Mobile app-to-app integration is the process of interconnecting one app to another app for optimizing and exchanging verified data via API. Triggers in one app drive actions in another; data from one is mapped and transferred to the other.
In the mobility space, Android App Links and iOS Universal Links allow an app to designate itself as the default handler of a given type of link. The benefit is clear: secure and specific point-to-point integration providing a seamless user experience.
Apple introduced Universal Links in iOS 9 as a solution to the lack of graceful fallback functionality in custom URI-scheme deep links. Universal Links are standard web links (http://mydomain.com) that point to both a web page and a piece of content inside an app. When a Universal Link is opened, iOS checks to see if any installed app is registered for that domain. If so, the app is launched immediately without ever loading the web page. If not, the web URL (which can be a simple redirect to the App Store) is loaded in Safari.
The App Link is Android's way of turning existing website links into mobile app links. It essentially replicates the functionality of Universal Links: if a normal HTTP/HTTPS link is clicked and the corresponding Android app is installed, the app opens immediately. Otherwise, the web link is opened in the default browser on the device.
This is of crucial importance for compliance with the SCA mandate for PSU consent imposed by PSD2 because it means your users can be seamlessly redirected to their selected bank's official mobile app or web site login page to provide authenticated consent for the requested transaction.

The general idea (pictured above) doesn't include enforcing SCA and then securely redirecting the user back to the TPP app to initiate token redemption. The security aspects required for PSD2 compliance require a few more steps, as you'll see in the more detailed discussion of Token.io's app-to-app redirect feature.
As defined by OBIE/PSD2, an app-to-app redirect allows the TPP to redirect a PSU from the TPP application (in a mobile web browser or mobile app) to the bank's (ASPSP) mobile app, when the latter is installed on the PSU's device. The TPP transmits details of the request (account information or payment) along with the PSU's preferences (e.g., product type, one-step authentication) through the respective Universal Link (iOS) or App Link (Android) and redirects the PSU to the bank app's login screen or function. The PSU then provides consent and is authenticated by the banking app using the same credentials/methods normally used when the PSU directly accesses the account using the bank app (typically, biometric).
Prior to the introduction of Token.io's App-to-App Redirect feature, the redirect flow for PSU consent involved redirecting the user to the bank's website opened in the default mobile browser on the device. Upon bank validation of PSU consent, the user was then redirected back to the TPP mobile app to continue request processing. However, this method is neither seamless nor friction-free and is likely to result in a poor user experience.
Hence, rather than an exclusive app-to-web redirect, the preferred app-to-app redirect experience, when the bank app is present on the device, lets the PSU access the bank's mobile app from within the TPP's mobile app to provide consent. The user is then seamlessly returned to the TPP mobile app to continue.
Deep links are a precise way to connect a user to a specific location in another app. On a web site, whether you use Safari or another browser like Chrome, most of the links you click are deep links. For example, a link to a hot news story on CNN takes you directly to a page with the story, not to the home page of CNN.
In mobile, deep linking has historically been more difficult. One reason is that apps don't use a standardized link format like HTTP or HTTPS; instead, mobile apps need a uniform resource identifier (URI) to enable deep linking. With the web, there is one standard format for links, whereas with mobile the format varies by operating system (e.g., Android, iOS, Windows, etc.).
By contrast, Universal/App Links tell the web browser what to do if the app to which you want to link is not installed. With Universal Links, a hyperlink redirects the mobile device user to either content on a mobile website or to similar content in a mobile app, depending on whether or not the app is installed. The link itself points the web browser to a link map/URL scheme/app link scheme on a secure website that defines where users are redirected based on their install state.
As depicted in the flow chart below, when a Universal/App Link attempts to open for the user, the mobile OS determines if the content should be shown in the mobile app or mobile website.
At a high level, the following diagram shows the general workflow for Token.io's App-to-App Redirect feature using Universal/App Links.

The flow is as follows:
- TPP stores the TPP callback URL in the TokenRequest. If the TPP doesn't support the Universal/App Link, it must provide a link to the TPP website. A requestId is returned for Token.io Hosted Pages access.
- The TPP redirects the requestId to the Token.io Hosted Pages, which then "guides" the user to the ASPSP for PSU authentication.
The flow pictured below illustrates the initial redirect user experience.

Here, Token.io provides Screen 1 to satisfy the Universal Link policy enforced by iOS on Apple devices. This particular screen is not required for devices running Android.
- As soon as user authentication is verified by the bank/ASPSP, the user is redirected back to the Token.io Hosted Pages and guided with a prompt back to the TPP. This experience is illustrated in the following example (Wood Bank is a notional ASPSP).

Here, again, Token.io provides the optional Screen 2 to satisfy iOS policy requirements. Screen 2 is not required for Android.
Universal/app links in the Token.io Hosted Pages redirect the user directly to the bank/ASPSP app (or website fallback) for authentication and authorization, then back to your app, returning the authorized response payload appropriate to the token request. Because universal links are standard HTTP or HTTPS links, one URL works for both the bank's website and the bank app. If the bank app is not installed on the user's device, the system opens the URL in the device's default browser, where the redirect is handled by the website. For users that have the bank app installed on their device, the system checks a file stored on the bank's webserver to verify that it allows the Token.io Hosted Pages to open URLs on its behalf. For TPPs, the advantage here is having the Token.io Hosted Pages do all the heavy lifting.
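The file the system checks is the domain's association file: `apple-app-site-association` on iOS and `assetlinks.json` on Android. The following added example (not part of the original page or Token.io's code) shows how to audit such a file for the expected app; the package name, app ID, fingerprint and paths are constructed placeholders.

```python
import json
import re

HANDLE_ALL_URLS = "delegate_permission/common.handle_all_urls"

# Constructed samples; app ID, package name and fingerprint are placeholders.
FP = ":".join(["AB"] * 32)
ASSETLINKS = json.loads("""[{"relation": ["delegate_permission/common.handle_all_urls"],
  "target": {"namespace": "android_app", "package_name": "com.example.woodbank",
             "sha256_cert_fingerprints": ["%s"]}}]""" % FP)
AASA = json.loads("""{"applinks": {"apps": [], "details": [
  {"appID": "ABCDE12345.com.example.woodbank",
   "paths": ["NOT /consent/debug/*", "/consent/*"]}]}}""")


def _norm(fp):
    """Compare fingerprints without separators or case differences."""
    return fp.replace(":", "").upper()


def android_app_verified(statements, package, cert_fp):
    """True if assetlinks.json delegates all URLs to this package and signing cert."""
    for stmt in statements:
        target = stmt.get("target", {})
        if (HANDLE_ALL_URLS in stmt.get("relation", [])
                and target.get("namespace") == "android_app"
                and target.get("package_name") == package
                and _norm(cert_fp) in map(_norm, target.get("sha256_cert_fingerprints", []))):
            return True
    return False


def _glob(pattern):
    """Translate an AASA path pattern ('*' any run, '?' one char) to a regex."""
    return re.compile("".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern))


def ios_path_allowed(aasa, app_id, path):
    """True if the first matching pattern for app_id admits path ('NOT ' excludes)."""
    for entry in aasa.get("applinks", {}).get("details", []):
        if entry.get("appID") != app_id:
            continue
        for pattern in entry.get("paths", []):
            negated = pattern.startswith("NOT ")
            if _glob(pattern[4:] if negated else pattern).fullmatch(path):
                return not negated
    return False
```

The signing-certificate fingerprint and the team-prefixed app ID are what bind the link to one specific app, so a package with the same name but a different certificate fails the check.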
However, there are still a couple of important rules you'll need to follow:
Always open the Token.io Hosted Pages in a browser. Do not use an embedded in-app webview like WKWebView, for the following reasons:
- Token.io security policy requires the Token.io webview to open in the same browser each time.
- On redirect back to the TPP, the bank/ASPSP will always open the Token.io Hosted Pages in the device's default browser (i.e., on iOS devices, the browser will always be Safari).
If you launch the Token.io Hosted Pages in an embedded webview, on the redirect back from the bank, the Hosted Pages will detect a different browser than the one it expects and fail the checkout, whilst trapping the error and displaying the following screen.

Then, as the Hosted Pages UI indicates, the user will need to copy the URL and paste it into the browser from which checkout originated. But, if that's an embedded webview, the user will have no way to complete checkout without an address box for input.
You should therefore avoid using an embedded webview to open the Token.io Hosted Pages.
For iOS only, append the following parameters when opening the Token.io Hosted Pages link:
- "use-bank-redirection-screen"="true" – This controls whether the optional Screen 1 (bank-redirection screen) is displayed. The following screen is shown after the user has given consent for the initiation and before the user is redirected to the bank.

  If too much time passes between the user's click to accept/give consent and the redirect, there's a risk that the OS no longer deems it a trusted interaction and will open the URL in the browser instead of the bank app. Clicking the redirect button on Screen 1 ensures that the OS honours the deep link, i.e., the bank app will always open instead of the URL opening in the browser.
- "source=app" – This option also ensures that the OS honours the deep link when using app-to-app, but at the end of the payment flow instead of between the accept consent and the redirect, as with the use-bank-redirection-screen option. In this scenario, when the user returns from the bank to Token.io's HP, the following screen is shown.
  Clicking this redirect button ensures the user is sent back to the app they started in if processes at Token.io take too long, or to avoid an issue with automatic redirects.
On redirect back to the TPP, Token.io provides a requestId in its response. You can then use the requestId to check on whether the final result of a token request is available by calling GET /token-requests/{tokenRequestId}/result.
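Before calling the result endpoint, the TPP should check that the callback belongs to the flow it started. This added example (not Token.io code) sketches that check; the callback host, the query parameter name and the permitted ID characters are assumptions, and only the endpoint path comes from the text above.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumptions for this sketch: the callback host, the query parameter name and
# the permitted ID characters are placeholders, not values from Token.io docs.
CALLBACK_HOST = "tpp.example.com"
REQUEST_ID_PARAM = "requestId"
REQUEST_ID_RE = re.compile(r"[A-Za-z0-9:_-]{1,128}")


class CallbackRejected(ValueError):
    """Raised when a redirect back to the TPP fails validation."""


def result_path_for_callback(callback_url, pending_request_id):
    """Validate the redirect back to the TPP and return the result endpoint path.

    pending_request_id is the requestId the TPP stored in the user's session
    when it created the token request.
    """
    parts = urlsplit(callback_url)
    if parts.scheme != "https" or parts.hostname != CALLBACK_HOST:
        raise CallbackRejected("unexpected callback origin")

    values = parse_qs(parts.query).get(REQUEST_ID_PARAM, [])
    if len(values) != 1:
        raise CallbackRejected("requestId missing or repeated")
    request_id = values[0]

    # Allowlist the characters before interpolating the value into a URL path.
    if not REQUEST_ID_RE.fullmatch(request_id):
        raise CallbackRejected("malformed requestId")

    # Bind the callback to the session that started the flow.
    if request_id != pending_request_id:
        raise CallbackRejected("requestId does not match pending request")

    return "/token-requests/%s/result" % request_id
```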
The following table lists the Token.io-connected ASPSPs and their respective support for iOS Universal Links and/or Android App Links.
| ASPSP | iOS | Android |
|---|---|---|
| Allied Irish Bank – Personal | N | N |
| Allied Irish Bank – Business | N | N |
| Bank of Ireland (UK) | Y | Y |
| Bank of Scotland | Y | Y |
| Lloyds Bank | Y | Y |
| Halifax | Y | Y |
| Barclays Bank | Y | Y |
| Danske Bank – Personal | Y | Y |
| Danske Bank – Business | Y | Y |
| First Trust Bank – Personal | Y | Y |
| First Trust Bank – Business | N | N |
| National Westminster Bank | Y | Y |
| Royal Bank of Scotland | Y | Y |
| Nationwide Building Society | Y | Y |
| Ulster Bank Ltd | Y | Y |
| Coutts & Company | Y | Y |
| Santander Bank (UK) | Y | Y |
| HSBC Bank – Personal | Y | Y |
| HSBC Bank – Business | Y | Y |
| First Direct Bank | Y | Y |
| Marks and Spencer Financial Services | N | N |
| TSB Bank | N | N |
| Monzo Bank | Y | Y |
Visit the following links for related information:
- Android (covers 65% of all Android users on 6.0 or later)
- iOS (covers over 99% of all iOS users on iOS 9 or later)