Session Keys for Simplified Approvals in Mobile Crypto App

TRUETECH is engaged in the development, support and maintenance of iOS, Android, PWA mobile applications. We have extensive experience and expertise in publishing mobile applications in popular markets like Google Play, App Store, Amazon, AppGallery and others.

Complexity: Complex
Timeline: ~3-5 business days

Implementing Session Keys for Mobile Crypto App

Signing every transaction with the main key plus biometrics is correct, but it is unbearable in games, DeFi sessions and payment streaming. Session Keys solve this: a temporary key with limited rights and a TTL signs transactions without a confirmation prompt until the session expires or its limit is reached.

Architecture: ERC-4337 + EIP-7715

Session Keys are implemented at the smart account level (Account Abstraction): the mobile app submits UserOperations instead of sending transactions directly. Stack:

  • permissionless.js or @zerodev/sdk for smart account creation
  • @zerodev/session-key for session management
  • Bundler (Pimlico, Stackup) for UserOperation sending

A session key is an ephemeral secp256k1 keypair generated on the device. The private part is stored in Keychain/KeyStore. The public key, together with its permission policy, is registered in the smart contract via an enableSessionKey UserOperation, signed once by the main key with biometrics.

Permission Policy

A session key is deliberately not all-powerful; that is its main advantage. The policy fixes the validity window, the callable contract and function, and the value limit:

import { parseEther } from "viem"; // converts "0.01" to wei

// sessionKeyWalletClient: wallet client wrapping the ephemeral session keypair
// GAME_CONTRACT_ADDRESS: the only contract this session is allowed to call
const sessionKeyData = await kernelClient.createSessionKey({
  sessionKey: sessionKeyWalletClient,
  validAfter: Math.floor(Date.now() / 1000),        // valid from now (unix seconds)
  validUntil: Math.floor(Date.now() / 1000) + 3600, // 1 hour TTL
  permissions: [
    {
      target: GAME_CONTRACT_ADDRESS,
      functionName: "playRound",      // only this function may be called
      valueLimit: parseEther("0.01"), // max 0.01 ETH per transaction
    },
  ],
});

The contract rejects any UserOperation that exceeds the policy. Even if the session key is compromised, an attacker cannot withdraw all funds; the damage is bounded by the policy.

Storage and Lifecycle on Mobile

The session private key lives in the Keychain under kSecAttrAccessibleWhenUnlockedThisDeviceOnly; no biometric check is needed because the key is policy-limited. The session TTL is shown to the user, e.g. "Session active 45 min of 60". Manual revocation is a revokeSessionKey UserOperation, signed by the main key.

When the app closes, the session key is zeroed in memory, but it remains in the Keychain until the TTL expires or it is explicitly revoked.

Important Considerations

Bundler fees: sending a UserOperation through a Bundler costs gas. For sessions with frequent transactions, use a Paymaster, a smart contract that pays gas on the user's behalf. Integrating Pimlico Verifying Paymaster or Biconomy is a standard task.

A session key cannot be created without internet access, because enableSessionKey must be sent to the network. Cache sessionKeyData locally and reuse it until the TTL expires, without a further network request.

Timeline: 3–5 days, covering the ERC-4337 smart account (if missing), the session keypair, the permission policy, Bundler/Paymaster integration and the session-management UI. If a smart account already exists, 2–3 days.