Secure Mobile Financial Services
SB Finance
SohojBank is a fully functional mobile financial services (MFS) prototype built for a client to demonstrate core banking capabilities to potential investors. The app handles real transactional logic — Send Money, Cash Out, Add Money, balance management, and transaction history — all secured with JWT authentication and bcrypt-hashed credentials. The goal was to deliver a polished, investor-ready product that proves the technical viability of the platform before committing to a full-scale launch.
Client
smart tech
Industry
FinTech & Mobile Banking
Scope of work
Security Architecture
API Design
Full-Stack Development

Problem
The client needed a working prototype — not wireframes, not mockups — a fully functional MFS application that investors could interact with live during pitch meetings. The prototype had to demonstrate that the core banking logic (account creation, money transfers, balance deductions, transaction logging) was technically sound and secure enough to build a production platform on top of. Off-the-shelf demo tools couldn't replicate the complexity of real financial transactions with proper validation, atomic operations, and secure session management. The solution had to be built from scratch, fast, and investor-presentable from day one.
Challenge
Building a financial application — even a prototype — demands production-level thinking around security and data integrity. Every money transfer operation needed to be atomic: if a Send Money request deducts from Account A, the corresponding credit to Account B must either both succeed or both fail — partial transactions are not acceptable. Session hijacking, brute-force login attempts, and unauthorized API access had to be addressed from the start, not patched later. On the frontend side, the interface needed to feel like a real banking app — clean, trustworthy, and responsive — because investors judge the product by what they see. Balancing speed of delivery with the rigor expected of financial software was the central challenge.

Solution
The application was built with Angular 19 on the frontend and Node.js + Express.js on the backend, with SQLite as the database layer — chosen deliberately for portability and zero-config deployment during investor demos.

Key technical decisions:

→ JWT-based authentication with token expiry and refresh logic. Every protected API endpoint validates the token before processing — no session is stored server-side, making the system stateless and scalable.
→ bcrypt password hashing with configurable salt rounds, ensuring credentials are never stored in plaintext. Registration and login flows include input sanitization and rate limiting to defend against brute-force and injection attacks.
→ Atomic transaction processing for all money operations — Send Money, Cash Out, and Add Money are wrapped in database transactions. If any step fails (insufficient balance, invalid recipient, network error), the entire operation rolls back cleanly with no partial state.
→ RESTful API design with clearly separated routes for auth, accounts, and transactions. Each endpoint enforces role-based validation and input schema checks before touching the database.
→ Real-time balance updates and paginated transaction history — every transfer, cash-out, and deposit is logged with timestamps, amounts, counterparty details, and status flags for full auditability.
→ Responsive Angular frontend styled for mobile-first interaction — services grid (Add Money, Send Money, Cash Out), live balance display, and a transaction feed that mirrors what users expect from production banking apps like bKash or Nagad.

The result was a prototype that didn't feel like a prototype. The client used it in three investor meetings, and the security architecture and transaction logic held up under live scrutiny — which was exactly the point.


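The atomic Send Money operation and the audited, paginated history, as an added example that is not SohojBank's code. The ledger is an in-memory stand-in for the SQLite tables; its `transaction()` helper plays the role of `BEGIN IMMEDIATE` / `COMMIT` / `ROLLBACK` by snapshotting state and restoring it whenever the work function throws, so a failure after the debit (for instance an unknown recipient) leaves both balances exactly as they were. Account ids, balances and timestamps are constructed; amounts are integers in the smallest currency unit to avoid floating-point drift.

```javascript
// Added example (not SohojBank's code): all-or-nothing transfer over an
// in-memory ledger whose transaction() mimics a database rollback.
// Constructed account ids and amounts (integers, smallest currency unit).

class Ledger {
  constructor(balances) {
    this.balances = new Map(Object.entries(balances)); // accountId -> integer balance
    this.history = [];                                  // append-only transaction log
  }
  // Run fn atomically: if it throws, restore the snapshot taken before it ran.
  transaction(fn) {
    const snapshot = { balances: new Map(this.balances), historyLen: this.history.length };
    try {
      return fn();                              // COMMIT on normal return
    } catch (err) {
      this.balances = snapshot.balances;        // ROLLBACK balances
      this.history.length = snapshot.historyLen; // ROLLBACK log rows written inside
      throw err;
    }
  }
}

function validateAmount(amount) {
  if (!Number.isInteger(amount) || amount <= 0) throw new Error('invalid-amount');
}

// Send Money: debit, log, credit inside one transaction. A failed attempt is
// recorded as a FAILED row only after the rollback, so it is visible in the
// feed but no balance change survives.
function sendMoney(ledger, from, to, amount, timestamp = Date.now()) {
  const entry = { type: 'send', from, to, amount, timestamp, status: 'PENDING' };
  try {
    return ledger.transaction(() => {
      validateAmount(amount);
      if (from === to) throw new Error('self-transfer');
      if (!ledger.balances.has(from)) throw new Error('unknown-sender');
      const fromBal = ledger.balances.get(from);
      if (fromBal < amount) throw new Error('insufficient-balance');
      ledger.balances.set(from, fromBal - amount);   // debit first
      ledger.history.push(entry);
      if (!ledger.balances.has(to)) throw new Error('unknown-recipient'); // debit rolled back
      ledger.balances.set(to, ledger.balances.get(to) + amount);
      entry.status = 'COMPLETED';
      return { from: ledger.balances.get(from), to: ledger.balances.get(to) };
    });
  } catch (err) {
    ledger.history.push({ ...entry, status: 'FAILED', reason: err.message });
    throw err;
  }
}

// Paginated feed for one account, newest first, covering both sides of a transfer.
function transactionHistory(ledger, accountId, page = 1, pageSize = 10) {
  const rows = ledger.history.filter((e) => e.from === accountId || e.to === accountId).reverse();
  return { page, pageSize, total: rows.length, items: rows.slice((page - 1) * pageSize, page * pageSize) };
}
```

With SQLite the same shape is a `BEGIN IMMEDIATE` that takes the write lock up front, the debit and credit `UPDATE`s plus the `INSERT` into the history table, then `COMMIT`, with `ROLLBACK` in the error path; Cash Out and Add Money follow the same pattern with one side of the transfer replaced by the agent or funding account.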
