Password Recovery System for Mobile App

NOVASOLUTIONS.TECHNOLOGY is engaged in the development, support and maintenance of iOS, Android, PWA mobile applications. We have extensive experience and expertise in publishing mobile applications in popular markets like Google Play, App Store, Amazon, AppGallery and others.
8+Years of work900+Completed projects100+In house employees19+Partners
Development and support of all types of mobile applications:
Information and entertainment mobile applications
News apps, games, reference guides, online catalogs, weather apps, fitness and health apps, travel apps, educational apps, social networks and messengers, quizzes, blogs and podcasts, forums, aggregators
E-commerce mobile applications
Online stores, B2B apps, marketplaces, online exchanges, cashback services, exchanges, dropshipping platforms, loyalty programs, food and goods delivery, payment systems.
Business process management mobile applications
CRM systems, ERP systems, project management, sales team tools, financial management, production management, logistics and delivery management, HR management, data monitoring systems
Electronic services mobile applications
Classified ads platforms, online schools, online cinemas, electronic service platforms, cashback platforms, video hosting, thematic portals, online booking and scheduling platforms, online trading platforms

These are just some of the types of mobile applications we work with, and each of them may have its own specific features and functionality, tailored to the specific needs and goals of the client.

Offered services
Showing 1 of 1 servicesAll 1735 services
Password Recovery System for Mobile App
Medium
from 1 business day to 3 business days
FAQ
Our competencies:
Development stages
Latest works
  • image_mobile-applications_feedme_467_0.webp
    Development of a mobile application for FEEDME
    756
  • image_mobile-applications_xoomer_471_0.webp
    Development of a mobile application for XOOMER
    624
  • image_mobile-applications_rhl_428_0.webp
    Development of a mobile application for RHL
    1052
  • image_mobile-applications_zippy_411_0.webp
    Development of a mobile application for ZIPPY
    947
  • image_mobile-applications_affhome_429_0.webp
    Development of a mobile application for Affhome
    862
  • image_mobile-applications_flavors_409_0.webp
    Development of a mobile application for the FLAVORS company
    445
Show more works

Developing Password Recovery System in Mobile App

Password recovery — one of most vulnerable flows from security perspective. Yet often implemented carelessly: "sent email — not our responsibility next". Reality is mobile side bears responsibility for several critical moments.

Vulnerabilities often missed

User enumeration. Form "Enter email" should not reveal if address registered. Message "If email registered, we'll send letter" — standard practice. Message "No such user" — account info disclosure. Some projects consider this minor — but with GDPR this potentially problematic.

Rate limiting on client. "Resend" button should be disabled for 60–120 seconds after click. Without this user (or script) can spam-bomb someone else's email with recovery letters. Rate limiting needed on server too, but client shouldn't facilitate attack.

Deep link security. Recovery link like myapp://reset-password?token=xyz — must handle correctly. On Android without configured App Links with Digital Asset Links, any app can intercept custom scheme. Use HTTPS Universal Links (iOS) and HTTPS App Links (Android).

Main flow

  1. User enters email → "Recover" button (disabled until valid email).
  2. Request to server → show "Check email" regardless result (no user enumeration).
  3. Email has one-time token link and expires_in (usually 15–60 minutes).
  4. User taps link → app opens via Universal/App Link.
  5. Token from URL → "New password" screen.
  6. User enters password twice (or once with "show" button).
  7. PATCH/POST to server with token + new password.
  8. Success → auto login (get access/refresh tokens) → main screen.

Deep link handling in app

If app not installed — link should open web version (App Clip or just web form). Configured via Associated Domains + apple-app-site-association (iOS) and App Links + assetlinks.json (Android).

In SwiftUI + AppCoordinator:

// SceneDelegate or App with @main
.onOpenURL { url in
    guard let token = url.queryParameters["token"] else { return }
    coordinator.navigate(to: .resetPassword(token: token))
}

Pass token to Reset screen ViewModel, don't keep in URL or nav stack longer needed.

New password screen

SecureField with "show/hide" button — standard. textContentType(.newPassword) on iOS suggests Keychain password generator. Helpful — let user take generated password rather than "qwerty123".

Password strength indicator — colored bar with real-time calculation. Use zxcvbn (has Swift and Kotlin ports) — more honest assessment than "has digit + letter + symbol".

After successful change — invalidate all active sessions (server task, but mobile app should accept new tokens and remove old from Keychain).

SMS-recovery alternative

OTP on phone instead of email link. Pros: don't wait for email, don't depend on spam filters. Cons: SIM swap attack — attacker re-issues number and intercepts OTP. For high-sensitivity apps SMS recovery without extra factor insufficient.

Timeframe

Full password recovery flow (email form, deep link handling, new password screen, auto-login) — 4–7 business days per platform. Setup Universal/App Links + Apple App Site Association if not done yet — plus 1–2 days.