In the modern era of transportation in urban environment, optimization of traffic is crucial. In the context of Smart Cities, Mobility as a Service (MaaS) is a revolutionary paradigm that offers integrated solutions to enhance urban mobility. The general goal is to develop a single digital hub that allows users to plan, book, and pay for their journeys, as well as gather data about public transport, their occupation, traffic, and other alternative modes of transportation (like e-mobility solutions, car sharing, bike sharing, etc.). In this context, security and privacy of data and infrastructures, are still open issues that may limit full adoption of these applications. In this paper, we propose a reference architecture to improve security in MaaS platforms. We present the initial design process to understand the requirements needed to cover all the characteristics of a MaaS system that defines a reference architecture; later, security analysis will be performed with a risk-based and threats-based approach. Finally, as a Proof of Concept, we will present an implementation of a case study to validate the security of the proposed solution suitable for a secure distributed MaaS application.