During the initialization phase, you do a key-exchange with the bunq API:
- you create a private key of your own and send the public key to the API
- you get a public key back from the backend
Whenever you make a call to the bunq API, you sign the request (HTTP type + "bunq-x"-headers + request body) with your local private key and send the resulting signature along the request in a "X-Bunq-Client-Signature" header. Since you only have the private key, the bunq backend can thus check that request is coming from you, since nobody else could have signed the request or tampered with it.
The bunq API basically does the same, it signs it responses and puts the result in the
X-Bunq-Server-Signature. You now need to verify that bunq really signed this request and you can do so using the public key you got in the initialization phase:
- build the request that is signed in memory (HTTP type + x-bunq-headers + request) and use the public key to check if that matches the server signature.
On iOS and macOS, CommonCrypto is the way to do public/private key crypto:
SecKeyRawVerify or more modern functions such as
SecKeyCreateSignature are the things to search for.
The encryption part is a bit more tricky, but not needed as much. It's easiest to first get the signing up and running and then tackle the encryption part if needed.
If you have any specific questions, feel free to post them here and tag me. I'll do my best to answer them.