Expert review: Briar, a P2P messaging app
Activity: User testing and expert heuristic review on a peer-to-peer mobile messaging app.
Takeaway: In order to make effective use of an app, users need to know what the app is doing. Make system status visible.
Researchers who want to evaluate software interfaces have a number of tools at their disposal. One option for identifying obvious and significant problems is an expert review, which is often used to catch low-hanging fruit before performing any kind of user testing. Expert reviews employ usability heuristics, which systematically explore potential problems with a piece of software by applying patterns for good design.
With some guidance from UX-research veteran Susan Farrell, we recently performed expert reviews of a few open source tools for encrypting communications. Each expert review included evaluation by myself and at least one additional researcher; many thanks to Arne Renkema-Padmos, Robert Stribley, and Bernard Tyers for their work on this project. During the review we described issues and took screenshots to illustrate them. After prioritizing the issues by severity and picking our top 15, we compared our findings with one another and synthesized them into a single report.
One of the tools we reviewed was Briar, an open source peer-to-peer communications application for Android. Briar uses a range of communications methods — Bluetooth, Wi-Fi, or Tor — to provide users end-to-end encryption for messaging.
We picked Briar to review because the development team expressed readiness (and eagerness!) to get and incorporate feedback. Below is our full report.
What’s going well?
Generally, the reviewers found the interface simple and effective, and were confident they got the app working, successfully sending messages. While frustrated that Briar turned Bluetooth on by default, reviewers were pleased this was easily configurable in settings.
Issues
Here is a list of the issues we found in Briar, graded for the importance we felt it was to address them.
A) Visibility — High priority
- Connection status icon is unclear
Type of connection is not made visible
Consider “connected to user” instead of “connected to network” - Message delivery status is unclear
“Message sent” pops up even when user being sent to is not online
Users need to know if their message has not left their device yet
Consider “message ready to send” status - No notification of new messages on main screen
- Look at how Android/Hangouts/Gmail do this messaging
The UX team agreed that the most important issues we found related to visibility, primarily visibility of system status and visibility of message status. The team also felt we did not fully understand how Briar worked, which interacted with our need for more visible indicators. Lack of visibility impacted our ability to understand things like when messages had been delivered or whether the app was connected.
The researchers were confused and curious — does Briar cache messages anywhere but your own device? If not in the cloud, where? We were unclear whether this meant both devices had to be available in order to send or receive a message. That shaped how we thought about connection and message status indicators.
1. Connection status
- The distinction between “Briar is running” and “Briar can connect” is not made clear by the status icon in the notification and status bar.
- One researcher was frustrated that Briar’s icon was constantly taking up real estate in the status bar while it was on; he didn’t understand why that was necessary.
- Given that Briar connects peer to peer, we wondered whether “connected to user” might be a useful concept to communicate, rather than “connected to network.”
- However, users will find it helpful to know which kind of network connection is working at a given time.
- One researcher was confused that even when his wifi was spotty, his connection seemed to work.
- While the website states that wifi and bluetooth can be used to transmit messages locally, it was not clear to the team whether these kinds of connections could enable communication beyond a local network. If I’m in Brazil and I only have Bluetooth available, can I reach you with Briar if you’re in New York City? The team also wanted more clarity as to whether local wifi communication went peer-to-peer or over a router.
- Indicating which connection is being used to send a message might be helpful. Consider as a use case someone entering or leaving a subway system as they send a message: their access is changing.
2. Message status
- Even when a user is listed as offline, a “message sent” indicator pops up when you send them a message. The team found this confusing. Was the message still on the sender’s device? Was it floating around on the network? How was it sent if the person isn’t online?
- Consider a “message ready to send” indicator when a user has hit send but it cannot be delivered (either the recipient device is unavailable, or the sending device doesn’t have network access), and a “message delivered” indicator when the recipient device comes online and receives it.
- Look at how Android/Hangouts/Gmail do this kind of messaging; there may be some good conventions to borrow.
3. No notification of new messages on main screen
There is no notification of new messages on the main Briar screen, making it unclear to users when they have missed a message.
B) Bluetooth issues — high priority
Reviewers all had issues with Bluetooth, though they were of different types. All of them presented troubling obstacles.
The researcher on Cyanogenmod found that the app paired via Bluetooth without prompting. He found this problematic, because was not made clear to the user what the potential risks are of turning on Bluetooth. Besides security issues, turning on of Bluetooth by default can also lead to battery drainage. It is a good thing that this can be configured in the settings, but most users tend not to change the default settings. Defaulting to “off” in the Bluetooth connection might be safer.
By contrast, the other researchers had to go outside the app and pair within their devices’ native Bluetooth managers in order to get Briar to work. Better messaging within the app to let users know this is necessary would be helpful.
C) Confirmation code screen confusion — high priority
Users may not realize that the state of the machine has changed between the “invitation code” and the “confirmation code” screens, as some researchers did not during our test. Color, font size, and layout are nearly exactly the same on the two screens, making it difficult to notice a change if you are distracted or the process takes a while. Consider showing a step indicator or using color or text attributes to make it clear that the user has moved on to a second screen.
D) No login timeout — high priority
There is no timeout of logged-in status, which one researcher noted could lead to users forgetting their passwords. This is particularly problematic given that users must be face to face to pair; losing access to their account or app could mean permanently losing access to important contacts. Consider periodically logging users out, or finding a way to back up pairings in a privacy/security-preserving manner, so that when a password is forgotten, the pairing is not.
E) “Passwords don’t match” is still a green indicator — Bug — High priority
In setup, if a user enters two passwords which don’t match, the indicator is still green rather than yellow or red. This is likely to slow users down as they have to look harder to figure out why the setup will not complete. Change the indicator to red for “passwords don’t match.”
F) How-to page — medium priority
Currently the only way to install is using the APK, but the how-to page only says “Coming soon!” Remove the install content or add a how-to until the app is available in app stores.
G) Problems installing due to a screen brightness bug on Cyanogenmod — Bug — Low priority
In Cyanogenmod (and possibly in other Android flavors), a bug makes it impossible to install apps outside the app store when screen brightness control is on. We expect this will be fixed by offering the app through the App Store, so while this is a showstopper in some cases we did not feel it was high priority.
H) Give the option to start app by default — Low priority
Some UX team members wanted the app to start by default when the phone started, but the team was not in agreement about this. We thought it made sense to have this be a setting which could be the default on first launch. More user feedback on this option would make it clearer how to handle this.
I) Sign out does not have undo functionality — Low priority
For the sake of reducing accidental sign-outs, the team wanted to see a “Do you really want to sign out?” popup before logout was completed. However, we were not certain whether “panic-button”-scenario users might not want that additional step.
J) No information on why permissions are needed — Low priority
The team wanted to see more information on why the app asks for the permissions it does on install. The App Store doesn’t really give much opportunity to include additional information of this sort on install, but it might be nice to have available to users on the website or App Store page.
K) App store availability — Low priority
The app is not currently in the app store. This makes installation more difficult. The reviewers understand there may be reasons not to include the app in the app store, and that it still being in beta is one of these. However, this leads to the following security concern:
L) APK signatures are not available — Low priority
So long as the app is not in the app store, APK signatures are important for more-skilled users, who may want to ensure the package has not been tampered with. These should be made available.
Follow-up
We have passed this list of issues along to Michael Rogers, Briar’s developer. Michael had great insights and comments in response, and we are confident he can address these issues effectively.
