App-to-App integration

Mobile app-to-app integration is the process of interconnecting one app to another app for optimizing and exchanging verified data via API. Triggers in one app drive actions in another; data from one is mapped and transferred to the other.

In the mobility space, Android App Links and iOS Universal Links allow an app to designate itself as the default handler of a given type of link. The benefit is clear: secure and specific point-to-point integration providing a seamless user experience.

Apple introduced Universal Links in iOS 9 as a solution to the lack of graceful fallback functionality in custom URI-scheme deep links. Universal Links are standard web links (http://mydomain.com) that point to both a web page and a piece of content inside an app. When a Universal Link is opened, iOS checks to see if any installed app is registered for that domain. If so, the app is launched immediately without ever loading the web page. If not, the web URL (which can be a simple redirect to the App Store) is loaded in Safari.

The App Link is merely Android's way of turning existing website links into mobile app links as well. Essentially replicating the functionality of Universal Links, if a normal HTTP/HTTPS link is clicked and the corresponding Android app is installed, the app will open immediately. Otherwise, the web link is opened in the default browser on the device if the app is not installed.

This is of crucial importance for compliance with the SCA mandate for PSU consent imposed by PSD2 because it means your users can be seamlessly redirected to their selected bank's official mobile app or web site login page to provide authenticated consent for the requested transaction.

The general idea (pictured above) omits two steps: enforcing SCA, and then securely redirecting the user back to the TPP app to initiate token redemption. PSD2 compliance requires these additional security steps, as you'll see in the more detailed discussion of Token.io's app-to-app redirect feature.

App-to-App redirection: an overview

As defined by OBIE/PSD2, an app-to-app redirect allows the TPP to redirect a PSU from the TPP application (in a mobile web browser or mobile app) to the bank's (ASPSP) mobile app, when the latter is installed on the PSU's device. The TPP transmits details of the request (account information or payment) along with the PSU's preferences (e.g., product type, one-step authentication) through the respective Universal Link (iOS) or App Link (Android) and redirects the PSU to the bank app's login screen or function. The PSU then provides consent and is authenticated by the banking app using the same credentials/methods normally used when the PSU directly accesses the account through the bank app (typically, biometric).

Prior to the introduction of Token.io's App-to-App Redirect feature, the redirect flow for PSU consent involved redirecting the user to the bank's website opened in the default mobile browser on the device. Upon bank validation of PSU consent, the user was then redirected back to the TPP mobile app to continue request processing. However, this method is neither seamless nor friction-free and is likely to result in a poor user experience.

Hence, rather than an exclusive app-to-web redirect, the preferred app-to-app redirect experience, when the bank app is present on the device, lets the PSU access the bank's mobile app from within the TPP's mobile app to provide consent. The user is then seamlessly returned to the TPP mobile app to continue.

Universal/App links vs deep links

Deep links are a precise way to connect a user to a specific location in another app. On a web site, whether you use Safari or another browser like Chrome, most of the links you click are deep links. For example, a link to a hot news story on CNN takes you directly to a page with the story, not to the home page of CNN.

In mobile, deep linking has historically been more difficult. One reason is that apps don't use a standardized link format like HTTP or HTTPS: each mobile app needs its own uniform resource identifier (URI) to enable deep linking. With the web, there is one standard format for links, whereas with mobile the format varies by operating system (e.g., Android, iOS, Windows, etc.).

By contrast, Universal/App Links tell the web browser what to do if the app to which you want to link is not installed. With Universal Links, a hyperlink redirects the mobile device user to either content on a mobile website or to similar content in a mobile app, depending on whether or not the app is installed. The link itself points the web browser to a link map/URL scheme/app link scheme on a secure website that defines where users are redirected based on their install state.

As depicted in the flow chart below, when a Universal/App Link attempts to open for the user, the mobile OS determines whether the content should be shown in the mobile app or on the mobile website.
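The decision in that flow chart can be modelled in a few lines. The following Python is an added illustration (not Token.io's code or any bank's): it assumes the file the OS consults on the bank's web server is Apple's apple-app-site-association JSON, and the domain, app ID and path patterns are constructed sample values.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample association file for a notional bank domain (not a real bank).
AASA_SAMPLE = json.dumps({
    "applinks": {
        "apps": [],
        "details": [
            {
                "appID": "ABCDE12345.com.example.woodbank",  # constructed team ID + bundle ID
                "paths": ["NOT /help/*", "/open-banking/*", "/login"],
            }
        ],
    }
})


def _path_pattern_to_regex(pattern: str):
    """Translate an applinks path pattern: '*' matches any run, '?' one character."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile("^" + body + "$")


def matching_app_id(aasa_json: str, url: str):
    """Return the appID whose path list claims the URL's path, or None.

    Patterns are evaluated in order and the first match wins; a 'NOT ' prefix
    explicitly refuses the path for that app even if a later pattern would match.
    """
    path = urlsplit(url).path or "/"
    for entry in json.loads(aasa_json)["applinks"]["details"]:
        for pattern in entry["paths"]:
            exclude = pattern.startswith("NOT ")
            raw = pattern[4:] if exclude else pattern
            if _path_pattern_to_regex(raw).match(path):
                if exclude:
                    break  # this app refuses the path; try the next entry
                return entry["appID"]
    return None


def decide(aasa_json: str, url: str, installed_app_ids) -> str:
    """Mimic the OS: open the app only if it claims the path AND is installed."""
    app_id = matching_app_id(aasa_json, url)
    if app_id is not None and app_id in installed_app_ids:
        return f"open app {app_id}"
    return "open in browser"  # the web page, which may itself redirect to the store
```

The same check is what the implementation section below refers to when it says the system verifies a file on the bank's web server before handing the URL to the bank app.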

App-to-App checkout

At a high level, the following diagram shows the general workflow for Token.io's App-to-App Redirect feature using Universal/App Links.

The flow can be enumerated as follows:

  1. TPP stores the TPP callback URL in the TokenRequest. If the TPP doesn't support the Universal/App Link, it must provide a link to the TPP website. A requestId is returned for Token.io Web App access.

  2. The TPP redirects the requestId to the Token.io Web App, which then "guides" the user to the ASPSP for PSU authentication.

The flow pictured next illustrates the initial redirect user experience.

Here, Token.io provides Screen 1 to satisfy the Universal Link policy enforced by iOS on Apple devices. This particular screen is not required for devices running Android.

  3. As soon as user authentication is verified by the bank/ASPSP, the user is redirected back to the Token.io Web App and guided with a prompt back to the TPP. This experience is illustrated in the following example (Wood Bank is a notional ASPSP).

Here, again, Token.io provides the optional Screen 2 to satisfy iOS policy requirements. Screen 2 is not required for Android.

Implement the App-to-App redirect feature

Universal/App Links in the Token.io Web App redirect the user directly to the bank/ASPSP app (or website fallback) for authentication and authorization, then back to your app, returning the authorized response payload appropriate to the token request. Because Universal Links are standard HTTP or HTTPS links, one URL works for both the bank's website and the bank app. If the bank app is not installed on the user's device, the system opens the URL in the device's default browser, where the redirect is handled by the website. For users who have the bank app installed on their device, the system checks a file stored on the bank's web server to verify that it allows the Token.io Web App to open URLs on its behalf. For TPPs, the advantage here is having the Token.io Web App do all the heavy lifting.

However, there are still a couple of important rules you'll need to follow:

  1. Always open the Token.io Web App in a browser. Do not use an embedded in-app webview like WKWebView, for the following reasons:
    • Token.io security policy requires the Token.io webview to open in the same browser each time.

    • On redirect back to the TPP, the bank/ASPSP will always open the Token.io Web App in the device's default browser (i.e., on iOS devices, the browser will always be Safari).

    This means that, if you launch the Token.io Web App in an embedded webview, then, on redirect back from the bank, the Web App will detect a different browser than the one it expects and fail the checkout, trapping the error and displaying the following screen.

    Then, as the Web App UI indicates, the user will need to copy the URL and paste it into the browser from which checkout originated. But, if that's an embedded webview, the user will have no way to complete checkout without an address box for input.

    You should therefore avoid using an embedded webview to open the Token.io Web App.

  2. For iOS only, append the following parameters when opening the Token.io Web App link:
    1. use-bank-redirection-screen=true – controls whether the optional Screen 1 (bank-redirection screen) is displayed.
    2. source=app – indicates that the checkout flow initiates from the TPP's mobile app and supports Universal Links. Setting this parameter displays the optional Screen 1 in compliance with iOS Universal Link policy. If it is not included, the Token.io Web App will redirect the user back to the TPP's web site rather than the TPP mobile app.

On redirect back to the TPP, Token.io provides a requestId in its response. You can then use the requestId to check whether the final result of the token request is available by calling GET /token-requests/{tokenRequestId}/result.
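Putting the two rules above together, this added Python example (not Token.io's code) builds the launch URL with the iOS-only parameters and, on the redirect back, accepts the requestId only when the redirect landed on the TPP's registered callback URL. The Web App base URL, the callback URL and the name of the query parameter carrying the requestId are assumptions for illustration.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

WEB_APP_BASE = "https://web-app.example/app"   # assumed placeholder, not a real Token.io URL
TPP_CALLBACK = "https://tpp.example/callback"  # assumed callback URL stored in the TokenRequest


def web_app_launch_url(request_id: str, platform: str) -> str:
    """Return the URL the TPP app should open in the system browser (never a webview)."""
    params = {"requestId": request_id}  # parameter name is an assumption
    if platform == "ios":
        # Required only on iOS: shows the optional Screen 1 and tells the Web App the
        # flow started from a mobile app that supports Universal Links, so the
        # redirect back targets the TPP app rather than the TPP web site.
        params["use-bank-redirection-screen"] = "true"
        params["source"] = "app"
    return f"{WEB_APP_BASE}?{urlencode(params)}"


def result_path_from_redirect(redirect_url: str):
    """Validate the redirect back to the TPP and derive the result endpoint path.

    The requestId is trusted only if scheme, host and path match the registered
    callback exactly, and exactly one non-empty requestId is present.  Returns
    the path for GET /token-requests/{tokenRequestId}/result, or None.
    """
    got, want = urlsplit(redirect_url), urlsplit(TPP_CALLBACK)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        return None
    ids = parse_qs(got.query).get("requestId", [])
    if len(ids) != 1 or not ids[0]:
        return None
    return f"/token-requests/{ids[0]}/result"
```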

Token.io-connected bank support status for Universal/App links

The following table lists the Token.io-connected ASPSPs and their respective support for iOS Universal Links and/or Android App Links.

Token.io-connected ASPSP Open Banking Support Status (Yes = supported, No = not supported)

ASPSP                                  iOS   Android
Allied Irish Bank – Personal           No    No
Allied Irish Bank – Business           No    No
Bank of Ireland (UK)                   Yes   Yes
Bank of Scotland                       Yes   Yes
Lloyds Bank                            Yes   Yes
Halifax                                Yes   Yes
Barclays Bank                          Yes   Yes
Danske Bank – Personal                 Yes   Yes
Danske Bank – Business                 Yes   Yes
First Trust Bank – Personal            Yes   Yes
First Trust Bank – Business            No    No
National Westminster Bank              Yes   Yes
Royal Bank of Scotland                 Yes   Yes
Nationwide Building Society            Yes   Yes
Ulster Bank Ltd                        Yes   Yes
Coutts & Company                       Yes   Yes
Santander Bank (UK)                    Yes   Yes
HSBC Bank – Personal                   Yes   Yes
HSBC Bank – Business                   Yes   Yes
First Direct Bank                      Yes   Yes
Marks and Spencer Financial Services   No    No
TSB Bank                               No    No
Monzo Bank                             Yes   Yes

Additional references

Visit the following links to developer literature for related information: