API-key Best Practices

August 21st, 2018

One of the wonderful things about conceptualizing products and developing new solutions is the creative freedom to design and execute your vision in a way you deem best.

We celebrate creative freedom at Twizo and we love giving our partners flexibility in how they use our services. With that in mind, though, there are still some best practices that every developer should bear in mind, both in general and specifically when working with Two Factor Authentication security services.

When you decide to integrate the Twizo API into your mobile app, you will need to communicate with our API using your API-key. The easiest way to do that is to embed the API-key directly into the mobile app. Easy isn't always best, though.

We do not recommend this!

By integrating the API-key directly into your mobile app, you will run into a few different issues.

  1. Even if you secure the API-key, it is still part of the core code, and hackers who know what they are doing will know where to find it if they breach your code.
  2. Any update to the API-key, whether it's due to a general update or due to a breach, will lead to all of your users having to install a new version of the app. What if someone doesn't want to update or forgets to do so? Now you need to support two versions of the app because there are two versions of the API-key!

So, what's a better way to go about this?

The best approach is to create a mobile backend which runs on your own service and to then have the mobile app communicate directly with that backend. The API-key then lives on the backend instead of inside the app.

Now, instead of having to make changes to the app itself and inconvenience your users with re-installs or version updates, all you have to do is update the backend directly. Simple, secure and hassle-free for both you and your users.
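The backend pattern described above, as an added example that is not Twizo's code: the backend reads the API-key from its own environment on each request, forwards only an allow-listed set of app routes, and discards any credentials the app sends. The upstream host and paths, the Basic-auth scheme, and the `TWOFA_API_KEY` variable name are assumptions made for illustration.

```python
import base64
import os

# Assumptions, not taken from the Twizo documentation: the upstream host and
# paths are placeholders, and the key is sent as HTTP Basic auth.
UPSTREAM_BASE = "https://api.example.invalid"
KEY_ENV_VAR = "TWOFA_API_KEY"  # hypothetical variable name

# Backend routes the app may call, each mapped to exactly one upstream call.
ALLOWED_ROUTES = {
    ("POST", "/app/verify/start"): ("POST", "/verification/start"),
    ("GET", "/app/verify/status"): ("GET", "/verification/status"),
}
# Only these app-supplied headers are forwarded; Authorization never is.
FORWARDED_HEADERS = {"content-type", "accept"}


def load_api_key(environ=None):
    """Read the key per request, so rotating it only touches the backend."""
    environ = os.environ if environ is None else environ
    key = environ.get(KEY_ENV_VAR, "")
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set on the backend")
    return key


def build_upstream_request(method, path, headers, body, environ=None):
    """Turn an app request into the upstream call, adding the key server-side.

    Returns None for any route outside ALLOWED_ROUTES, so the backend does not
    become an open proxy to the whole upstream API.
    """
    target = ALLOWED_ROUTES.get((method.upper(), path))
    if target is None:
        return None
    credentials = f"api:{load_api_key(environ)}".encode()
    safe = {k: v for k, v in headers.items() if k.lower() in FORWARDED_HEADERS}
    safe["Authorization"] = "Basic " + base64.b64encode(credentials).decode()
    return {"method": target[0], "url": UPSTREAM_BASE + target[1],
            "headers": safe, "body": body}


if __name__ == "__main__":
    env = {KEY_ENV_VAR: "constructed-sample-key"}  # constructed value
    app_headers = {"Content-Type": "application/json", "Authorization": "x"}
    print(build_upstream_request("POST", "/app/verify/start", app_headers,
                                 b"{}", env))
```

Rotating the key means changing the backend's environment value; the app binary contains only the backend's own routes and needs no new release.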

Just like the rest of our services, we advocate for an #ImpossiblySimple approach to things, but simple should not mean less secure. By following our recommendations above, you can ensure that you keep your customers safe while enjoying all of the benefits that the Twizo API has to offer.

