An indie project for early 2010s internet addicts

͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­͏     ­

	The 2FA app that tells you when you get `314159` An indie project for early 2010s internet addicts Jacob Bartlett Mar 13 To celebrate Pi Day weekend, I’m offering a 31.4159% discount for a year on my monthly and annual plans! Get 31.4159% off for a year This was a pretty fun project: not only did I manage to tickle the part of my geek brain which loves spotting patterns; I got to handle some nifty processing, threading, and optimisation problems! Like all recovered edgelords who came of age in the early 2010s, I somewhat miss the heyday of image-boards like 4chan. They were the final bastion of the wild-west early internet before the nazis ruined everything. One of the classic memes was GET, where you’d take intense pride in correctly anticipating your randomly-generated post ID containing an interesting sequence of numbers. Check ‘em These days, now that all the normies have grown up and found jobs, the closest we get to the magic of yesteryear is multi-factor authentication codes. If you know, you know. The drudgery of having to re-authenticate with your bank, your email, or your cloud services. The little glimmer of joy when you get a really nice number like 787000 or 123450. Inspiration hit. These MFA codes use a common algorithm which refreshes every 30 seconds. We’re only exposed to a tiny sliver of the dubs, trips, quads, quints, and sextuples possible in our 6-digit authentication codes. As with all my indie projects, I had a singular clear vision around which I can build: What if your 2FA app told you every time a cool number came up? I knew what I had to do. If you love apps but hate reading, skip ahead to download Check ’em: The Based 2FA App today! The Proof of Concept I don’t need many moving parts to find out whether this works. Enter 2FA secret keys. Generate 6-digit 2FA codes locally. Send push notifications when quads/quints/sexts are generated. The Minimum Viable Product If the concept — getting notifications when cool 2FA numbers appear — holds up, then I could turn this into a real app with a few key features: Capture 2FA secrets with the camera. Store multiple 2FA codes Implement more numerical patterns. Let users choose which patterns they want to know about. I knew I was onto something: 90% of the people I explained this to thought I was a moron. The other 10% saw only sheer brilliance. That’s me: moron to some; genius to others. Building the Proof of Concept TOTP TOTP, or time-based one-time password, is a surprisingly simple concept. It’s an authentication process which uses two inputs: A secret key, stored on both the authentication service and your own device. The current time, or, more specifically, the number of 30-second intervals which have elapsed since unix time. An algorithm deterministically hashes these two inputs to create the 6-digit codes you know and love. This hashing algorithm is pretty cookie-cutter, found in Apple’s CryptoKit. Thanks to our friends at the Apple forums, here’s the full TOTP algorithm in all its glory: // CodeGenerator.swift private let secret = Data(base64Encoded: "AAAAAAAAAAAAAAAAAAAAAAAAAAA")! func otpCode(date: Date = Date()) -> String { let digits = 6 let period = TimeInterval(30) let counter = UInt64(date.timeIntervalSince1970 / period) let counterBytes = (0..<8).reversed().map { UInt8(counter >> (8 * $0) & 0xff) } let hash = HMAC<Insecure.SHA1>.authenticationCode(for: counterBytes, using: SymmetricKey(data: secret)) let offset = Int(hash.suffix(1)[0] & 0x0f) let hash32 = hash .dropFirst(offset) .prefix(4) .reduce(0, { ($0 << 8) | UInt32($1) }) let hash31 = hash32 & 0x7FFF_FFFF let pad = String(repeating: "0", count: digits) return String((pad + String(hash31)).suffix(digits)) } To make sure this worked right; I set up 2FA on my Google account, and displayed the secret in my app using the algorithm. Coincidentally, I got a damn good code with which to confirm my 2fa setup And, like magic (after some annoying base32 to base64 conversion), Google accepted my 2FA! Confirming the 2fa code Now that we’ve got the bare bones of our 2FA working, we can implement the final piece of the proof of concept puzzle: generating notifications. App Limitations Our key limitation lies in our mobile device. We can’t actually keep a background process such as 2FA generation running forever, and certainly can’t store user secrets on a backend push server. Therefore, to make this concept work, we have to be a sneaky: precompute 2FA codes into the future, and schedule delivery for the time at which they appear in real life. Additionally, we can only schedule 64 pushes on iOS at any time, so we should: Save a notification or two asking users to re-enter the app. Incentivise users to open the app via tapping the notifications, toggling a re-computation of the 2FA codes. Now we know how our POC will work, let’s get building. Finding our First GETs Let’s jazz up our lowly 2FA code. We plan to pre-compute many codes, then implement some kind of regex to detect whether each code is a GET — worthy of checking ‘em. My super-simple SwiftUI view can display these codes handily, using a UICollectionView-backed List to ensure decent performance (the vanilla VStack in a ScrollView would begin creaking far before 10,000 items!). // ContentView.swift struct ContentView: View { var body: some View { List { ForEach(makeOTPs(), id: \.self) { Text($0) .fontDesign(.monospaced) .font(.title) .kerning(4) } .frame(maxWidth: .infinity) } } func makeOTPs() -> [String] { (0..<10_000).map { otpCode(increment: $0) } } } Looking good so far. Initial list of 2FA codes Now, we can add a simple regex-based evaluator to check for trips — that is, a TOTP containing a sequence of three matching digits such as 120333. extension String { func checkThoseTrips() -> Bool { (try? /(\d)\1\1/.firstMatch(in: self)) != nil } } We add a fontWeight modifier to our Text views to easily detect these GETs when we’re scrolling. Text($0) .fontWeight($0.checkThoseTrips() ? .heavy : .light) Et viola! Check those trips! Check those trips! We can even make a basic modification to the our regex to detect the hallowed quads — I’ll leave this as an exercise to the reader. Check those quads! A Pointless but Interesting Observation Our careless ForEach implementation causes a warning: ForEach<Array<String>, String, Text>: the ID 312678 occurs multiple times within the collection, this will give undefined results! We actually get dozens of this warning! Using the code string as a view identity is a bad idea here Since we generated 10,000 OTPs, it’s extremely likely that several match — this is the same as the birthday problem, where the number of pairs of possible matches is well over a million. Producing Rare GETs Let’s start calculating some interesting codes. The key here is precomputing to look ahead into the future: TOTP is a deterministic hash of the secret and date inputs. Therefore, we can feed a long sequence of dates in the future to determine which OTP code you see at what time. Let’s adjust to our OTP generation to return both the code and date: // TOTP.swift struct OTP { let date: Date let code: String } func otpCode(date: Date = Date(), increment: Int = 0) -> OTP { let digits = 6 let period = TimeInterval(30) let adjustedDate = date.addingTimeInterval(period * Double(increment)) let counter = UInt64(adjustedDate.timeIntervalSince1970 / period) let counterBytes = (0..<8).reversed().map { UInt8(counter >> (8 * $0) & 0xff) } let hash = HMAC<Insecure.SHA1>.authenticationCode(for: counterBytes, using: SymmetricKey(data: secret)) let offset = Int(hash.suffix(1)[0] & 0x0f) let hash32 = hash .dropFirst(offset) .prefix(4) .reduce(0, { ($0 << 8) | UInt32($1) }) let hash31 = hash32 & 0x7FFF_FFFF let pad = String(repeating: "0", count: digits) let code = String((pad + String(hash31)).suffix(digits)) return OTP(date: adjustedDate, code: code) } To test this, let’s generate a ton of these codes, and search for the full-house of GETs: quints. func interestingCodes() -> [OTP] { (0..<1_000_000) .map { otpCode(increment: $0) } .filter { $0.code.checkThoseQuints() } } After some number crunching while my M1 runs the hashing function — about 30 seconds of it — we arrive at some seriously checkable GETs. It’s… it’s beautiful. Check ’em. Scheduling our Notifications Fun as it is to see great numbers, the app concept is no better than a random-number generating machine if you can’t really use the GETs in real life for your real authentication. Now that we know when the interesting numbers are arriving, we want to queue up a push notification so we catch the number live: // NotificationScheduler.swift private func createNotification(for otp: OTP) { let center = UNUserNotificationCenter.current() let content = UNMutableNotificationContent() content.title = "Quads GET!!" content.body = otp.code content.sound = UNNotificationSound.default let components = Calendar.current.dateComponents([.year, .month, .day, .hour, .minute, .second], from: otp.date) let trigger = UNCalendarNotificationTrigger(dateMatching: components, repeats: false) let request = UNNotificationRequest(identifier: UUID().uuidString, content: content, trigger: trigger) center.add(request) { (error) in // ... } } These are scheduled right after generating the interestingCodes we use in our view. A short while later, I got 2 wonderful push notifications at once! I still tell my wife every single time I get a subscriber This became more exciting when I confirmed this notification corresponded with the number appearing in reality! Finding quads in the 2FA app itself This app has now been elevated beyond a random number generator: this code really works for signing into my Google account. Interestingness To determine different types of interesting number, we need to introduce the concept of interestingness. This could include, non-exhaustively, a few potential kinds of number sequence: Repeated numbers Consecutive digits Other mathematically interesting numbers (e.g. pi or e) Palindromes These types of interesting number can be enumerated as… well, as an enum case, optionally created for each OTP we generate. // Interestingness.swift enum Interestingness { case sexts case quints case quads init?(code: String) { if code.checkThoseSexts() { self = .sexts // ... var title: String { switch self { case .sexts: return "Sextuples GET!!!" // ... func body(code: String) -> String { switch self { case .sexts: return "Check those sexts: \(code)" // ... Each checkThose method we use wraps a different regex, and we run them in order of what we care about most — for instance, sextuples is 100x rarer than quads. A long-overdue refactor later and we’ve created our proof-of-concept. Let’s recap: The app allows me to enter a (hardcoded) 2FA secret key. The app generates a 6-digit 2FA code locally, every 30 seconds. The app schedules push notifications that show up when quads, quints, and sexts are generated. I’m going to take a break to play with the app for a few days. I suspect I might have the basis for a cool app on my hands. Building the Minimal Viable Product I’ve been using the app, the bare-bones POC containing the kernel of my idea, for a few days now. And I LOVE it. I can’t wait until the first time I get sextuples. Now’s the time to add some meat on the bones and build a fully-fledged 2FA app around the concept. As I laid out before, this really only requires 4 major new features: Scanning 2FA QR codes and store them securely on the keychain. Displaying and managing multiple 2FA accounts in the UI. Letting users set the numbers they care about. Implementing more kinds of interestingness. Lastly, a non-functional requirement: I’ll need to do some work optimising the very slow code generation — maybe using batching or local persistence. Human Interface Guidelines I have no intention of doing anything fancy with the design — the standard apple List view components will take me far, conforming to the HIG out of the box. Let’s keep our UX nice and simple: I know the functionality primarily lives in the push notifications; and it’s pretty perfect. That means hiding the QR scanner and settings behind toolbar buttons that display modal flows. The basic List UI for my MVP Scanning 2FA Secrets A couple of open-source libraries will save me a ton of time on cookie-cutter tasks. CodeScanner to supply simple SwiftUI QR code scanning, and KeychainAccess to easily store these 2FA account secrets in the keychain. This scanner library uses camera access to turn QR codes into easily-parseable URLs like this: otpauth://totp/Google%3Atest%40gmail.com?secret=bv7exx7sltbcqffec1qyxscueydwsu5h&issuer=Google Now, we can easily get our accounts into the app! Check ’em: now with a QR scanner! Picking the Numbers You Like Using SwiftUI @AppStorage, alongside a List and some Toggles, we can easily build a user settings screen. Initial settings screen I used a closure in onDisappear to tell the parent view to begin number crunching again and re-schedule the notifications. This was the simplest way I to batch everything up, rather than running expensive computation each time a toggle changed. // CodeView.swift var body: some View { // ... .sheet(isPresented: $showSettings) { SettingsView(onDisappear: { viewModel.recomputeNotifications() }) } } Belated Customer Research Look, I’m an indie dev, I’m allowed to do this halfway through the build process! I decided to download a few other 2FA apps to see if there were any ideas I could copy. Frankly, I expected a pretty crowded and competitive app market, but some of these were truly terrible. The 2FA app space: mostly astonishingly bad Seriously, more than 50% of them threw up an extremely aggressive paywall before you could use them… when there are perfectly good free options. Does nobody make apps for fun anymore? Despite this paywall menagerie, I did manage to note down a few good ideas to borrow. My list of ideas to copy Multiple 2FA Accounts This is, of course, pretty critical for anyone that has more than one account. More accounts also means more opportunities for rare GETs! Updating my keychain code, now we can scan multiple QR codes, persisted our account data (including the secret), and they worked perfectly for logging me into my various accounts! I also implemented the proper built-in List functionality, so we can swipe-to-delete codes we don’t need anymore. While doing my competitor analysis, I discovered that the Google Authenticator kept all my 2FA codes from years ago, which I’d added on my previous iPhone! I realised then I was making two mistakes with my data layer. Not synching with iCloud Trying to persist Accounts outside the keychain Firstly, synchronising our keychain to iCloud means accounts appear on all your other Apple devices. This is a piece of cake with the Keychain Access library: // KeychainManager.swift self.keychain = Keychain().synchronizable(true) Secondly, I was suffering from shiny-object syndrome: in my haste to use SwiftData as a persistence layer, I was only using the Keychain for the secrets, and persisting the rest of the Account metadata through the new framework. This meant I couldn’t get my accounts on any other device — the secret on its own is useless! Therefore, I realised I had to place the whole Account on the keychain. My new approach keeps the QR code URL on the keychain in its entirety. Now, the Account object itself is ephemeral; re-computed from the URL every time the app loads. This means the Accounts can appear on any iDevice you’re signed in to! This ephemeral approach neatly kills two birds with one stone. Now we use the Accounts from the keychain when we need to fetch them at load: // AccountManager.swift func fetchAccounts() throws -> [Account] { try KeychainManager.shared.fetchAll() .compactMap { createAccount(from: $0) } } private func createAccount(from urlString: String) -> Account? { guard let url = URL(string: urlString), let account = SecretURLParser.shared.account2FA(from: url) else { return nil } return account } My code is a little bit spaghetti, but the final app was about 1,500 LoC in total — I’ll rebuild it using a proper DI framework when I want to write an article about DI. If you’re a junior engineer, please don’t try this at home! I did a lot of generic coding work to improve the UI and refactor the code nicely, but there were also a few gems in my development process that were pretty interesting. Finding Account Icons This is very much a nice to have, but the best open-source app did the same, so I felt I had to at least be as good as that. Fortunately, there is a little-known Google API which crawls the web for FavIcons on websites and allows you to download them at several resolutions. How do I work out the website? I found pretty good results by simply using the issuer property on the QR code and trying the .com. struct FavIcon { let url: URL init(issuer: String) { let domain = "\(issuer).com" let url = URL(string: "https://www.google.com/s2/favicons?sz=128&domain=\(domain)")! self.url = url } } Here I used the CachedAsyncImage library to get blazingly-fast loading performance on the icons. Images for each 2FA account I also added a Metal shader to handle background removal, and make the icon pop a little more. Here’s the SwiftUI View extension: // View+ColorEffect.swift import SwiftUI extension View { func eraseBackground(backgroundColor: Color = Color(uiColor: UIColor.secondarySystemBackground)) -> some View { modifier(EraseBackgroundShader(backgroundColor: backgroundColor)) } } struct EraseBackgroundShader: ViewModifier { let backgroundColor: Color func body(content: Content) -> some View { content .colorEffect(ShaderLibrary.eraseBackground( .color(backgroundColor) )) } } And of course the MSL shader code: #include <metal_stdlib> #include <SwiftUI/SwiftUI_Metal.h> using namespace metal; [[ stitchable ]] half4 eraseBackground( float2 position, half4 color, half4 backgroundColor ) { if (color.r >= 0.95 && color.g >= 0.95 && color.b >= 0.95) { return backgroundColor; } return color; } Here’s how they look. They’re not bad, but not amazing. Metal shaders to remove the white backgrounds on the icons I’ve started over-engineering. Let’s stick a pin in this and see how we feel later. Polishing the UI It’s working pretty well now as a basic 2fa app in its own right. Who would have thought that to be ahead of most of the pack, I just had to not have an extremely aggressive paywall ($4.99 per week? Seriously?!) After some boilerplate software development work on the timings, the basic UI, and the data storage, it’s really working quite nicely now — sticking to the basic SwiftUI components is a brilliant way to ensure stuff “just works”*. *and helps make everything accessible! I also implemented some nice QoL features I found through my competitor research such as tap-to-copy. I utilised accessibility tools like @ScaledMetric and ViewThatFits to ensure the app works great regardless of your visual needs. I even get light mode for free out of the box by sticking closely to Apple’s basic SwiftUI components and colours. // AccountView.swift @ScaledMetric(relativeTo: .largeTitle) private var iconSize: CGFloat = 36 private var icon: some View { CachedAsyncImage(url: FavIcon(issuer: account.issuer).url, content: { $0 .resizable() .aspectRatio(contentMode: .fit) }, placeholder: { Text(String(account.issuer.first?.uppercased() ?? account.name.first?.uppercased() ?? "")) .font(.largeTitle) .monospaced() }) .frame(width: iconSize, height: iconSize, alignment: .center) } private var code: some View { ViewThatFits { HStack(alignment: .center, spacing: 16) { codeText } VStack(alignment: .leading, spacing: 4) { codeText } } } Check ’em at the largest accessibility font size Making the App More Interesting(ness) To improve the true core value proposition, I implemented a lot more options for interestingness: Sexts, quints, and quads like 000000 Counting sequences like 012345 Hundred-thousands like 300000 Units like 000001 and tens like 000010 Maths constants like pi (314159) Physics constants like Planck’s constant, 661034 (6.6x10⁻³⁴) Palindromes like 012210 Repeated twos and threes like 121212 and 123123 Some of these were fun little leet-code puzzles to implement, some were annoying regexes, while some were very straightforward. func checkThatCounting() -> Bool { let characters = Array(self) for i in 1..<characters.count { if let prevDigit = Int(String(characters[i - 1])), let currentDigit = Int(String(characters[i])), currentDigit != prevDigit + 1 { return false } } return true } func checkThatPalindrome() -> Bool { self == String(self.reversed()) } func checkThoseRepeatedThrees() -> Bool { self.prefix(3) == self.suffix(3) } func checkThoseHunderedThousands() -> Bool { suffix(5) == "00000" } Probability Theory Now I’ve updated the Settings UI so that you can sort by either rarity (common, rare, and ultra-rare), or by type (such as repetitions, constants, sequences, or round numbers). Toggle on the Settings menu How do I calculate the probabilities of each rarity level? For perfect counting sequences like 012345, there are only 6 possible sequences (up to 567890) out of one million possible number combinations. 30 seconds times 1 million combinations, divided by 6 possible sequences, means for each account you might only expect a perfect counting sequence to occur on average every 5 million seconds — that is, every 58 days on average. This is pretty ultra rare. However, palindromes such as 123321, have 1000 possible 3-sequence numbers that make them up. This means you could see them every 0.34 days on average! Much more common. In the middle, something like repeated twos (e.g. 141414) have 100 possible numbers (00 to 99), so they happen every 3.5 days on average. So, pretty rare, but not ultra-rare. Some of these sequences, like quads, are a little tougher to number crunch, so it was simpler to generate tens of millions of OTPs and counting the incidence of each kind of interestingness, to get a feel for their relative frequency. Improving Performance The app can process 64 interesting 2FA codes quite quickly, but only when I have all the common Interestingnessenabled. When I only want ultra-rare GETs, the processing takes a long time. I need to invoke chunking — while crunching through millions of potential OTPs, returning and scheduling a notification as soon as a valid interesting code is discovered. My old friend the Combine framework gives us a neat solution! // CodeGenerator.swift var codeSubject = PassthroughSubject<OTP, Never>() func generateCodes(accounts: [Account]) { // ... codeSubject.send(otp) } I also used some Tasks so that we can cancel and re-start computation in case, for instance, a user changes their settings mid-processing. Detaching the tasks ensures the heavy processing for our crypto and string analysis operations keeps off the UI thread. // CodeViewModel.swift private var otpComputationTask: Task<Void, Never>? private var notificationSchedulingTask: Task<Void, Never>? func recomputeNotifications() { handleNotificationScheduling() handleOTPComputation() } private func handleNotificationScheduling() { notificationSchedulingTask?.cancel() notificationSchedulingTask = Task.detached(priority: .high) { guard await NotificationScheduler.shared.isAuthorized() else { return } NotificationScheduler.shared.cancelNotifications() for await (code, count) in CodeGenerator.shared.codeSubject.values { try? await NotificationScheduler.shared.scheduleNotification(for: code) } } } private func handleOTPComputation() { let accounts = accounts otpComputationTask?.cancel() otpComputationTask = Task.detached(priority: .high) { guard await NotificationScheduler.shared.isAuthorized() else { return } CodeGenerator.shared.generateCodes(accounts: accounts) } } Now the scheduling works pretty smoothly, coming out in sequence instead of a single large chunk! Scheduled repeatedTwos: 292929 @ 2024-02-25 23:33:30 +0000 Scheduled repeatedTwos: 878787 @ 2024-02-26 06:03:30 +0000 Scheduled quints: 666660 @ 2024-02-26 10:54:00 +0000 Scheduled quints: 255555 @ 2024-02-26 21:11:00 +0000 Scheduled repeatedTwos: 606060 @ 2024-02-26 23:27:00 +0000 Scheduled sexts: 666666 @ 2024-04-16 23:22:00 +0000 Scheduled boltzmannConstant: 141023 @ 2024-04-19 02:05:00 +0000 Scheduled counting: 012345 @ 2024-04-20 04:51:30 +0000 Scheduled planksConstant: 661034 @ 2024-04-20 05:38:00 +0000 The App Icon This was the one that got away killed me. I’m desperate to use the real check ’em meme for the app icon. It’s simply perfect. “Check ‘em!” However, my good friend pointed out that our friends over at Lionsgate films might be feeling a little litigious. But I had to have it! Perhaps there is hope after all: Lionsgate’s licensing page Unlike you, I have faith in the American copyright system. Partially completed form for requesting permission to use a still from a movie Now we play the waiting game. 16 days later… Crickets. I’ve lost all faith in the American copyright system. Goddammit, Bob Iger, whatever happened to fair use?! This is the best I could get from DALL-E 3. It has the wrong number of fingers, and it’s the wrong side of the hand, but after trying to prompt-engineer something better for several hours I am resigned to it. Check ’em: the logo DALL-E really didn’t like drawing the back of a hand. I tried. Final Touches The concept was proven. The app works well! Time for some polish and pet features before we show the world the joy of Check ‘em. I created a list of TODOs — new features and bug-fixes — that I could implement in my V1 before I made my first release. // High priority - // TODO: - Add ordering as a query item to the stored URL in the keychain // TODO: - Haptic buzz on refresh // TODO: - Only request push notifications when they have entered the Settings Screen // TODO: - Add settings link to enable notifications // TODO: - Bug - Ignore scanned duplicates in the view model accounts - don't append scans to accounts if it's already there // TODO: - Cancel processing tasks when opening Settings view // TODO: - Push notification deep links to an app review prompt, when the GET is still present // TODO: - Ultra-rare GETs not being sent?? Can't make them happen locally in simulator, but quints are fine - they appear to be queued // TODO: - Bug - Progress view doesn't appear on the second load // TODO: - Bug - Ignore scanned duplicates in the view model accounts - don't append scans to accounts if it's already there // TODO: - Bug - There's a bug where the percentage fluctuates up and down when there are 2 concurrent calculations // TODO: - Add TipKit to QR and Settings // Low priority - // TODO: - Use @SceneStorage for state restoration; so we aren't waiting ages for the keychain operations // TODO: - Look back/forwards one code // TODO: - Create a "collection" screen using deep links - collecting the seen GETs as stored items (with a dictionary on the keychain) Naturally, since I don’t have a product manager in sight, I immediately began work on the lowest-priority task: building out a collection with deep links — I don’t want my rare GETs to go to waste! Collections This piece actually helps with a problem we identified original proof of concept: we need to incentivise users to re-enter the app by making users interact with the notifications. Creating a collect-a-thon is a little tricky, because there are a few moving parts: Allow users to tap on notifications and deep link into the app. Securely store the interestingness of the code they tapped. Render these into a collection screen. Adding a deep link to the notification was fairly simple. // Notifications.swift // ... content.userInfo = ["deepLink": "checkem://\(otp.code)"] But, a little annoyingly, I had to create an AppDelegate to handle the notifications — SwiftUI doesn’t quite handle these well on its own yet. // AppDelegate.swift func userNotificationCenter(_ center: UNUserNotificationCenter, didReceive response: UNNotificationResponse, withCompletionHandler completionHandler: @escaping () -> Void) { let userInfo = response.notification.request.content.userInfo if let deepLinkString = userInfo["deepLink"] as? String, let deepLinkURL = URL(string: deepLinkString) { guard let code = deepLinkURL.code else { return } try? CollectionManager.shared.save(code: code) } completionHandler() } Finally, I lazily added a long, comma-separated list of stored codes in the Keychain. // KeychainManager.swift func storeCollectionItem(code: String) throws { var collection = try keychain.get(Constants.collectionKey) ?? "" if !collection.isEmpty { collection.append(",") } collection.append(code) try keychain.set(collection, key: Constants.collectionKey) } This was more a product of a desire to release fast rather than a well-thought-out engineering decision, one I will come to regret if my power-users approach the soft limit of 4kB per Keychain item (the hard limit is more like 16MB, so I should be okay!). This work paid off rapidly though, as the collection screen quickly started filling up with my rare GETs! Collection menu containing all your rare GETs I originally hid the collection until a user had tapped a notification, but I realised it was far more compelling to entice a user to collecting ’em all by showing them the menu option. Haptics The iOS 17 sensoryFeedback API gives us some extremely subtle haptics to play with, so subtle in fact that I didn’t like them. So I ripped out the Haptic Engine from Carbn and reused it here. I simply added a truly atrocious side effect to my existing refresh code: // CodeView.swift .onReceive(timer) { _ in let didChange = viewModel.refresh() if didChange { HapticEngine.shared.play(haptic: .refresh) } } Don’t try this at home, kids! Image loading bug There’s a bug where the CachedAsyncImage library is eagerly loading the non-existent FavIcons, yielding a blurry globe… But I think I will release with this. It works pretty much 90% of the time, and I’d rather ship than replace one of my pet third-party SwiftUI libraries. FavIcon not found for steam.com The Duplication Bug The Duplication Bug Some of the other bugs, I was a little more attentive to before shipping — this one in particular was pretty bad, since someone might scan a QR code twice and get a weird duplicate of the same account. // TODO: - Bug - Ignore scanned duplicates in the view model accounts - don't append scans to accounts if it's already there Far from ripping out and replacing a time-saving library, this bug had a single-line-of-code fix. // CodeViewModel.swift func create(account: Account, url: URL) throws { guard !accounts.contains(where: { $0.name == account.name }) else { return } // ... } Since the Keychain is keying 2FA accounts based on the name, this fix is pretty sensible. Codes Not Loading I found another issue with codes not being queued. // TODO: - Ultra-rare GETs not being sent?? Can't make them happen locally in simulator, but quints are fine - they appear to be queued It turns out, I misunderstood how @AppStorage actually behaves — the default only applied to the UI, as opposed to actually storing something in user defaults. // SettingsView.swift @AppStorage("sexts") private var sexts: Bool = true A function to populate UserDefaults on the first app load solved this. // CheckEmApp.swift @main struct CheckEmApp: App { init() { initializeDefaultsIfRequired() } // ... func initializeDefaultsIfRequired() { guard UserDefaults.standard.object(forKey: "sexts") == nil else { return } CodeGenerator.shared.initializeDefaults() } TipKit One little bit of improvement used the new iOS 17 TipKit to give a user a bit of an idea of what to do when they first load into the app. Tips displayed on first launch This was surprisingly simple to implement with the new API. // CodeView.swift @ViewBuilder private var tips: some View { TipView(QRTip()).tipImageSize(CGSize(width: tipImageSize, height: tipImageSize)) TipView(SettingsTip()).tipImageSize(CGSize(width: tipImageSize, height: tipImageSize)) TipView(CollectionTip()).tipImageSize(CGSize(width: tipImageSize, height: tipImageSize)) } The Store Listing I think we’re ready to ship. App store listing Setting up our store listing via AppScreens, the coup de grâce second screenshot shows the true power of Check ’em (featuring my cats). Check ‘em Seriously? Sorry France, I don’t have the energy to fill in a form at 11pm at night 🤷‍♂️ Look, I’m not the most libertarian person in the world, but I don’t want to jump through several extra hoops to increase my target market by 1%. Do better! (Sorry to all my French readers) In short order, we’re set up on App Store Connect and ready to press the button! Download Check ’em: The Based 2FA App today! Thanks for reading along with my journey! This was a pretty fun project: not only did I manage to tickle the part of my geek brain which loves spotting patterns; I got to handle some nifty processing, threading, and optimisation problems! My next step is focusing fully on performance for the v1.1 release, so it loads up crunches the OTPs even faster than normal! If you love this app, please give your suggestions on numbers you’d like to see! Finally, if anyone is keen to see an Android version, I’m more than happy to share my source code let you to run with it. Upgrade to paid To celebrate Pi Day weekend, I’m offering a 31.4159% discount for a year on my monthly and annual plans! Get 31.4159% off for a year High Performance Swift Apps I’m sharing the sequel, right here. Two weeks ago, I released Check ‘em: The Based 2FA App. The concept was pure: a two-factor authentication app which sends you a notification whenever a really great number shows up. Tap the notification to permanently add it to your collection. The kind people of Reddit enjoyed my write-up — from idea, to proof-of-concept, to release — enough to propel me to #3 on r/programming. Mankind is finally recognising my genius Check ‘em calculates millions of 2FA codes into the future, processes each number to determine if it’s interesting, and schedules the interesting codes as push notifications — GETs. v1.0 works pretty well, but today I’m going to focus on performance. My app performance evaluation process has three steps: Test on a real device to identify user-facing problems. Profile the app using Instruments to identify bottlenecks. Implement code improvements using 1) and 2) as our guide. This find-problems-first approach avoids bike-shedding, keeping the focus on the real bottlenecks. “Any improvements made anywhere besides the bottleneck are an illusion. Astonishing, but true! Any improvement made after the bottleneck is useless, because it will always remain starved, waiting for work from the bottleneck. And any improvements made before the bottleneck merely results in more inventory piling up at the bottleneck.” This approach helps me avoid wasting time on general code improvements that don’t move the needle for our users (so the singletons are here to stay — sorry not sorry). Testing On-Device Device Processing speed The big, glaring performance problem is exactly where you’d expect: processing your numbers while computing 2FA codes. This processing runs every time you enter the app, make a change to your 2FA accounts, or update your choice of GETs. TOTP calculation itself is a non-trivial function, involving byte manipulation, string creation, and cryptographic operations. These codes are then checked for several kinds of interestingness, before scheduling push notifications for the most interesting codes. This processing is pretty fast when a user has common GETs enabled, such as quads (e.g.004444), or palindromes (e.g. 123321). Check ’em runs until it has scheduled 64 notifications (the limit on iOS), so it doesn’t need to calculate far into the future when there are several codes found per day. If a user only wants to see rare GETs, such as quints (e.g. 055555) or near-counting sequences (e.g. 012340) the total processing time can exceed 10 seconds. Processing time for rare and ultra-rare GETs Rarity increases exponentially with each tier. With only ultra-rare GETs enabled, such as sexts (e.g. 666666) or counting sequences (e.g. 012345), my screamingly powerful A17 chip takes take over a minute. This increases even more if you only choose one or two ultra-rare options. As expected, this is by far the biggest performance bottleneck. Time-to-first code Since the app is pretty simple, just 1500 lines of Swift, the surface area of potential performance problems is pretty constrained. A less offensive issue rears its head each time you launch the app fresh — while the launch itself is lightning-fast, it takes a little while for the first 2FA codes to appear. It takes about a second for  — — — to turn into a useable 123456 Since a user would, ideally, be using this app for 2FA codes in their day-to-day, having useful codes snap into existence instantly would improve the user experience for the functional use case of this app. Profiling with Instruments Now we’ve identified the two key user-facing performance issues, we can perform a detailed analysis with Xcode Instruments. This profiling will allow us to detect the exact function calls which bottleneck our code. Setting up Instruments If you’re new to performance profiling, Instruments is a separate app which can be opened from the Xcode Developer Tools menu. Instruments in the Xcode menu bar Our bread-and-butter Instrument is the Time Profiler, which monitors CPU cores. It samples these cores 1000 times per second, recording the stack traces of the executing functions. The resulting report shows which parts of your code are hogging compute resources. The Time Profiler is our bread-and-butter Instrument Now we’re all set up, we can start our investigation. Processing speed Opening up our app, and monitoring the notification re-computation, we see some kind of async process taking up nearly 20 seconds as Check ‘em searches for interesting codes. A messy set of call stacks in the initial report To make this easier to comprehend, there are 3 settings we can toggle from the Call Tree menu: Separate by Thread splits the recorded processes up by thread rather than grouping all the same function calls together. This means if you have processes running in parallel, you see their time profiles separately. Invert Call Tree reverses the measured backtrace. This means instead of displaying the low-level iOS system calls which run on the CPU, we can see our own functions at the top of the call stack. Hide System Libraries cleans the report up by removing system library processes, making your own code easy to spot. Now, we can easily see all the processing work which is happening on a background thread as we expect. Cleaned up Time Profiler report showing slow processing on a background thread Our TOTP generation uses a non-trivial, but very well-specified algorithm. If I’d invented a way to speed this up, I’d be writing this article on from somewhere hot, on a yacht. What I’m trying to say is, we’re not likely to find a shiny new algorithm to speed up this TOTP generation process. Therefore, we firstly want to improve anything slower than the OTP.init() method. The smoking gun: the regex looking for sextuples We’ve found the smoking gun. The slowest calculation by far is checkThoseSexts(), which wraps a regex that appears to be ridiculously computationally expensive. extension String { func checkThoseSexts() -> Bool { (try? /(\d)\1\1\1\1\1/.firstMatch(in: self)) != nil } } When I also check for quints and quads, which use similar regexes, they also substantially outweigh the TOTP calculations. Since quads are so common, the full processing was terminated in just over a second. We’ve got a pretty clear indication that swapping out the regexes for alternative approaches could approximately double performance. This analysis helped me realise something further: this heavy processing is running serially on a single background thread, with pretty much all the heavy work offloaded to _dispatch_workloop_worker_thread, created by the Swift Runtime from my high-priority detached Task. This means just a single CPU core is responsible for generating TOTPs and checking their interestingness. If we’re clever about it, this process is dying to be parallelised. Time to first code The other user-facing problem is the relatively slow time between opening the app and seeing a useful 2FA code displayed. Since we know exactly what start and end points in our code to look for — app launch up to the first displayed code — we can profile this problem with a blunter tool: print() statements and timestamps. 07:35:54.2640 - App init 07:35:56.0280 - Code displayed The app currently takes a massive 1.764s between initialising the app to seeing a useful 2FA code. Following the code paths from launch to code generation, we get a clearer picture: 07:50:10.5640 App init 07:50:11.1980 On appear 07:50:11.2290 Set accounts 07:50:12.1630 Refresh accounts 07:50:12.1640 Code displayed This shows two relatively long waits: The time between app initialisation and onAppear firing on the main view. The time between setting Accounts in the view model and refreshing them to get TOTP codes. The keychain operation to fetch accounts, and the subsequent code generation step, are actually pretty quick, so don’t substantially impact the total time. Now that we’ve identified the key performance bottlenecks, we finally can start to make some targeted code improvements. Code Improvements Our basic run-through of Check ‘em found two performance issues: Processing millions of TOTPs and checking for interestingness. Slow loading of the initial 2FA codes. Based on our detailed analysis, we identified 3 specific improvements we can make: Replace the regexes used to assess interestingness with more efficient algorithms. Introduce parallelism to the TOTP and interestingness calculations. Make the initial code generation run sooner after launch. Let’s see how much speed we can squeeze out of this app! Efficient algorithms The slow regexes are the first big bottleneck we spotted using Instruments, taking up more than 50% of total processing time. Let’s benchmark our results using only ultra-rare GETs in the computation. Because these are so rare, the CPU needs to crunch 100x as many TOTPs to find these compared to common GETs, so finding 64 interesting GETs takes far longer. The regex looking for sextuples takes up the majority of the time spent processing (by far) We have our time to beat! That’s 47s spent processing on this background thread. Here’s my first alternative to the regex, using a simple string matching approach. func checkThoseSexts() -> Bool { checkRepeatedDigits(count: 6) } // Nicely factored so I can check for quads & quints private func checkRepeatedDigits(count: Int) -> Bool { (0...9).map { String(repeating: String($0), count: count) }.contains(where: { self.contains($0) }) } In one single function change, the sextuple check itself is more than 10x faster, slashing the total computation time down to 21s— more than twice as fast! Such is the power of focusing on bottlenecks. One simple function change cut the total processing time by more than half I’ve written some neat code, but it’s actually pretty inefficient — we’re performing a heap allocation of 10 strings (from 000000 to 999999), followed by an O(n) string matching operation every time we check a single TOTP for sextuples. Therefore this operation is still the second-heaviest in play (after TOTP creation itself). There’s an alternative, gruggier, approach, which might make life even easier — hardcoding a list of numbers. This avoids repeating the expensive string allocations. We can apply the same approach to the heavy operations that look for quads, quints, and counting. // Interestingness.swift func checkThoseSexts() -> Bool { Self.sexts.contains(self) } private static let sexts: Set<String> = [ "000000", "111111", "222222", "333333", "444444", "555555", "666666", "777777", "888888", "999999" ] func checkThatCounting() -> Bool { Self.counting.contains(self) } private static let counting: Set<String> = [ "012345", "123456", "234567", "345678", "456789", "567890" ] We’ve handily eliminated the biggest bottleneck: The checkThoseSexts method has gone from a cumulative time of 27.54s to just 899ms — a 30x increase in speed. A 30x decrease in the processing time for checkThoseSexts() Now, this gives me a bright idea. There are only 1 million possible 6-digit TOTPs. Perhaps, as an upper bound, 1 in 100 are interesting*. *The most common interestingnesses, such as palindromes (like Ten thousand numbers isn’t that big. It wouldn’t take very much processing power to hold them in an efficient data structure such as a dictionary, keep this in memory, and look up interestingness with a single O(1) operation. Additionally, this offloads the computation from users to my trusty M1 MacBook, and saves the environment. But, while this is a bright idea, this isn’t the bottleneck! Therefore, I’m going to regretfully leave it for now. TOTP calculation now takes up the vast majority of processing time. This is an appropriate time to invoke our CPU cores. Parallelism All our computation is currently performed on a single background thread. I’ve been wondering how I might improve this. The natural idea would be to ‘chunk up’ the TOTP calculation, and put each chunk on different threads. But how would we apply this chunking? We can’t necessarily do it by day, by week, or by month, since we might end up running lots of computation that we can’t use — we can only schedule a maximum of 64 notifications at once on iOS. Let’s find an approach which minimises complexity. Let’s use the CPU architecture as a guide: modern iPhone processors contain 6 cores, so let’s aim to use 6 simultaneous chunks. We can use taskGroup to set up these 6 parallel processes. // CodeViewModel.swift otpComputationTask = Task.detached(priority: .high) { await withTaskGroup(of: Void.self) { group in (0..<6).forEach { startingIncrement in group.addTask { CodeGenerator.shared.generateCodes( accounts: accounts, startingIncrement: startingIncrement ) } } } } We can then run these 6 parallel processes to calculate every 6th TOTP code into the future. Each process ends when it has found 1/6th of the total interesting numbers. // CodeGenerator.swift func generateCodes(accounts: [Account], startingIncrement: Int) { var increment = startingIncrement var interestingCodesCount = 0 while Double(interestingCodesCount) < (Double(Constants.localNotificationLimit - 2) / 6).rounded(.up) { // TOTP calculation ... increment += 6 } } This seemed to process faster, however it completely locked up our UI with hangs. The app was near-frozen and unresponsive while it processed our TOTP codes. Using a full 6 threads led to severe hangs when I tried scrolling my UI This is because I am forcing 6 high-priority processes to happen at once, so the main thread has to share rendering cycles with this expensive computation. This would be even worse on many older iPhones that don’t have a full 6 cores available — therefore, we should limit the number of processes to one per CPU core, and leave one core spare for the UI thread. ProcessInfo.processInfo.processorCount - 1 Now we’re talking! This gives us a much healthier 5 threads of heavy, chunked-up computation and one very calm UI thread, without any hangs to write home about. Using n-1 threads (n = number of CPU cores) made the app much happier This parallelism has taken our longest-running thread from a heavy 15.37s process down to, at worst, 6.74s — a 56% decrease. We are using 5 cores. Why isn’t this neatly 5 times faster? Maths and Actors There is still an issue with our approach: each of our n threads independently searches for interesting numbers, until it has found 64/n interesting numbers. The fastest thread might find 64/n codes all within the next 2 weeks, and the slowest thread could potentially be calculating forwards until next month if it’s unlucky — TOTPs are spaced 30 seconds apart and the interestingness of their codes is randomly distributed. This problem is twofold: Firstly, we’re missing potential numbers by overcounting on some threads and undercounting on others. Secondly, since our threads can take very different times to process, we are not utilising our CPU as efficiently as possible compared to if each thread took the exact same amount of time, spread across all CPU cores. Perhaps, instead of working from an offset, each thread simply runs independently and calculates the next un-calculated code. Therefore, we need a way to safely share state between these threads and ensure each new TOTPs calculated uses the next un-calculated 30-second date increment. Swift offers a neat solution to this problem with Actors, which enforce serial access to their state. // CodeIncrementor.swift actor CodeIncrementor { private var _increment: Int = 0 func increment() -> Int { defer { _increment += 1 } return _increment } } Compared to our first attempt at parallelism, which allowed each thread to run wild calculating every 5th TOTP independently, this approach requires coordination between our processes. This coordination adds overhead — each process is a little slower individually because they might need to wait to call increment() on the actor’s Serial Executor, as only one process can call this at once. Consequently, each time increment() is called, the thread is guaranteed to safely get the correct offset, so we only ever calculate the next un-calculated TOTP code to assess its interestingness. // CodeGenerator.swift func generateCodes(accounts: [Account], incrementor: CodeIncrementor) async { // ... while Double(await incrementor.codes) < (Double(Constants.localNotificationLimit - 2)) { let increment = await incrementor.increment() // Generate TOTP from date increment ... } } Let’s measure how this performs! Time Profile when using an actor to synchronise the TOTP generation This Actor-based approach leads to several more threads in-flight at once. Swift concurrency aims to have approximately one thread running per CPU core, in line with our original parallelism goal, and manages threading itself using a system-aware cooperative thread pool. The total cumulative execution time given in instruments is the sum across each thread. This is of course not representative of the time our users are waiting — to get a proper measure, let’s crack out our trusty timestamps again and measure the total speed for calculating interesingness for ultra-rare GETs. Original speed without parallelism 23:10:55.2940 Computation started 23:11:09.9220 Computation finished 14.628 seconds in total. Speed using chunking and (n-1) threads 23:07:00.4700 Computation started 23:07:09.5980 Computation finished 9.128 seconds in total. Speed using Actor coordination 23:01:38.7080 Computation started 23:01:46.5300 Computation finished 7.822 seconds in total. This shows us that the additional thread coordination overhead we take on with actors is worth it — the process is more correct, it more efficiently utilises our CPU cores, and is overall makes this computation step 47% faster! Earlier code generation Our final piece of performance profiling, using print statements and timestamps, found two big waits before useful 2FA codes appeared to our users: waiting for onAppear in our main view; and waiting to refresh() the codes themselves. // CodeView.swift @State private var viewModel = CodeViewModel() @State private var timer = Timer.publish(every: 1, tolerance: 0, on: .current, in: .common).autoconnect() var body: some View { // ... .onReceive(timer) { _ in viewModel.refresh() } .onAppear { refreshUI() } } We are first waiting for onAppear to set up Accounts in the view model, and then waiting again for the 1-second timer to fire. This is a pretty simple fix: decouple Accounts fetching and TOTP calculation from the view lifecycle events. // CodeViewModel.swift final class CodeViewModel { init() { timestamp("View model init") configureAccounts() refresh() } // ... This drastically cuts down the time between app launch and code generation — from 1.764s to 0.400s. 20:41:35.6890 App init 20:41:36.0830 View model init 20:41:36.0890 Code displayed Now, the codes snap into the screen almost immediately. Final video of the fully-upgraded performance. 2FA codes snap in immediately, and processing is lightning-fast Conclusion Check ‘em — The Based 2FA App was a madcap idea I turned into a side project, and had an enormous amount of fun with. What I didn’t expect was to encounter an extremely interesting performance optimisation puzzle as the centrepiece of my second (v1.1) release. Now, the app is firing on all cylinders: 2FA codes snap into existence as soon as you launch. The algorithms for finding interesting codes are much faster. Our powerful multi-core CPU is fully utilised with parallel computation. Download Check ’em: The Based 2FA App today! To celebrate Pi Day weekend, I’m offering a 31.4159% discount for a year on my monthly and annual plans! Get 31.4159% off for a year © 2026 Jacob Bartlett Substack Inc., 548 Market Street PMB 72296 San Francisco, CA 94104 Unsubscribe