Security Demo for mobile app and API

For this demo we have created a Xamarin.Forms app to demonstrate using Moneyhub’s Open Banking API with OAuth Identity Management.

This allows a user to register and log in to an IdentityServer instance and then call an API protected by tokens. The app obtains those tokens with the OAuth 2.0 authorization code flow with PKCE, which is the current best practice for native and mobile apps (RFC 8252) because it works without a client secret on the device. The API keeps the Moneyhub API keys and secrets on the server, so they cannot be recovered by reverse engineering the mobile app.

There are many different solutions around identity; in the video below we explore IdentityServer, which is a great option for securing any platform, including mobile.

A solution such as this not only secures the app itself but also gives us a straightforward way to bridge the app's own authentication to the authentication Moneyhub's APIs require.
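The PKCE flow the demo relies on, shown end to end as an added example written for this page (it is not code from the demo repository or from IdentityServer): the app generates a code verifier and its S256 challenge, a hypothetical in-memory authorization server binds the challenge to a one-time code, and the token step recomputes the challenge from the presented verifier. The client id, the toy server and the token string are made up for illustration; the RFC 7636 test vector checked in Main is the real one from the RFC. CryptographicOperations.FixedTimeEquals needs .NET Core 2.1 / .NET Standard 2.1 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// RFC 7636 helpers shared by the client (verifier/challenge) and the server (check).
public static class Pkce
{
    // base64url per RFC 7636 Appendix A: '+' -> '-', '/' -> '_', padding removed.
    public static string Base64Url(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    public static byte[] RandomBytes(int count)
    {
        var bytes = new byte[count];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return bytes;
    }

    // 32 random bytes -> 43 base64url characters, inside the 43..128 range the RFC requires.
    public static string NewCodeVerifier() => Base64Url(RandomBytes(32));

    // code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), method "S256".
    public static string CodeChallenge(string verifier)
    {
        using (var sha = SHA256.Create())
            return Base64Url(sha.ComputeHash(Encoding.ASCII.GetBytes(verifier)));
    }

    // Token-endpoint check: recompute the challenge from the presented verifier and compare it
    // in constant time with the challenge stored when the code was issued.
    public static bool Verify(string storedChallenge, string presentedVerifier)
    {
        if (presentedVerifier == null || presentedVerifier.Length < 43 || presentedVerifier.Length > 128)
            return false;
        var recomputed = Encoding.ASCII.GetBytes(CodeChallenge(presentedVerifier));
        var stored = Encoding.ASCII.GetBytes(storedChallenge);
        return recomputed.Length == stored.Length && CryptographicOperations.FixedTimeEquals(recomputed, stored);
    }
}

// Hypothetical in-memory stand-in for the authorization server (IdentityServer plays this role in the demo).
public sealed class ToyAuthorizationServer
{
    private readonly Dictionary<string, (string ClientId, string Challenge)> _pending =
        new Dictionary<string, (string ClientId, string Challenge)>();

    // /authorize: after the user has logged in, bind the challenge to a one-time code. No secret involved.
    public string Authorize(string clientId, string codeChallenge, string codeChallengeMethod)
    {
        if (codeChallengeMethod != "S256") throw new ArgumentException("only S256 is accepted");
        var code = Pkce.Base64Url(Pkce.RandomBytes(24));
        _pending[code] = (clientId, codeChallenge);
        return code;
    }

    // /token: the code is consumed whether or not the verifier matches, so a stolen code
    // cannot be retried with guessed verifiers. Returns null on any failure.
    public string Token(string code, string clientId, string codeVerifier)
    {
        if (!_pending.TryGetValue(code, out var entry)) return null;
        _pending.Remove(code);
        if (entry.ClientId != clientId || !Pkce.Verify(entry.Challenge, codeVerifier)) return null;
        return "access-token-for-" + clientId;   // a real server issues a signed JWT here
    }
}

public static class Program
{
    public static void Main()
    {
        // RFC 7636 Appendix B vector: proves the S256 computation is right.
        Console.WriteLine(Pkce.CodeChallenge("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk")
            == "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM" ? "RFC 7636 vector ok" : "BUG");

        var server = new ToyAuthorizationServer();
        const string clientId = "xamarin-demo-app";   // public identifier, fine to ship in the app

        // App side: a fresh verifier per login; only the challenge leaves the device.
        var verifier = Pkce.NewCodeVerifier();
        var challenge = Pkce.CodeChallenge(verifier);
        var code = server.Authorize(clientId, challenge, "S256");

        // Someone who intercepts the redirect has the code but not the verifier.
        Console.WriteLine(server.Token(code, clientId, Pkce.NewCodeVerifier()) == null
            ? "wrong verifier rejected" : "BUG");

        // The failed attempt consumed the code; it cannot be replayed even with the right verifier.
        Console.WriteLine(server.Token(code, clientId, verifier) == null ? "replayed code rejected" : "BUG");

        // Clean run: new code, correct verifier.
        code = server.Authorize(clientId, challenge, "S256");
        Console.WriteLine("token: " + server.Token(code, clientId, verifier));
    }
}
```

The only values that cross the network from the device are the client id, which is public by design, and the code challenge; the verifier stays in the app's memory until the token request, so an intercepted authorization code is useless on its own. In IdentityServer4 this corresponds to registering the mobile client with RequirePkce = true and RequireClientSecret = false.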

Below is a short video that discusses the app; the video transcript is also available below if you prefer reading to watching.
Moneyhub Security Architecture Demo

The code can be found in the GitHub repo

Video transcript

This is a video about one of the ways that you can architect the security of your mobile app in order to securely access Moneyhub's data APIs. Security is important for almost any mobile app. However, it becomes even more important when accessing a user's financial information via something like Moneyhub's open banking platform.

The two main things we need to consider are, first, the security of your own app. This could be done via a custom login system or using a third party solution such as IdentityServer. But either way, you'll need some sort of solution that protects your users' data and secures your app. Moneyhub has its own security model to protect its data APIs, and this comes in the form of its Identity API. In order to get access to Moneyhub's data APIs, you need to first authenticate with the Moneyhub Identity API, where you can generate tokens which can then be used to access the data.

What we’re going to look at today is one of the ways that you can integrate your own security solution in with Moneyhub’s identity API in order to safely and securely (and to the user seamlessly) access Moneyhub’s data APIs.

In order for us to make this work there's one concept which we need to delve into a bit deeper, and that is how we authenticate with the identity providers themselves. One of the most common methods for doing this is via a client ID and client secret.

These are basically two keys that are provided as part of the request to the identity provider, which then allows the identity provider to verify that the calling client is a valid client. Now, as is detailed really well in this article, which I'll link below, this presents a problem for mobile apps, as there's no real way to safely and securely store a client ID and secret in the app. And this is how Moneyhub's Identity API requires us to authenticate, which means that we are not able to communicate directly with Moneyhub's Identity API from the mobile app.

So how do we get around this? What we are going to do for this solution is use our own app's security in order to create a secure connection to Moneyhub's Identity API via our own secure API. In order to avoid the same issue regarding client IDs with our identity provider as with Moneyhub's identity provider, we will authenticate with our own identity provider using a method called PKCE, which is Proof Key for Code Exchange.

I won't go into too much detail about this method, but effectively it uses a code challenge rather than IDs in order to authenticate. The important part is that we do not need to store any keys on the mobile app in order to authenticate, meaning it's much more suitable for things like mobile apps.

So what does that architecture look like in practice? This is a really simple diagram showing the security flow of how we can get data securely from Moneyhub. From the mobile app, we make a request to log in to our implementation of IdentityServer. This would be done via PKCE, so there are no client ID secrets being transported here. Once we've logged in we are returned a token; we then in turn use this token to access our own custom API.

That token is validated by our IdentityServer, and once that validation happens we can then access Moneyhub's Identity API from the API. And we can do this because the client ID and secrets can be kept securely on our custom API, so they never go anywhere near the mobile app. Once we have generated a token from Moneyhub's Identity API, that's then passed directly back to the mobile app, so the only thing the mobile app actually gets back is the actual token from Moneyhub.

We can then use that token to communicate directly with Moneyhub’s data APIs and get the data back directly. Using this process each call should be secure and no client ID secrets are ever stored on the app.

To show that in practice, this is a demo app that we've created that will use IdentityServer with PKCE authentication. Once that's successful, the token that we get will be used to talk to our own custom API, which will then in turn generate a token from Moneyhub, which we'll then use with our .NET SDK client for Moneyhub to call that data API and hopefully get some data back.

So first of all we log in with IdentityServer, and then once we've logged in, as I just said, the token will be passed back to us. We'll then authenticate with our own API, which will in turn authenticate with Moneyhub's Identity API, which will then give us a Moneyhub token, which we can then use directly with their data APIs. And as you can see there, we're getting data back.

So that's one way that you can secure your mobile app and securely access Moneyhub's data APIs. The solution I just showed you uses our own implementation of IdentityServer, a custom API, and a cross-platform iOS and Android mobile app.

All of these are available on our GitHub and I'll put links below so you can try this all out for yourself. Hopefully you found this useful and that it gives you an option for how you can get your own mobile app up and running securely.
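The server-side half of the architecture walked through in the transcript, as an added example that is not code from the demo repository: a broker class that lives in the custom API, holds the Moneyhub client id and secret from server configuration, and hands back only the resulting access token to the already-authenticated caller. The Moneyhub Identity API's real endpoint and client authentication method are not given on this page, so the example assumes a standard OAuth 2.0 token endpoint with the client_credentials grant and client_secret_basic authentication; the endpoint URL, scope, credentials and the canned token endpoint handler are constructed so the program runs offline. Validation of the caller's own IdentityServer bearer token is assumed to have happened already in the API's authentication middleware and is not shown.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;

// Lives in the custom API only. The credentials come from the server's configuration
// (environment variable, key vault); nothing here is compiled into the mobile app.
public sealed class MoneyhubTokenBroker
{
    private readonly HttpClient _http;
    private readonly Uri _tokenEndpoint;
    private readonly string _basicCredential;

    // client_secret_basic (RFC 6749 section 2.3.1): id and secret are form-encoded, joined, base64'd.
    public static string BasicCredential(string clientId, string clientSecret) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(
            Uri.EscapeDataString(clientId) + ":" + Uri.EscapeDataString(clientSecret)));

    public MoneyhubTokenBroker(HttpClient http, Uri tokenEndpoint, string clientId, string clientSecret)
    {
        _http = http;
        _tokenEndpoint = tokenEndpoint;
        _basicCredential = BasicCredential(clientId, clientSecret);
    }

    // Call this only after the API has validated the caller's own IdentityServer bearer token
    // (ASP.NET Core's JwtBearer middleware and [Authorize] do that; it is outside this example).
    public async Task<string> GetAccessTokenAsync(string scope, CancellationToken ct = default)
    {
        using (var request = new HttpRequestMessage(HttpMethod.Post, _tokenEndpoint))
        {
            request.Headers.Authorization = new AuthenticationHeaderValue("Basic", _basicCredential);
            request.Content = new FormUrlEncodedContent(new Dictionary<string, string>
            {
                ["grant_type"] = "client_credentials",   // assumed grant type, see lead-in
                ["scope"] = scope,
            });
            using (var response = await _http.SendAsync(request, ct))
            {
                var body = await response.Content.ReadAsStringAsync();
                if (!response.IsSuccessStatusCode)
                    throw new InvalidOperationException("token request failed: " + (int)response.StatusCode);
                // Only the access token is returned to the caller; the secret never leaves this class.
                using (var doc = JsonDocument.Parse(body))
                    return doc.RootElement.GetProperty("access_token").GetString();
            }
        }
    }
}

// Constructed stand-in for the identity provider's token endpoint so the example runs offline.
// It accepts exactly one client credential and answers everything else with invalid_client.
public sealed class FakeTokenEndpoint : HttpMessageHandler
{
    private readonly string _expectedBasic;
    public FakeTokenEndpoint(string clientId, string clientSecret) =>
        _expectedBasic = MoneyhubTokenBroker.BasicCredential(clientId, clientSecret);

    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        var auth = request.Headers.Authorization;
        var ok = auth != null && auth.Scheme == "Basic" && auth.Parameter == _expectedBasic;
        var response = ok
            ? new HttpResponseMessage(HttpStatusCode.OK)
              {
                  Content = new StringContent(
                      "{\"access_token\":\"mh-demo-access-token\",\"token_type\":\"Bearer\",\"expires_in\":3600}",
                      Encoding.UTF8, "application/json")
              }
            : new HttpResponseMessage(HttpStatusCode.Unauthorized)
              {
                  Content = new StringContent("{\"error\":\"invalid_client\"}", Encoding.UTF8, "application/json")
              };
        return Task.FromResult(response);
    }
}

public static class Program
{
    public static async Task Main()
    {
        // Constructed values; on a real host these come from configuration, never from the app.
        const string clientId = "demo-backend-client";
        var clientSecret = Environment.GetEnvironmentVariable("MONEYHUB_CLIENT_SECRET") ?? "constructed-secret";
        var endpoint = new Uri("https://identity.example/oauth/token");   // hypothetical endpoint

        var http = new HttpClient(new FakeTokenEndpoint(clientId, clientSecret));

        var broker = new MoneyhubTokenBroker(http, endpoint, clientId, clientSecret);
        Console.WriteLine("token for the app: " + await broker.GetAccessTokenAsync("accounts:read"));

        // A broker holding the wrong secret is refused by the identity provider, not by the app.
        var bad = new MoneyhubTokenBroker(http, endpoint, clientId, "wrong-secret");
        try { await bad.GetAccessTokenAsync("accounts:read"); Console.WriteLine("BUG"); }
        catch (InvalidOperationException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

Because the Moneyhub access token is handed to the device, whoever holds the device holds that token; keep the token short-lived and request only the scope the app needs, and rotate the server-side secret without touching the app, which is the whole point of keeping it there.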

If you haven't already, you can read about the background to this project and the initial SDK client library that showcases Moneyhub's APIs here.

We also explore using IdentityServer to access Moneyhub's API here.

If you are developing a mobile app using Open Banking and would like to discuss how we could support you on the project please get in touch.

Author: Richard Woollcott