so we recently upgraded to the priority plan so the apps we would publish could be password protected. This is important to us because we are working on an app for a client whose access will be restricted in production. Therefore we don’t want it to be available to everybody who just happens to know the link. If I understand correctly what’s written here (Working Together - Expo Documentation) protecting apps in expo with user accounts should be possible (“Can only view your projects through the Expo client, but can’t modify your projects in any way.”).
I tested scanning the QR code on my iPhone without being locked in and that results in an error message containing “403”, perfect. When I log in, I am able to scan the same code and see the app from that particular release channel.
However, when I scan the same QR code with an Android phone, I can directly access the app. No login needed. How is that possible? Is this a major security breach or did I just understand the security measures provided by the priority plan wrong?