How can I allow a custom mobile application to interact with MultiChain?

+2 votes
My question is about how to have a mobile app interact with a Multichain blockchain.

I know that I can interact with a node using JSON-RPC calls, and I'm able to do this without any problems from localhost (I also understand how and why those RPC calls are restricted to localhost only)

I also know that I can create multiple addresses within a single node/wallet by calling getnewaddress, and by using dumpprivkey in my test environment I can see that each of those addresses has it's own private key stored within the node the address was created from - This is can essentially be used as the concept of multiple wallets within a single node.

One approach I can see, which I'm not convinced is the correct way to go (but could work) is to create an address for each user within one of the nodes, this would mean that node that was setup specifically to control input from the mobile apps would have access to all of the addresses (which in this case i'm treating as individual wallets)

I could put a custom service in-between (running on localhost where the node itself is) that will take requests from the app, and then call the relevant command, for the relevant address ("wallet" in this case). The custom service would then be responsible for controlling who can issue a command that affects which wallet, through some sort of user credential. This should allow me to have multiple distinct users interacting with a node via the additional service layer.

Some issues I see with this are that:

1. The service and node itself are both points of failure that if compromised, ALL users of the mobile app are compromised, as it contains the private keys for every single address.

2. The user doesn't have direct control of their private key because the node itself has this and the user is just authenticating with a username/password or some other mechanism with the service.

Using this in a purely private blockchain between multiple companies this approach could still allow each company to control it's users private keys - Each company would host it's own node and run it's own service in the middle (running locally on the node server), and the user would point the mobile app to the server defined by their company

I can't see off the top of my head a simpler way of achieving this, and if I wanted to ensure each user had control of their private key I would need to have each user run a server with their node and the service layer the app would talk to (The reason I think the service layer would still be needed here is that otherwise RPC would have to be allowed from outside of localhost, by having the service layer the app talks to on the same machine, the actual service layer talks to MultiChain via RPC from localhost, thus not needing to allow calls from anywhere else)

Hopefully I haven't totally missed something here, but if anybody could chime in and offer thoughts on this approach or potential pitfalls that would be appreciated.

I am not looking at exactly how the service layer will authenticate the users, but a username/password controlled by the custom service layer is just an easy example - I'm more interested in thoughts on the general approach of enabling mobile apps to interact.
asked Jul 1, 2016 by anonymous

1 Answer

0 votes

The right answer for this is to have keys generated and held on the end users' mobile wallets, rather than in the node. You can still use nodes to watch what is happening with particular addresses (using the importaddress API) but they won't be in control of the assets owned by those addresses.

We don't currently have an end-to-end solution for this, but you'll find a ton of bitcoin source code and wallets which can be easily adapted to work with MultiChain in this way (since the transaction format and digital signature scheme are identical).

answered Jul 1, 2016 by MultiChain
Will definitely take a look - In general how would mobile wallets submit the transaction to the blockchain? The signing of the transaction would take place on the device but as there is no central location/API to submit to it so it ultimately need to use a node to submit the signed transaction right?

If this is correct that the transaction is ultimately submitted for inclusion via a node is there a way in MultiChain to submit a signed transaction in it's raw format?
If the mobile wallet is behaving like a network node, it can submit it directly via the P2P protocol (see bitcoin SPV wallets for examples). Otherwise there's the sendrawtransaction API in MultiChain.