Vibe Coding, Gems, and Hidden Security Lessons from a Running App
A colleague recently asked me to do a security review of her new iOS budgeting app, Eira. No code access, just the running app on my phone. This was a completely new type of project for me, so I approached it as a behavioural and UX security review: observing how the app guides users, what data it collects, and the subtle nudges it gives that could affect security and privacy.
Doing this kind of review was different from my usual work. Instead of looking at code, I focused on human behaviour, UX design, and the small ways security is shaped by the choices we make as users and creators.
Sign-Up and Authentication
The app starts with a clean sign-up/login screen. The password rules are solid: at least 8 characters, including an uppercase letter, a lowercase letter, and a number. If your password does not meet them, the app tells you exactly what is missing, such as "must be at least 8 characters" or "must include a number". It is a small but important friction point that stood out in my behavioural and UX security review. One caveat a reviewer would add: composition rules like these are a floor, not a guarantee. A password such as "Password1" satisfies all four and is still one of the first guesses in any credential-stuffing list, so a sensible minimum length plus a check against known-breached passwords protects users more than another required character class would.
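To make the point concrete, here is an added example (my own code, not Eira's, whose implementation I have not seen) of a rule checker that reports every failing rule the way the app's prompts do, and then layers a breached-password check on top. The rule messages are my wording modelled on the app's prompts, and the small "common passwords" set is constructed for the example, standing in for a real breach list.

```python
# Each rule pairs a predicate with the message the user should see when it
# fails. The wording is mine, modelled on the app's prompts, not copied from it.
RULES = [
    (lambda p: len(p) >= 8, "must be at least 8 characters"),
    (lambda p: any(c.isupper() for c in p), "must include an uppercase letter"),
    (lambda p: any(c.islower() for c in p), "must include a lowercase letter"),
    (lambda p: any(c.isdigit() for c in p), "must include a number"),
]

# Constructed stand-in for a breached-password list. A real deployment would
# check against a large list or a k-anonymity range API; the point here is
# that these entries pass every composition rule above and are still guessable.
COMMON_PASSWORDS = {"Password1", "Welcome1", "Qwerty123", "Summer2024"}


def password_problems(password: str) -> list[str]:
    """Return every failing rule, so the UI can say exactly what is missing.

    Reporting all failures at once avoids the irritating one-rule-at-a-time
    loop; the breach check runs last because it only matters once the
    composition rules are satisfied.
    """
    problems = [message for passes, message in RULES if not passes(password)]
    if not problems and password in COMMON_PASSWORDS:
        problems.append("is too common; choose something less guessable")
    return problems


def is_acceptable(password: str) -> bool:
    """True only when no rule fails and the password is not a known weak one."""
    return not password_problems(password)


if __name__ == "__main__":
    for candidate in ["Hunter2", "password", "Password1", "correct horse Battery 9"]:
        print(repr(candidate), password_problems(candidate) or "ok")
```

The interesting case is "Password1": it clears all four composition rules the app enforces, which is exactly why a composition-only policy gives users false confidence.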
Since I first explored the app, updates have been flowing, and it turned out I had been on an outdated version. The earlier quirks, like looping back after entering payday information, are now fixed. There is also now an option to sign in with Google, which adds an extra layer of trust because users often feel more comfortable using familiar accounts.
However, there are a couple of subtleties. When using Google sign-in, the prompt shows a URL requesting access. While the functionality works, seeing a long, unfamiliar domain can reduce trust compared to seeing the app’s name. Additionally, signing into a different account with Google redirected me to a website version of the app rather than back to the iOS app itself. While not a security issue per se, this kind of behaviour can confuse users and affect their confidence in the app’s professionalism and safety.
This is a small but important reminder in a behavioural and UX security review: how authentication flows work, how users are redirected, and how URLs are presented all shape perceived trust and usability.
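Both things noticed above come down to the redirect target the app registers with the identity provider: that is the URL the provider sends the user back to, and for an https callback, whether it opens the iOS app or the website depends on whether the app has claimed that URL as a universal link. The code below is an added example of what the app side of a Google sign-in (an OAuth 2.0 authorization-code flow with PKCE) should check on the way back in; it is my own illustration, not Eira's code, and I have no access to Eira's configuration. Google's authorization endpoint is the real one; the client ID and the `https://app.example` callback are placeholders, and the callback URLs in the tests are constructed, not captured from the app.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Google's authorization endpoint is real. The client ID and callback are
# placeholders: Eira's real values are not known to me.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
CLIENT_ID = "000000-placeholder.apps.googleusercontent.com"   # placeholder
REDIRECT_URI = "https://app.example/oauth2/callback"          # placeholder


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as PKCE (RFC 7636) requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def challenge_for(verifier: str) -> str:
    """S256 code challenge: the provider stores this, the app keeps the verifier."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def begin_login() -> tuple[str, dict]:
    """Build the authorization URL plus the per-login secrets the callback must match."""
    state = _b64url(secrets.token_bytes(16))      # binds the callback to this request
    verifier = _b64url(secrets.token_bytes(32))   # PKCE verifier, never leaves the device
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,   # where the provider sends the user back
        "response_type": "code",
        "scope": "openid email",
        "state": state,
        "code_challenge": challenge_for(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}", {"state": state, "verifier": verifier}


def request_params(url: str) -> dict:
    """Flatten the query of an authorization URL so the request can be inspected."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def handle_callback(callback_url: str, pending: dict) -> str:
    """Validate the redirect back into the app and return the authorization code.

    Raises ValueError for anything that must not be trusted: a callback at a
    location other than the registered one, a state that does not match, a
    provider error, or a missing code.
    """
    got, want = urlsplit(callback_url), urlsplit(REDIRECT_URI)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError(f"callback arrived at unexpected location: {got.netloc}{got.path}")
    query = parse_qs(got.query)
    if "error" in query:
        raise ValueError(f"provider reported: {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), pending["state"].encode()):
        raise ValueError("state mismatch: callback does not belong to this login")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def callback_is_valid(callback_url: str, pending: dict) -> bool:
    """Convenience wrapper: True if handle_callback would accept the callback."""
    try:
        handle_callback(callback_url, pending)
        return True
    except ValueError:
        return False


def token_request(code: str, pending: dict) -> dict:
    """Body of the code-for-token exchange; the verifier proves this app started the flow."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": pending["verifier"],
    }


if __name__ == "__main__":
    url, pending = begin_login()
    print("send user to:", url)
    # Constructed callback, as the provider would redirect after consent.
    code = handle_callback(f"{REDIRECT_URI}?code=abc123&state={pending['state']}", pending)
    print("exchange with:", token_request(code, pending))
```

The three checks in `handle_callback` are the ones that matter regardless of how the prompt looks: the callback must land on the exact registered location, the `state` must be the one this device generated for this login, and the PKCE verifier is only ever sent in the token exchange the app itself performs, so a code captured by the wrong handler (a website instead of the app, for instance) is useless on its own.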
Onboarding and Gamification
Once logged in, onboarding walks you through income, currency, goals, and recurring expenses. The app gamifies the experience. Completing onboarding earns gems, which unlock AI-powered insights later. You can also track streaks, levels, and weekly milestones.
Gamification is clever for engagement but also nudges users toward sharing more information than they might otherwise. Even scanning receipts to earn points has subtle privacy and behavioural implications.
This is where vibe coding really shines and where it can introduce quirks. Vibe coding allows rapid iteration and experimentation. It can speed up “bad coding”, creating glitches or less-than-perfect flows, but it can also push projects past bad into something genuinely innovative. As more people use these tools and the algorithms behind them improve, the results can get smarter and more creative.
App Navigation and Features
Eira is neatly structured with four main tabs: Budget, Transactions, Analytics, Profile.
Budget: monthly overview, recurring expenses, categories, and earned gems
Transactions: add income or expenses manually or via receipt scanning, then categorise them
Analytics: AI-powered insights unlockable with gems
Profile: change avatar, display name, currency, read privacy policy, delete account, or sign out
Some minor UI quirks exist: buttons that look clickable but are not, lingering loading indicators, and the odd visual glitch. None of them breaks the experience. They are part of the charm of vibe coding: functional, human-driven iteration that prioritises speed and experimentation.
Even small details can affect how users interact with an app and how secure their experience feels. A missing account confirmation email is a good example: beyond looking unfinished, a verification email is what proves the person signing up actually controls the address, so skipping it also means the app never learns whether the email it stores belongs to its user.
Hidden Lessons
Even without seeing the code, the app illustrates key lessons about security, behaviour, and UX:
Security is baked into design, not just code: password rules, login flows, and data collection choices influence safety. A behavioural and UX security review helps spot where small choices nudge users toward safer or riskier behaviour
Gamification shapes behaviour: incentives like gems, streaks, and AI insights encourage engagement but can subtly push users to overshare information or interact more than they might otherwise
Vibe coding trade-offs are human: rapid iteration and creative energy can leave minor “oh no” moments, but that is normal for first-time projects and part of what makes building apps exciting
Doing something new teaches a lot: reviewing an app at a colleague’s request was completely new for me. It reminded me that security is not just technical, it is about human choices, UX, and behaviour patterns too
Vibe coding reflection: vibe coding can speed up bad coding, but in doing so it also has the potential to move past bad into something genuinely good. As more people use these tools, the algorithms improve and the results get smarter and more creative
Perceived trust matters: even small details, like missing account confirmation emails, subtle UI glitches, or invisible nudges in gamification, affect how users interact with an app and how secure their experience feels. Updates like adding “Sign in with Google” can improve trust, but seeing a long, unfamiliar URL for the authentication service can immediately make users hesitate. If something looks polished, flows nicely, and feels professional, users feel comfortable handing over their data. If the interface is glitchy, inconsistent, or shows confusing URLs, users might instinctively think “I don’t feel safe here”, even if the app is technically secure
Final Thoughts
Because my colleague asked for a review, I could take the perspective of both a user and a security observer. Eira is not perfect and it does not need to be, but even a vibe coded side project can teach lessons about friction, incentives, and the human side of security.
Sometimes the most important insights are hiding in plain sight, and a little curiosity goes a long way in spotting them.