 

Security concerns with using Stripe checkout over Cordova

I'm looking into using Stripe.js for payment processing in a mobile web application wrapped in Cordova. According to the Stripe documentation all checkout pages should be served over https. Since Cordova will technically be serving these pages locally in a webview, are there any security concerns I should worry about?

Note: I will still be using https to submit the tokenized card details from Stripe to my remote API server to actually complete the charge.

asked May 20 '14 by TyndieRock



2 Answers

I'm an engineer at Stripe.

Cordova/PhoneGap isn't a platform we actively support with Stripe.js, but after talking it over with the team, we have two suggestions for how to mitigate potential vulnerabilities:

  1. Configure your Domain Whitelist sensibly, to limit the possibility of other scripts maliciously sending payment data to an untrusted third party. You should only need to add https://api.stripe.com to support communicating with Stripe.
  2. Always load the latest version of Stripe.js from our servers, per the Stripe.js documentation. This will ensure that you're always up-to-date with any bugfixes and patches we add to Stripe.js.

Beyond that, I believe your exposure is similar to using Stripe.js in a normal webpage, loaded in-browser.

(I should note that I assume you're using Stripe.js and not Stripe Checkout—the latter would require the https://checkout.stripe.com domain to be added to the domain whitelist, as well.)

answered Nov 15 '22 by James Reggio
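The tokenise-then-charge flow from the question, combined with the two suggestions in the answer above, as an added example that is not part of the question, the answer, or any Stripe code. It assumes Stripe.js v2 loaded at runtime from https://js.stripe.com/v2/, a hypothetical charge endpoint https://api.example.com/charge on the asker's own API, and a placeholder publishable key. One caveat the answer does not spell out: if Stripe.js is loaded from Stripe's servers rather than bundled, the js.stripe.com origin has to be permitted alongside api.stripe.com, otherwise the script request itself is blocked by the whitelist.

```javascript
// Added example (not from the original question or answers). Assumes a Cordova
// app that loads Stripe.js v2 from Stripe's servers, tokenises the card inside
// the webview, and POSTs only the resulting token to a hypothetical endpoint
// https://api.example.com/charge over HTTPS.

// Origins the app is allowed to contact. This list should mirror the Cordova
// whitelist in config.xml: js.stripe.com serves Stripe.js itself, api.stripe.com
// receives the card data during tokenisation, and the last entry is your own API.
const ALLOWED_ORIGINS = [
  'https://js.stripe.com',
  'https://api.stripe.com',
  'https://api.example.com', // assumption: the app's own charge endpoint
];

// Exact-origin match on scheme + host + port. A substring or prefix check would
// accept https://api.stripe.com.evil.example or https://evil.example/?u=https://api.stripe.com
function isAllowedOrigin(url, allowed = ALLOWED_ORIGINS) {
  let parsed;
  try { parsed = new URL(url); } catch (e) { return false; }
  if (parsed.protocol !== 'https:') return false; // plain http: is never acceptable for payment data
  return allowed.includes(parsed.origin);
}

// Raw card fields must never leave the device except inside Stripe's own
// tokenisation call; sending them to your API drags it into PCI scope.
const RAW_CARD_FIELDS = ['number', 'cvc', 'exp_month', 'exp_year', 'card'];

// Throws if a payload destined for your own API carries raw card data.
function assertNoRawCardData(payload) {
  for (const key of Object.keys(payload)) {
    if (RAW_CARD_FIELDS.includes(key)) {
      throw new Error('refusing to send raw card field "' + key + '" to the API');
    }
  }
  return payload;
}

// Builds the charge request body: the token id plus order data, nothing else.
function buildChargePayload(token, amountCents, currency) {
  if (!token || typeof token.id !== 'string' || !token.id.startsWith('tok_')) {
    throw new Error('expected a Stripe token object');
  }
  if (!Number.isInteger(amountCents) || amountCents <= 0) {
    throw new Error('amount must be a positive integer in the smallest currency unit');
  }
  return assertNoRawCardData({ stripeToken: token.id, amount: amountCents, currency: currency });
}

// Loads the current Stripe.js v2 from Stripe's servers at runtime instead of
// bundling a copy in the app, so Stripe's fixes ship without an app update.
function loadStripeJs(doc = document) {
  return new Promise((resolve, reject) => {
    const src = 'https://js.stripe.com/v2/';
    if (!isAllowedOrigin(src)) return reject(new Error('js.stripe.com is not whitelisted'));
    const s = doc.createElement('script');
    s.src = src;
    s.onload = () => resolve(window.Stripe);
    s.onerror = () => reject(new Error('failed to load Stripe.js'));
    doc.head.appendChild(s);
  });
}

// Wraps the Stripe.js v2 callback API: the card details go directly from the
// webview to api.stripe.com and only the token object comes back to app code.
function tokenizeCard(stripe, card) {
  return new Promise((resolve, reject) => {
    stripe.card.createToken(card, (status, response) => {
      if (response.error) reject(new Error(response.error.message));
      else resolve(response);
    });
  });
}

// Sends the token to your API; refuses any URL that is not HTTPS and whitelisted.
function postCharge(apiUrl, payload, fetchImpl = fetch) {
  if (!isAllowedOrigin(apiUrl)) throw new Error('charge endpoint is not in the whitelist');
  return fetchImpl(apiUrl, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(payload),
  });
}

// End-to-end flow as the app would call it (not executed in this file).
async function checkout(card, amountCents) {
  const stripe = await loadStripeJs();
  stripe.setPublishableKey('pk_test_PLACEHOLDER'); // assumption: your publishable key
  const token = await tokenizeCard(stripe, card);
  const payload = buildChargePayload(token, amountCents, 'usd');
  return postCharge('https://api.example.com/charge', payload);
}
```

The entries in ALLOWED_ORIGINS correspond to `<access origin="..."/>` lines in config.xml; the JavaScript check is defence in depth on top of that whitelist, not a substitute for it, because a script that is already running in the webview can bypass any check written in JavaScript. The whitelist and a Content-Security-Policy meta tag are what actually stop a rogue script from posting card data elsewhere.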


I posted an answer related to this in a similar question. If you control a custom API, give it https protection and send your whole checkout form down into an iframe (source set to your API endpoint).

Then use a plugin like Cordova-HTTP for SSL pinning, and you should be more secure!

Original answer: Implement Stripe Payment Gateway in Cordova/Phonegap Application

answered Nov 15 '22 by wswoodruff
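The SSL pinning part of the answer above, as an added example that is not part of the answer or of the plugin's own code. It wraps the cordova-HTTP plugin so that the request carrying the Stripe token is only ever sent once pinning has been enabled, and is dropped otherwise. The call signatures used (`enableSSLPinning(enable, success, failure)` and `post(url, params, headers, success, failure)`) are those documented for the wymsee cordova-HTTP plugin; check them against the version you install. The endpoint https://api.example.com/charge is an assumption, and the plugin expects the server certificate to be bundled under www/certificates/.

```javascript
// Added example (not from the original answer): fail-closed wrapper around the
// cordova-HTTP plugin so that payment data is only sent with certificate
// pinning active. Assumes the plugin's enableSSLPinning and post signatures and
// that the API's certificate is bundled under www/certificates/.

// Whether pinning has been switched on in this process; there is no need to
// repeat the native call before every request.
let pinningEnabled = false;

function isHttpsUrl(url) {
  try { return new URL(url).protocol === 'https:'; } catch (e) { return false; }
}

// Sends `params` to `url` through the native HTTP layer with pinning enforced.
// `http` is the plugin object (window.cordovaHTTP at runtime), passed in so a
// fake can stand in for it in tests. If pinning cannot be enabled, onError is
// called and no request is made.
function pinnedPost(http, url, params, headers, onResult, onError) {
  if (!isHttpsUrl(url)) {
    return onError(new Error('refusing to send payment data over a non-https URL: ' + url));
  }
  const send = () => http.post(url, params, headers, onResult, onError);
  if (pinningEnabled) return send();
  http.enableSSLPinning(
    true,
    () => { pinningEnabled = true; send(); },
    (err) => onError(new Error('could not enable SSL pinning, request not sent: ' + err))
  );
}

// Charge with a Stripe token via your own API (endpoint is an assumption).
// Only the token id and order data travel in the request body.
function chargeWithPinning(http, tokenId, amountCents, onResult, onError) {
  return pinnedPost(
    http,
    'https://api.example.com/charge',
    { stripeToken: tokenId, amount: amountCents },
    {}, // add your API's authentication header here
    onResult,
    onError
  );
}
```

Pinning is only worth the maintenance if the app also refuses to fall back when it cannot be enabled, which is why the wrapper reports an error instead of sending unpinned; plan for certificate rotation, since an app shipped with a pinned certificate stops working the day the server's certificate changes.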