Security concerns with using Stripe checkout over Cordova

Question

I'm looking into using Stripe.js for payment processing in a mobile web application wrapped in Cordova. According to the Stripe documentation all checkout pages should be served over https. Since Cordova will technically be serving these pages locally in a webview, are there any security concerns I should worry about?

Note: I will still be using https to submit the tokenized card details from Stripe to my remote API server to actually complete the charge.

Answer 1

I'm an engineer at Stripe.

Cordova/PhoneGap isn't a platform we actively support with Stripe.js, but after talking it over with the team, we have two suggestions for how to mitigate potential vulnerabilities:

1. Configure your Domain Whitelist sensibly, to limit the possibility of other scripts maliciously sending payment data to an untrusted third party. You should only need to add https://api.stripe.com to support communicating with Stripe.
2. Always load the latest version of Stripe.js from our servers, per the Stripe.js documentation. This will ensure that you're always up-to-date with any bugfixes and patches we add to Stripe.js

Beyond that, I believe your exposure is similar to using Stripe.js in a normal webpage, loaded in-browser.

(I should note that I assume you're using Stripe.js and not Stripe Checkout—the latter would require the https://checkout.stripe.com domain to be added to the domain whitelist, as well.)

Answer 2

I posted an answer related to this in a similar question. If you control a custom API, give it https protection and send your whole checkout form down into an iframe (source set to your API endpoint).

Then use a plugin like Cordova-HTTP for SSL pinning, and you should be more secure!

Original answer: Implement Stripe Payment Gateway in Cordova/Phonegap Application