join your group order you could deny them from use of the app. This could be done programatically at a large scale.
  4. Unstructured data: Pine is under constant development, meaning that migrations on a firebase firestore document database is highly undesireable.
  5. Hacky builds: To get the react-native based code to run there was deployed various build hacks.

After uncovering these issues, Pine wanted to know what could be done, and what time frame we'd be working with. It was clear that both apps would need significant overhaul. Not just from a security and stability perspective, but ideally also on the usability to really bring forwards his vision.

We went full steam ahead and got to work

We started by re-writing the stripe integration, and by removing and re-rolling private keys from the frontend. To do so, we setup an API server to handle all the requests from the frontend. All payments were verified by stripe sending secure webhook events to our server.

Next we wrote new API endpoints to cover the functionality of the firestore document triggers. This resulted in a way more stable functionality as the schema was defined instead of stuffed into a document DB without much care for the structure.

This however, uncovered a new issue. In firestore they had depended heavily on listening to documents on the frontend. To cover live updates we wrote a websocket based system to send out updates to participants in a group order.

Once we were building on a solid fundament - with defined data structures and an API to do the neccesary operations we startet working on the mobile apps.

One of the core things we figured out is that we could speed up builds and reduce numbers of errors by using more established dependencies. When we had cleaned up the merchant app actually did not need any native dependencies, meaning we could speed up our build process by more than 10x.

Lastly there was a process to integrate the services to make the interaction between the consumers and the merchants work flawlessly.

Interested in building something?