# MobileID InApp

# About MobileID InApp

Signicat MobileID InApp offers a simple way to implement and use two-factor authentication on mobile devices. The solution provides an API which allows merchants to register users and implement strong customer authentication in their existing mobile apps.

The solution also offers functionality for

MobileID InApp supports fingerprint, facial recognition or PIN code for authentication and provides Strong Customer Authentication (SCA) satisfying PSD2 requirements.

# Key features

Supports both PIN and fingerprint (Touch ID, Android fingerprint, Samsung fingerprint)

Relies on Encap for app security (supports both Android and iOS). Encap is a well-established and trusted provider of mobile security solutions.

Realtime Application Self Protection (RASP) optional

Push notification service for Android and iOS optional

Part of SignicatID (SCID). Combine MobileID with other factors as you like.

Signing of documents with MobileID is available through Signicat's signing functionality.

# Demo

If you want to see how MobileID InApp works, you can use Signicat's demo service.

# MobileID InApp Architecture

Key concepts

Signicat: MobileID InApp Solution Provider

Merchant: A customer of Signicat that will integrate and use the MobileID InApp solution

# Component descriptions

The main components involved in the Signicat MobileID InApp solution are as follows. You can find a diagram that represents these components below.

Merchant web app

This is the browser-based user interface that a merchant will optionally develop and offer to its end-users.

Merchant mobile app

This is the mobile app that a merchant will develop and offer to its end-users.

Merchant backend

This is the backend component that a merchant will develop. The merchant backend is the initial point of contact for the merchant web app and the merchant mobile app. This component will usually communicate with services provided by Signicat via the OIDC/OAuth protocol.

Signicat backend

This is the cloud service provided by Signicat. The Signicat backend is the primary point of contact for the merchant backend and the merchant mobile and web apps. Signicat currently offers a plugin architecture-based variant, with a microservice-based variant under development.

# Plugin-based backend

This component uses Signicat's proprietary plugin-based architecture, which exposes various HTTP endpoints that should preferably be accessed via the OpenID Connect (OIDC) protocol. SOAP interfaces are provided for some features. Additionally, it provides endpoints to consume other services and products offered by Signicat, such as signing and authentication with other eID methods.

# Microservice-based backend

This component is under development and will use Signicat's microservice-based architecture, which provides features similar to Signicat's plugin-based architecture. Endpoints offered by microservices should preferably be accessed via the OIDC or OAuth 2.0 protocols.

Encap server

This is the core security server offered and maintained by Signicat in collaboration with AllClearID. The Encap server takes care of secure communication with the merchant's app (via the Encap client SDK) and also offers push notification services that make use of the Apple Push Notification service (APNs) and Firebase Cloud Messaging (FCM).

Encap client SDK

This is the mobile client SDK, which the merchant will need to import and use in its mobile apps.

Signicat database server

This is an internal Signicat component. The Signicat database server is not exposed to the public or to the merchant.

# Component diagram


# Integration guides

The MobileID registration, authentication, payment authorization and Consent signature operations can take place entirely within the merchant's mobile app (mobile integration).

The registration, authentication and payment authorization operations can also start on the merchant's website (web integration).

# Mobile integration

# Web integration

# Realtime Application Self Protection (RASP)

MobileID InApp customers may optionally secure their mobile app using Realtime Application Self Protection (RASP). The RASP option is recommended and is offered through the third-party solution Promon Shield, from the company Promon.

By applying this layer of protection, you can protect your app against reverse engineering and modification, monitor its runtime behavior, detect whether the app executes in an insecure environment (i.e. on rooted/jailbroken devices) and modify its behavior in real time to interrupt potential attacks. The option is available for Android and iOS.

Promon Shield is integrated as a fully automatic post-compilation step or as an integrated part of building the app with the Android or iOS build systems. Signicat will build a specific software package for customers who decide to implement the RASP option. Contact Signicat at support@signicat.com for additional information.

# Push notification service for Android and iOS

As part of the MobileID product, Signicat optionally offers a push notification service. The service is typically used to bring the user's attention to the mobile device when authentication is initiated on another device (e.g. in a browser on a desktop or laptop) or in other use cases where there is a need to bring the app to the foreground.

Signicat's push notification service uses Google's FCM service for Android devices and Apple's APNS for iOS devices. Customers may also choose to use their own push notification service with MobileID.

If you're considering using MobileID in more than one of your apps, a good practice is to configure each app with a unique applicationID, so that future scenarios (such as separating the apps' user bases) remain possible. Signicat will set this up on your behalf. Contact Signicat at support@signicat.com for additional information.

# Electronic signing

For electronic signing through Signicat's Sign product, MobileID InApp can be used in two ways: authentication-based signing and native signing.

# Use case

With Signicat Signature you can use MobileID InApp to sign (as well as view or upload) one or more documents, such as loan applications or contracts (authentication-based signing), or to sign general consent texts, such as GDPR consent forms (native signing).

# Authentication-based signing

The first alternative, authentication-based signing, offers mobile device-based signing of documents. This functionality utilizes Signicat's Sign product, with MobileID acting as an authentication-based signing method just like other ID methods used in a sign flow.

For more information about getting started with electronic signing, the different signing methods and more, see the signing documentation.

The input for MobileID authentication-based signature is typically a PDF file. The document is displayed in the browser and the signing process takes place on the mobile device, where a signing title text that connects to the document is shown. The process results in an LTV-SDO, Signicat's implementation of XAdES, ensuring a unified output format in accordance with EU specifications as well as a scalable, responsive sign flow supporting all modern device standards.

It is possible to include metadata about the MobileID authentication-based signature transaction to be passed back to the merchant's application. To pass metadata, include the following in the subject in the signing request:

```
externalRef=<ACCOUNT_NAME>
deviceName=<DEVICE_NAME>
metaData=<TYPICALLY_BASE64_JSON>
```

You can find an example of an LTV-SDO as a signing result, with authentication-based signing and MobileID as the authentication method here:

Download Signed LTV-SDO example

# Native signing

The second alternative, native signing, offers signing of text elements such as consent messages. This functionality utilizes Signicat's Sign product, with MobileID acting as a native (third-party) signing method just like other ID methods used in a sign flow.

For more information about getting started with electronic signing, the different signing methods and more, see the signing documentation.

The input for MobileID native signature is a text file with the text to be displayed in the MobileID-enabled app. The process results in a signed JSON Web Token (JWT).

It is possible to include metadata about the MobileID native signature transaction to be passed back to the merchant's application. To pass metadata, include the following in the subject in the signing request:

```
externalRef=<ACCOUNT_NAME>
deviceName=<DEVICE_NAME>
metaData=<TYPICALLY_BASE64_JSON>
```
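The three subject entries above are the same for authentication-based and native signing. The following is an added example (not Signicat's own code) of how a merchant backend could build the subject for a signing request and parse it back out of the signed result; it assumes that the entries are newline-separated key=value pairs and that metaData holds base64url-encoded JSON, neither of which the page specifies.

```python
import base64
import json

REQUIRED_KEYS = {"externalRef", "deviceName", "metaData"}


def encode_metadata(metadata: dict) -> str:
    """Serialize merchant metadata as compact JSON, then base64url without padding."""
    raw = json.dumps(metadata, separators=(",", ":"), sort_keys=True).encode("utf-8")
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def decode_metadata(token: str) -> dict:
    """Reverse of encode_metadata; restores padding before decoding."""
    padded = token + "=" * (-len(token) % 4)
    return json.loads(base64.urlsafe_b64decode(padded).decode("utf-8"))


def build_subject(external_ref: str, device_name: str, metadata: dict) -> str:
    """Build the signing-request subject. Assumed format: one key=value per line."""
    for value in (external_ref, device_name):
        # A newline inside a value would smuggle in an extra key=value entry.
        if "\n" in value or "\r" in value:
            raise ValueError("externalRef/deviceName must not contain line breaks")
    return "\n".join([
        f"externalRef={external_ref}",
        f"deviceName={device_name}",
        f"metaData={encode_metadata(metadata)}",
    ])


def parse_subject(subject: str) -> dict:
    """Parse a subject returned with the signed result back into fields.

    Only the first '=' separates key from value, so base64 padding in metaData
    (or '=' inside an account name) is preserved. Unknown keys are rejected so
    that unexpected entries are noticed rather than silently ignored.
    """
    fields = {}
    for line in subject.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition("=")
        if not sep or key not in REQUIRED_KEYS or key in fields:
            raise ValueError(f"unexpected or duplicate subject entry: {line!r}")
        fields[key] = value
    missing = REQUIRED_KEYS - fields.keys()
    if missing:
        raise ValueError(f"subject is missing entries: {sorted(missing)}")
    fields["metaData"] = decode_metadata(fields["metaData"])
    return fields
```

The parsed metadata is merchant-supplied pass-through data and is only as trustworthy as the signed result (LTV-SDO or JWT) it came back inside, so verify that result before acting on the metadata.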

# Sample projects and code

View the code for sample apps that demonstrate how to integrate with Signicat's MobileID InApp solution:

App: https://github.com/signicat/sample-mobileid-inapp-common-react-native

This is a sample app (React Native) that demonstrates how to integrate with Signicat's MobileID InApp solution. This app requires a backend.

Backend: https://github.com/signicat/sample-mobileid-inapp-common-backend

This is a simple sample backend to be used with a merchant's mobile app. Registration and authentication start either on the merchant's website or on the merchant's mobile app. The sample backend server uses the OIDC protocol for communication with Signicat.

# Test information

A sample merchant mobile Android app can be downloaded from Google Play.

A sample merchant mobile iOS app is available via TestFlight. To test the iOS app via TestFlight, contact us at support@signicat.com and provide the following:

  1. The name of the app in question; in this case the MobileID InApp sample merchant iOS app.

  2. The email addresses of the testers you would like us to add to TestFlight. These email addresses need to be the same as those used by the Apple accounts on the phones you want to use for testing.

Signicat will then add the testers to TestFlight. You will receive an email from Apple that will prompt you to download the TestFlight app and accept an invitation from Signicat by redeeming a code.

  1. Download the TestFlight app from the App Store.

  2. Redeem the code which will have been sent to you via email by Apple.

  3. You can now start testing the MobileID InApp sample merchant iOS app.

# MobileID InApp upgrade guide

The Signicat MobileID InApp solution requires that our customers regularly update their client applications throughout the product's lifetime.

Signicat MobileID uses Encap Security technology, which is a proven, certified, banking-grade security solution for mobile applications.

For details on how to update the Encap client, refer to our MobileID InApp upgrade guide.

# Support

If you have any further questions, contact us at support@signicat.com.

Last updated: 3/1/2021, 12:00:45 AM