Secure, fast and easier Google Login

Maksim Golivkin
Nov 2, 2015

When we first added Google Plus Login to the Instacart Android app, we saw 40% of users jumping on it to sign in and sign up. Since then we have been on the lookout for opportunities to make this flow better. After getting early access to the new Google Login SDK (as part of 8.30 Play Services) three weeks ago, we revisited the implementation, drastically improving UX and making it even faster than before.

No additional permissions

First of all, the new Google Login SDK doesn’t require the application to get the GET_ACCOUNTS runtime permission from the user, which greatly simplifies the flow on Android M.

Faster and secure login

Early on, we decided that users shouldn’t have to remember how they created their accounts with us (email, Facebook or Google). Using Google or Facebook, we would obtain the user’s email and check it against our database; if an account with that email already exists, we would log the user into the existing account.

When a user logged in with the former SDK, Google would give us some details about the user. However, as communication between the phone and the server is easy to intercept, we wouldn’t trust the Android app to tell us “User logged in with Google” and send us the account name it wants to log in with. Thus, we only sent the access token to the backend, so that the backend would contact Google servers directly over a secure connection. Unfortunately, with the old API, we needed to obtain a separate user consent for our server to talk to Google servers.

Using the new API and an “id token”, we were able to create a fast and secure flow. “Id token” is an obscure name for a JSON Web Token carrying user information and signed with Google’s private key. We now obtain the id token from the Google Login SDK, verify the signature on the backend and use the information carried by the token to identify the user. This is a faster flow, since a) no additional consent is required and b) Google changes its keys once a day and in most cases we don’t need to make any additional network requests on the backend.

Thanks to the jwt-ruby library, the backend implementation was really simple. Apparently, id tokens had been supported by the Google SDK for a while, since our iOS developers were able to take advantage of them as soon as they learned about the trick.
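The backend check described above, as an added example that is not Instacart's code: it uses only Ruby's standard OpenSSL and JSON libraries instead of a JWT library so that each verification step is visible. The names `verify_id_token`, `sign_sample_token`, the `keys` map and the `audience` parameter are assumptions, and the sample token is signed with a locally generated key standing in for Google's.

```ruby
require "openssl"
require "json"

GOOGLE_ISSUERS = ["accounts.google.com", "https://accounts.google.com"].freeze
class InvalidIdToken < StandardError; end

# base64url without padding, as JWTs use it; strict decoding raises on junk.
def b64url_decode(str)
  (str + "=" * ((4 - str.length % 4) % 4)).tr("-_", "+/").unpack1("m0")
end

def b64url_encode(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

# Verifies an RS256 id token against cached keys ({kid => RSA public key})
# and returns its claims. `keys` stands in for Google's published signing
# keys, cached on the backend so a login needs no extra network request.
def verify_id_token(token, keys:, audience:, now: Time.now.to_i)
  head_b64, body_b64, sig_b64, extra = token.to_s.split(".", 4)
  raise InvalidIdToken, "malformed token" if sig_b64.nil? || extra
  begin
    header = JSON.parse(b64url_decode(head_b64))
    claims = JSON.parse(b64url_decode(body_b64))
    signature = b64url_decode(sig_b64)
  rescue ArgumentError, JSON::ParserError
    raise InvalidIdToken, "undecodable token"
  end
  raise InvalidIdToken, "not JSON objects" unless header.is_a?(Hash) && claims.is_a?(Hash)
  # Pin the algorithm; never let the token's own header pick "none" or an HMAC.
  raise InvalidIdToken, "unexpected alg" unless header["alg"] == "RS256"
  key = keys.fetch(header["kid"]) { raise InvalidIdToken, "unknown kid" }
  signed_ok = begin
    key.verify(OpenSSL::Digest.new("SHA256"), signature, "#{head_b64}.#{body_b64}")
  rescue OpenSSL::PKey::PKeyError
    false
  end
  raise InvalidIdToken, "bad signature" unless signed_ok
  raise InvalidIdToken, "wrong issuer" unless GOOGLE_ISSUERS.include?(claims["iss"])
  raise InvalidIdToken, "wrong audience" unless claims["aud"] == audience
  raise InvalidIdToken, "expired" unless claims["exp"].is_a?(Integer) && claims["exp"] > now
  claims
end

# Constructed sample input: a token signed with a local key, not Google's.
def sign_sample_token(claims, key, kid, alg: "RS256")
  parts = [{ "alg" => alg, "kid" => kid }, claims].map { |h| b64url_encode(JSON.generate(h)) }
  signed = parts.join(".")
  "#{signed}.#{b64url_encode(key.sign(OpenSSL::Digest.new("SHA256"), signed))}"
end
```

Because the flow above matches accounts by email, a caller would typically also require the token's `email_verified` claim to be true before logging the user into an existing account.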

Reduced boilerplate

Using anything involving Google Play Services usually resulted in boilerplate code intended to manage the connection to the Play Services app at different stages of the Activity/Fragment life-cycle. The new SDK takes care of the life-cycle synchronization and allows you to concentrate on the login process itself.

To conclude, the new Google Login SDK removes a lot of friction and allows for a secure integration with much less effort. As it is the most popular login method for Instacart, we took advantage of it as early as possible and are looking forward to a decreased conversion due to better UX and improved speed of the new flow.
