I'm looking for the most secure algorithm/protocol to safely authorize actions done via a mobile app.
Let's say I'm developing a system that requires user authorisation of certain actions. You can think of it as "banking platform". Let's say there are two ways of accessing the platform: web via normal browser and mobile via app on a smartphone.
One-time tokens and SMS codes are good for the web frontend, when it's separated from the device generating tokens / receiving SMS. But how can I assure security on the mobile that's almost certainly used to receive the SMS or generate the tokens? More secure would be to ask for a password. How can I patch this obvious security hole?
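As an added illustration of the "second factor on the same phone" problem raised in the question (this is example code written for this page, not code from the original post or from any banking platform), the sketch below replaces a code delivered to the phone with an authorization key that only the enrolled phone plus the user's password can produce, and binds the exact transaction into what gets signed. All names (`Server`, `Device`, `authorize`, `demo`) and the message layout are hypothetical; the HMAC/PBKDF2 construction is used so the example runs on the Python standard library alone.

```python
"""Added example: binding an action authorization to an enrolled device AND a
password, so an OTP/SMS received on the same phone is not the only gate.

Names, message layout and the HMAC-based construction are an illustration
written for this page, not code from any real banking platform.
"""
import hashlib
import hmac
import json
import secrets

PBKDF2_ITERATIONS = 200_000  # assumption: tune to your password-hashing budget


def canonical(transaction: dict) -> bytes:
    """Deterministic encoding so client and server sign exactly the same bytes."""
    return json.dumps(transaction, sort_keys=True, separators=(",", ":")).encode()


class Server:
    """Hypothetical server side. In production the per-device key would be a
    public key (or live in an HSM); a shared secret is used here to stay stdlib-only."""

    def __init__(self):
        self._auth_keys = {}   # device_id -> authorization key K
        self._pending = {}     # nonce -> (device_id, canonical transaction bytes)

    def enroll(self, device_id: str, auth_key: bytes) -> None:
        self._auth_keys[device_id] = auth_key

    def issue_challenge(self, device_id: str, transaction: dict) -> str:
        """Step 1: record the exact transaction and hand out a one-time nonce."""
        nonce = secrets.token_hex(16)
        self._pending[nonce] = (device_id, canonical(transaction))
        return nonce

    def verify(self, nonce: str, tag: bytes) -> bool:
        """Step 3: the nonce is consumed whether or not the tag checks out,
        so a captured tag cannot be replayed."""
        entry = self._pending.pop(nonce, None)
        if entry is None:
            return False
        device_id, tx_bytes = entry
        key = self._auth_keys.get(device_id)
        if key is None:
            return False
        expected = hmac.new(key, nonce.encode() + tx_bytes, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


class Device:
    """Hypothetical mobile app. device_secret never leaves the phone; the password
    is never stored. Only the combination of both yields the authorization key."""

    def __init__(self, device_id: str):
        self.device_id = device_id
        self.device_secret = secrets.token_bytes(32)  # keep in the platform keystore
        self.salt = secrets.token_bytes(16)

    def _auth_key(self, password: str) -> bytes:
        pw_key = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ITERATIONS)
        # K = HMAC(device_secret, PBKDF2(password)): a stolen phone without the
        # password, or a phished password without the phone, yields nothing.
        return hmac.new(self.device_secret, pw_key, hashlib.sha256).digest()

    def enroll(self, server: Server, password: str) -> None:
        server.enroll(self.device_id, self._auth_key(password))

    def sign(self, nonce: str, transaction: dict, password: str) -> bytes:
        """Step 2: the app shows `transaction` to the user, asks for the password,
        and signs nonce || transaction so the authorized action cannot be swapped."""
        return hmac.new(self._auth_key(password),
                        nonce.encode() + canonical(transaction),
                        hashlib.sha256).digest()


def authorize(server: Server, device: Device, password: str, transaction: dict) -> bool:
    """Run the full exchange and report whether the server accepted the action."""
    nonce = server.issue_challenge(device.device_id, transaction)
    tag = device.sign(nonce, transaction, password)
    return server.verify(nonce, tag)


def demo() -> dict:
    """Constructed scenario: legitimate, wrong password, replay, tampered amount."""
    server, phone = Server(), Device("phone-1")
    phone.enroll(server, "correct horse")
    tx = {"to": "ACC-12345678", "amount": "100.00", "currency": "EUR"}  # constructed

    ok = authorize(server, phone, "correct horse", tx)
    wrong_pw = authorize(server, phone, "password123", tx)

    nonce = server.issue_challenge(phone.device_id, tx)
    tag = phone.sign(nonce, tx, "correct horse")
    first = server.verify(nonce, tag)
    replay = server.verify(nonce, tag)  # same nonce and tag presented again

    nonce = server.issue_challenge(phone.device_id, tx)
    tag = phone.sign(nonce, dict(tx, amount="9999.00"), "correct horse")
    tampered = server.verify(nonce, tag)  # what was signed differs from what was requested

    return {"ok": ok, "wrong_pw": wrong_pw, "replay_first": first,
            "replay_second": replay, "tampered": tampered}
```

The point of the construction is that the second factor is no longer a code that arrives on the same phone: possession of the enrolled device secret and knowledge of the password are both required to produce a valid tag, and the nonce plus canonical transaction bytes make a captured tag useless for replay or for a different amount. Because the server here holds the same key the device derives, a server-side compromise could forge authorizations; a real deployment would keep an asymmetric key in the phone's hardware-backed keystore and have the server store only the public key.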
You're probably interested in the PCI guidelines for mobile payment. Read this: https://www.pcisecuritystandards.org/documents/Mobile%20Payment%20Security%20Guidelines%20v1%200.pdf