Moderator: Taras Demyanets
Use-case: An online banking application shall be usable on mobile phones
(iPhone, Android, etc.). The app communicates with a REST web service
interface on the bank's server.
Simplest solution: Integrate WebKit or another browser framework into
the mobile app and let the user authenticate there.
But: Risk of phishing, which is a serious problem for banks. Users must
be trained to enter their credentials only on a known page. The browser
(on a desktop or mobile device) is considered a trusted application and
users are familiar with it. However, in mobile phone browsers it is, for
example, hard to inspect a certificate's attributes to verify its validity.
An alternative is to start the standard web browser on the mobile device
or to ask the user to use a web browser on a PC. In the case of the mobile
browser, registering a custom URL scheme would allow switching back to
the app. URL schemes are registered on a first-come, first-served basis.
But: Experience shows that switching from the app to the browser and back
to the app is not well accepted by users.
OAuth2 could be a solution if the OAuth token can be received in a
secure way: Fire up a browser once (on the mobile device or a PC), do the
authentication to get a long-lived OAuth token, and start the app again
(using a custom URL scheme) with the token as an argument.
An improved approach used by the University of Malaga displays the OAuth
token as a QR code so it can be imported on the mobile device. This is
more user-friendly than typing a long string.
The OAuth refresh token could probably be generated using the SIM card,
which would generate a cryptographic token that could be shared with the
server. But that would not work on iOS because Apple forbids it, and it
also would not work on a Wi-Fi-only iPad/tablet that has no SIM card.
In the case of a bank, no long-term tokens can be used. Their validity
can be at most 30 minutes. But the QR code could be used for initial device
Banks also face the problem that their customers could download the
wrong online banking application. This is less of an issue for the more
strictly controlled Apple App Store. When Apple tests an app, they require
a test account, which can be a problem if only real accounts shall be
used with the app.
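The token hand-off discussed above, as an added illustration (not code from the session or from any bank): the server mints a token whose lifetime is clamped to the 30-minute maximum mentioned in the notes, the browser redirects to the app's custom URL scheme with the token as an argument, and the app only accepts a callback that matches its own scheme and the state value it generated beforehand. The scheme name, the signing key and the state check are assumptions for the example, not part of the notes.

```python
import base64, hashlib, hmac, json
from urllib.parse import parse_qs, urlencode, urlparse

APP_SCHEME = "examplebank"   # hypothetical custom URL scheme registered by the app
MAX_LIFETIME = 30 * 60       # bank policy from the notes: tokens live at most 30 minutes
SERVER_KEY = b"constructed-demo-key-do-not-reuse"  # constructed; held only by the server


def issue_token(subject, requested_lifetime, now):
    """Server side: mint an HMAC-signed token, clamping its lifetime to the 30-minute cap."""
    claims = {"sub": subject, "exp": now + min(requested_lifetime, MAX_LIFETIME)}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify_token(token, now):
    """Server side: check signature and expiry before serving a REST request; None if invalid."""
    try:
        body, mac = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims if claims["exp"] > now else None


def callback_url(token, state):
    """Browser side: the redirect that hands the token back to the app via the custom scheme."""
    return f"{APP_SCHEME}://oauth/callback?" + urlencode({"token": token, "state": state})


def accept_callback(url, expected_state):
    """App side: accept the token only if the URL targets our scheme and path and carries the
    state value this app generated when it opened the browser (rejects injected callbacks)."""
    u = urlparse(url)
    if u.scheme != APP_SCHEME or u.netloc != "oauth" or u.path != "/callback":
        return None
    q = parse_qs(u.query)
    if q.get("state", [None])[0] != expected_state:
        return None
    return q.get("token", [None])[0]
```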
Note taker: Lukas H.