Backend Integration
Mobile client connected to the entire ecosystem.
We integrate mobile applications with ERP, WMS, CRM and other systems — via REST, GraphQL, WebSocket and legacy protocols.
Why Backend Integration Is Critical¶
A mobile app without backend integration is an isolated island. Value comes from connection — the mobile client reads data from ERP, writes to WMS, syncs with CRM, receives notifications from monitoring. Without quality integration, the mobile app is just a pretty form.
Integration is also the most common source of problems. Slow API, inconsistent contracts, missing error handling, security holes in authentication. We build an integration layer that is fast, secure and resilient to failure.
REST API¶
Standard for most mobile integrations. Simple, predictable, widely supported.
Designing APIs for Mobile Clients¶
Mobile clients have specific requirements that differ from web frontends:
- Minimal payload: Mobile networks are slow and expensive. No unnecessary fields, no nested objects the client doesn’t need. Sparse fieldsets (
?fields=id,name,status). - Pagination: Cursor-based pagination for stable paging when data changes. Offset-based for simpler cases. Page size optimized for mobile UI (20-50 items).
- Caching: ETag and Last-Modified headers. Conditional requests (
If-None-Match,If-Modified-Since). 304 Not Modified saves bandwidth. Cache-Control for explicit TTL. - Compression: Gzip/Brotli for response bodies. For binary data (images, documents) server-side resizing according to required resolution.
API Versioning¶
You can’t update mobile clients all at once — a user might have a version that’s months old. The API must support backward compatibility:
- URL versioning:
/api/v1/orders,/api/v2/orders. Clear, explicit. - Backward-compatible evolution: We add new fields, never remove old ones. Nullable new fields.
- Deprecation policy: Old API version works for at least 6 months. Sunset header informs the client. Analytics shows how many clients are using the old version.
OpenAPI Specification¶
API defined in OpenAPI (Swagger). From a single specification we generate:
- Client code: OpenAPI Generator for Swift and Kotlin — type-safe API client, no manual writing of the network layer
- Documentation: Automatically generated, always up to date
- Mock server: Frontend team develops against the mock API without waiting for the backend
- Contract tests: Verification that the implementation matches the specification
GraphQL¶
When the mobile client needs flexible queries — different screens need different data from the same entities.
When GraphQL Instead of REST¶
GraphQL solves two REST problems:
- Over-fetching: A REST endpoint returns the entire object, the client needs 3 of 20 fields. Mobile network transfers unnecessary data.
- Under-fetching: Order detail requires data from
/orders/{id},/customers/{id},/products/{ids}— three round trips. GraphQL resolves this in one query.
Apollo Client (iOS/Android) with normalized cache. Automatic data deduplication in cache — order detail and order list share the same data. Cache-first policy for instant response, network for updates.
Subscriptions for Real-time¶
GraphQL Subscriptions over WebSocket for real-time data:
- Live tracking (driver location on a map)
- Chat messages
- Status updates (order status changes → UI updates immediately)
- Collaborative features
WebSocket and Real-time Communication¶
For use cases where data flows in real time and polling isn’t enough.
Real-time Communication Architecture¶
Connection lifecycle: 1. Authentication via HTTP (OAuth token) 2. Upgrade to WebSocket with token 3. Heartbeat (ping/pong) for detecting dropped connections 4. Automatic reconnect with exponential backoff 5. Message queue for messages sent during reconnect
Socket.IO vs native WebSocket: Socket.IO adds automatic reconnect, room management, fallback to long-polling. Native WebSocket for lightweight scenarios. Choice depends on complexity.
Use Cases¶
- Live tracking: Driver shares GPS location every 5s. Dispatch sees position on map in real time. Geofencing for automatic notifications.
- Messaging: In-app chat, customer support. Typing indicators, read receipts, delivery status.
- Collaborative editing: Multiple users edit the same document. Operational Transform or CRDT for conflict-free sync.
- Live dashboards: KPI metrics updated in real time. Number of orders, revenue, alert status.
Authentication and Security¶
OAuth 2.0 + PKCE¶
Standard for mobile applications. Authorization Code flow with PKCE (Proof Key for Code Exchange) — more secure than Implicit flow, suitable for public clients (mobile apps can’t safely store client secrets).
Token management: - Access token: short-lived (15-60 minutes), in memory - Refresh token: long-lived, in secure storage (Keychain/Keystore) - Token refresh transparent for users — no repeated login - Biometric authentication for access to the refresh token
Communication Protection¶
- TLS 1.3: All communication encrypted
- Certificate pinning: App accepts only certificates with a specific public key. Protection against man-in-the-middle even when a CA is compromised
- Certificate rotation: Pinning with backup pin for smooth certificate rotation without app update
- Request signing: HMAC signature for critical operations (payments, approvals)
Secure Storage¶
Tokens, credentials and sensitive data never in plaintext:
- iOS: Keychain Services with kSecAttrAccessibleWhenUnlockedThisDeviceOnly
- Android: Android Keystore with hardware-backed keys (StrongBox on supported devices)
- Data encryption: AES-256 for local database with sensitive data
Error Handling and Resilience¶
Mobile networks are unreliable. Integration must be resilient:
- Retry policy: Exponential backoff for transient errors (timeout, 503). Idempotency key for safe retry of mutations.
- Circuit breaker: After repeated failures, circuit breaker stops requests and returns cached data. Recovery probe periodically checks whether the backend is back.
- Graceful degradation: If the backend is unavailable, the app works in offline mode. UI communicates state: “Offline — data may be out of date.”
- Timeout policy: Connect timeout 10s, read timeout 30s, write timeout 30s. Configurable per endpoint.
Technology Stack¶
Networking: URLSession (iOS), OkHttp/Retrofit (Android), Ktor (KMP), Apollo (GraphQL).
Serialization: Codable (Swift), kotlinx.serialization, Protocol Buffers, MessagePack.
Auth: AppAuth (OAuth 2.0 + PKCE), Keychain/Keystore, BiometricPrompt/LocalAuthentication.
Real-time: Socket.IO, Scarlet (Android), Starscream (iOS), native WebSocket.
API design: OpenAPI 3.1, GraphQL SDL, Postman/Insomnia, Pact (contract testing).
Časté otázky
REST for simple CRUD and stable contracts. GraphQL for complex UIs with many relations and variable data requirements. WebSocket for real-time communication. We often combine — REST for CRUD, WebSocket for live updates.
OAuth 2.0 with PKCE flow — the standard for native applications. Refresh token in secure storage (Keychain/Keystore). Biometric authentication for repeated access. Certificate pinning against man-in-the-middle.
Yes. SOAP, XML-RPC, proprietary protocols. We build an API gateway or middleware layer that wraps legacy systems with a modern API. The mobile client communicates only with clean REST/GraphQL.
URL versioning (/v1/, /v2/) for major changes. Backward-compatible evolution for minor changes. Deprecation policy: old version works for at least 6 months after releasing the new one. Feature flags for gradual rollout.