Slightly longer answer: DigID is the Dutch government’s federated single sign-on system, giving citizens a single username/password they can use to file taxes, receive messages, apply for student loans, and a number of other services. Most uses of DigID are sensitive, and so demand a second authentication factor on top of the password. Today that second factor is usually SMS, but Logius is currently rolling out a mobile (Android) app to serve as a replacement.
The app works quite well. The sign-on screen draws a QR code, which the app then scans. The user confirms that they wanted to sign in, and the sign-on screen automatically refreshes. All in all, a normal interaction takes about thirty seconds at most. So far so wonderful.
It’s the downloading of the app beforehand that I’m grumbling about.
The current version of the DigID app is about 83MB compressed, or 376MB uncompressed, and it’s mostly precompiled Mono libraries:
■ Mono system libraries (186MB): most of the .NET framework, plus specific run-time libraries for C# and things like the garbage collector.
■ Xamarin support libraries (96MB): the glue between the .NET world and the native Android system, as well as backports of newer Android features to older phones.
■ Crypto library (29MB): in this case the .NET version of Bouncy Castle.
■ JSON parser (15MB): the Newtonsoft library, which seems to be the de-facto default.
■ QR code library (12MB): the .NET port of the ZXing QR code recognizer.
■ DigID application code (7MB): yes, there’s some of it in here.
There’s also an HTTP client, a Piwik connector, as well as some resources and images, but those barely tip the scale.
All of the Mono libraries are shipped three times, for three different ARM application binary interfaces. Android apps are of course delivered as APK files, which are renamed ZIP files. Because the ARM binaries of the libraries are very similar, they compress well.
Xamarin is an impressive piece of technology. It’s a beautiful example of a square peg that’s been lovingly polished and sanded to fit in a round hole. Using the app feels almost native.
But for an app like this one, where there are few interactions, most of them straightforward, the choice to me seems like overkill.
Maybe Logius are planning a Windows Phone version? The app only targets Android and iOS for now, and there is no talk of a Windows version, much less an official announcement.
Perhaps the server side is in C#, prompting the team to write the client in C# as well, for symmetry’s sake? Perhaps, but the statistics the app collects (because of course it has telemetry, and of course it is on by default) go to a Piwik server, which must be PHP/MySQL.
Could the app depend on a specific library that’s only available for .NET? Possible, but unlikely. Both the crypto implementation (Bouncy Castle) and the QR code scanning library (ZXing) in use are also available in native Java versions. The HTTP client (OkHttp3) is a Java library.
The most reasonable explanation seems to be that DigID/Logius didn’t want to take the time to write both a native Android app and a native iOS app. We ended up with an app that seems to work, but is ten times as large as it could be.
Thanks for reading! If you have any questions, comments or corrections, feel free to shoot me an email.