Unlike much of the work I’ve published here, which is proof of concept or “building blocks” for applications, this is the complete source for a real application that you can download from the App Store for free. If you want to check out the application you can get it through iTunes/App Store. The source can be downloaded at the end of this post, as usual.

Mitt Saldo, or “My Balance” translated, is an iPhone application for the Swedish banks Swedbank, Nordea, ICA Banken and Handelsbanken. All of these banks have already released their own official iPhone apps or web based apps some time ago, and I’ve personally used Swedbank's application a lot. These “applications” however are nothing more than browser wrappers and provide little or no additional functionality compared to their iPhone adapted web based internet banks. In fact, most of them have just thrown in a UIWebControl and pointed the start URL to their internet banks. This has obviously been a successful stunt, and rightfully so: it’s not obvious to everyone that you can create a shortcut to their sites directly through the iPhone's Safari browser.

The main reason for creating Mitt Saldo is that I personally found the process of checking the balance on my credit card account way too time consuming. I’m one of those who still worry about getting my credit card information stolen through various internet sites or skimmers, so I keep a minimal amount of money on that account. Instead I transfer money to the account whenever needed, which could be 2-3 times per week depending on what I’m purchasing. The big hassle with checking the balance is that you have to enter your credentials every time. Thankfully Nordea, Handelsbanken, ICA Banken and Swedbank have a simplified credentials solution where no additional smart cards or hardware is involved, unlike some other Swedish banks who obviously don’t understand that the basic idea of using a phone is that it should be simple and reasonably fast.

Mitt Saldo uses screen scraping techniques that let users store their credentials in the application instead and let the application authenticate with the existing web based internet bank.

How does authentication work?

It appears that both Nordea and Swedbank use the same platform for their internet banks because the authentication scheme is identical. Handelsbanken's authentication scheme differs and is more sophisticated than Nordea's and Swedbank's. ICA Banken utilizes Microsoft ASP.NET, which requires some extra work for post-backs to work.

Nordea/Swedbank

Authentication for these two banks is more or less identical and very simple. There’s a login form; post credentials to that form and get a cookie back as proof of a successful authentication. There’s only one mechanism thrown in to complicate things: the login form contains a hidden field named “_csrf_token” with a value that is generated every time the page is fetched using GET. Try it yourself: https://mobilbank.swedbank.se/banking/swedbank/login.html. To authenticate with Swedbank/Nordea you need to perform the following:

  1. Fetch the login page using HTTP-GET.
  2. Parse the _csrf_token value from the HTML-markup
  3. Perform an HTTP-POST to the login page URL containing the parameters:
    _csrf_token = value parsed from initial GET-request
    xyz = Personnummer (SSN in english)
    zyx = Pin-code
  4. Store the returned cookies (specifically JSESSIONID) and use for subsequent requests. The cookie is of course a session cookie.

That’s all! Both Nordea and Swedbank use XHTML markup, which is ideal for parsing out the interesting bits of information. However, Swedbank's pages don’t validate (shame on you)!

Handelsbanken

As I was completing Mitt Saldo, Handelsbanken released their iPhone adapted web bank and I was expecting them to release a similar web based iPhone app as the rest of the banks shortly after. My lovely girlfriend is a Handelsbanken customer so I decided to add support for Handelsbanken as well. It turned out that Handelsbanken made an effort with their application and released a real Cocoa app. Kudos to them! Their application uses a hidden web service API which I haven’t been able to (ab)use, unfortunately. Perhaps I can provide more details on that later. Instead Mitt Saldo uses their existing iPhone adapted web based application. The authentication scheme is much more sophisticated than Nordea/Swedbank's solution, which made it quite a challenge to implement.

Cookies!!!
The goal of authenticating with Handelsbanken is to post credentials to their login page and keep the returned cookies. Just like Swedbank and Nordea, but with added complexity. The best way to investigate what happens is to start up Firefox and Firebug and look at the requests. Remember to clear out all cookies etc. before you start. Point your browser to:

  1. The initial request is redirected (302) to europe.ipx.com (IPX is a mobile platform from Ericsson) together with some parameters. Two cookies (MOBICOOKIE and DRUTT_DESERVER_SESSIONID) are also returned with the redirect and must be kept for subsequent requests.
  2. europe.ipx.com issues a 302 redirect as well, back to m.handelsbanken.se.

All requests to m.handelsbanken.se are redirected this way unless valid cookies are also passed along with the requests.

Handelsbanken has an additional mechanism for validating cookies against the user-agent identifier. If you get hold of the cookies using one user-agent string and try to use them in another request with a different user-agent string, the cookies are rejected, with a redirect to europe.ipx.com as a result. This is important because UIWebView has a different user-agent string depending on iOS version, and NSURLRequest defaults the user-agent to the name of your application. To be able to use the cookies retrieved using NSURLRequest in UIWebView you must make sure the NSURLRequest passes the exact same user-agent string as UIWebView does on the specific phone.
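The user-agent check described above, written out from the server side as an added illustration (not Handelsbanken's or Mitt Saldo's code): a session cookie is stored together with a keyed hash of the User-Agent it was issued to, and the same cookie presented with a different User-Agent is rejected. The two User-Agent strings are constructed stand-ins for the UIWebView and NSURLRequest defaults.

```python
import hmac
import hashlib
import secrets

# Constructed per-process secret for the keyed User-Agent hash.
SERVER_KEY = secrets.token_bytes(32)


def _ua_tag(user_agent: str) -> str:
    # Bind the session to the client's User-Agent with a keyed hash, so the
    # server never needs to store the raw header string.
    return hmac.new(SERVER_KEY, user_agent.encode("utf-8"), hashlib.sha256).hexdigest()


class SessionStore:
    """In-memory session table: session id -> User-Agent tag."""

    def __init__(self) -> None:
        self._sessions = {}

    def issue(self, user_agent: str) -> str:
        """Create a session bound to user_agent and return the cookie value."""
        session_id = secrets.token_urlsafe(24)
        self._sessions[session_id] = _ua_tag(user_agent)
        return session_id

    def validate(self, session_id: str, user_agent: str) -> bool:
        """Accept the cookie only if it exists and the User-Agent still matches."""
        expected = self._sessions.get(session_id)
        if expected is None:
            return False
        return hmac.compare_digest(expected, _ua_tag(user_agent))


# Constructed User-Agent strings: the WebKit one stands in for UIWebView's
# per-iOS-version header, the other for NSURLRequest's app-name default.
UA_WEBVIEW = "Mozilla/5.0 (iPhone; CPU iPhone OS 4_0 like Mac OS X) AppleWebKit/532.9"
UA_DEFAULT = "MittSaldo/1.0 CFNetwork/485.2"


def demo() -> tuple:
    """Return (accepted with the issuing UA, accepted with a different UA)."""
    store = SessionStore()
    cookie = store.issue(UA_DEFAULT)
    return store.validate(cookie, UA_DEFAULT), store.validate(cookie, UA_WEBVIEW)
```

This is exactly the failure the post describes: cookies fetched with the app-name User-Agent are refused when UIWebView presents its own.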

Dynamic URLs!?
Another mechanism that makes things problematic for evil people like me trying to automate things is that Handelsbanken constantly changes some URLs and from time to time changes others. The login page, which one would assume has a permanent URL, doesn’t; it changes from time to time. When I started adding support for Handelsbanken the login page had this URL: https://m.handelsbanken.se/primary/_-iseufea5, and this URL was used for at least a week or so. Now, about a month later when I’m in my summer house watching the rain outside, the URL is: https://m.handelsbanken.se/primary/_-iseV8jnn. The URL to the login page must therefore be parsed from the start page, pesky…

The URLs to the transfer page and accounts page change each time you authenticate. If authentication is successful the returned page contains a list of links to these pages, and that list must be parsed.

Very smart, Handelsbanken!

Authentication
To authenticate with Handelsbanken you need to do the following:

  1. Fetch https://m.handelsbanken.se using HTTP-GET
  2. Follow the redirect (302) to europe.ipx.com. Keep the cookies returned with the redirect.
  3. Follow the redirect back to m.handelsbanken.se (pass cookies from step 2).
  4. Parse the response from m.handelsbanken.se, look for the login page url.
  5. Perform an HTTP-POST request to the login URL with the following parameters (pass cookies from step 2):
    username = Personnummer (SSN in english)
    pin = Pin-code
    execute = true (this is a hidden field; execute is always set to true)
  6. The response, if successful, contains a list of links to the pages in the authenticated area.

A bit more work than Swedbank/Nordea and much slower since we need to request additional pages to get what we want, but nothing is impossible!

ICA Banken

ICA Banken was actually first in Sweden with an iPhone adapted web based internet bank, kudos! They have not released an application that works as a shortcut (like Swedbank/Nordea); unless they are really developing a real application, they should! ICA Banken doesn’t present any sophisticated mechanisms to make screen scraping harder; the two challenges are:

  1. The ASP.NET post-back mechanism requires viewstate and eventvalidation parameters.
  2. ICA Banken's HTML pages are not XHTML compliant, which in turn requires a slight modification before they can be parsed using the standard NSXMLParser.

Authentication

Authentication starts here: https://iphone.icabanken.se/login/login.aspx. It’s a straightforward page with two input fields named:

    pnr_phone (SSN/Personnummer)
    pwd_phone (password)

But as mentioned above, this is an ASP.NET solution. ASP.NET works differently than most platforms because it utilizes hidden fields to pass information between the server and the browser. It’s not possible to do a straight “POST” request to the login page and just pass the parameters pnr_phone and pwd_phone; the hidden field values must be supplied as well. This is solved by making an initial GET request to the login page, then parsing all hidden fields and using them for the actual login POST.
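Collecting hidden fields is the same job for both login forms on this page: the “_csrf_token” of Nordea/Swedbank and the viewstate/eventvalidation fields of ICA Banken's ASP.NET page are hidden inputs that must be sent back unchanged with the POST. The following is an added example (not Mitt Saldo's code, which uses NSXMLParser) that does this with Python's tolerant html.parser; the sample forms and their values are constructed, and __VIEWSTATE/__EVENTVALIDATION are ASP.NET's standard hidden field names.

```python
from html.parser import HTMLParser


class HiddenFieldParser(HTMLParser):
    """Collect every <input type="hidden"> name/value pair in the document."""

    def __init__(self) -> None:
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        # html.parser routes self-closing <input .../> here as well.
        if tag != "input":
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def hidden_fields(html: str) -> dict:
    """Return {name: value} for all hidden inputs in the page."""
    p = HiddenFieldParser()
    p.feed(html)
    p.close()
    return p.fields


def login_body(html: str, credentials: dict) -> dict:
    """Build the POST body: the page's hidden fields plus the credential fields."""
    body = hidden_fields(html)
    body.update(credentials)
    return body


# Constructed samples; field names follow the post, values are made up.
SWEDBANK_LIKE = """<form method="post" action="login.html">
<input type="hidden" name="_csrf_token" value="tok-0001"/>
<input type="text" name="xyz"/><input type="password" name="zyx"/>
</form>"""

ASPNET_LIKE = """<form method="post" action="login.aspx" id="form1">
<input type="hidden" name="__VIEWSTATE" value="/wEPDwUK"/>
<input type="hidden" name="__EVENTVALIDATION" value="/wEWAgL"/>
<input type="text" name="pnr_phone"/><input type="password" name="pwd_phone"/>
</form>"""
```

Because the token is minted per GET, it stops a cross-site forged POST but not a client that fetches the form first, which is the behaviour the post relies on.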

No XHTML, no UTF8?

Because the pages are not XHTML compliant and also not UTF-8 encoded, some special care must be taken to parse the returned pages. NSXMLParser doesn’t like the ampersands (&) and they are not needed for the application anyway, so I just remove them. To remove them I need the returned data in the form of an NSString; this is accomplished by “initWithData” and passing NSStringEncodingConversionAllowLossy instead of NSUTF8StringEncoding. After the &-signs are removed I convert the string back to UTF-8 encoded NSData and parse it.
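The same normalisation as an added example (not Mitt Saldo's code): a constructed Latin-1 page fragment with a bare & is rejected by a strict XML parser and accepted after the decode / strip-& / re-encode sequence. Unlike the post's lossy decode, it assumes the page's real charset is known, which keeps the non-ASCII text intact.

```python
import xml.etree.ElementTree as ET

# Constructed page fragment in the spirit of the post: Latin-1 (not UTF-8)
# encoded, with a bare '&' in a query string. Either fact alone makes a
# strict XML parser reject the bytes as they arrive.
RAW_LATIN1 = (
    '<html><body><form action="login.aspx?ret=1&lang=sv">'
    '<p>V\xe4lkommen</p>'
    '<input type="hidden" name="__VIEWSTATE" value="abc"/>'
    '</form></body></html>'
).encode("latin-1")


def strict_parse(data: bytes):
    """Parse with a strict XML parser; return None where it rejects the input."""
    try:
        return ET.fromstring(data)
    except ET.ParseError:
        return None


def normalise(data: bytes, source_encoding: str = "latin-1") -> bytes:
    """Decode, drop every '&', re-encode as UTF-8 (the post's sequence).
    The post decodes lossily; here the real charset is assumed known."""
    text = data.decode(source_encoding, errors="replace")
    return text.replace("&", "").encode("utf-8")


def parse_page(data: bytes) -> tuple:
    """Return (form action, paragraph text) after normalisation.
    Note the action loses its '&', which the post accepts as unused."""
    tree = strict_parse(normalise(data))
    form = tree.find(".//form")
    return form.get("action"), tree.find(".//p").text
```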

Transfer money / Single-sign-on

Transferring money is implemented using a standard UIWebView utilizing the existing functionality in each bank's web based application. This could of course be implemented using Cocoa instead of launching a browser, but time is always a factor. To speed up the process of transferring money, Mitt Saldo signs in automatically and the UIWebView uses the authentication cookies to directly access the transfer money page. NSURLRequest doesn’t automatically store cookies in the application cookie container, but if cookies are placed in the cookie container UIWebView will automatically pick them up and use them accordingly.

Source Code

Mitt Saldo v1.0 complete source code
Code summary:

Language      files  blank  comment  code
Objective-C      37   2331     1193  7850
C/C++ Header     43    573      782  1069
SUM              80   2904     1975  8919

*NOTICE* There is one difference between the posted source code and the app on the App Store: the bug that prevents the correct UITextBox from scrolling into a visible state in the settings view is already fixed.
