
Handling credit cards and IOS

I am using an NSUrlConnection asynchronous request to transmit credit card information to a secure third party server.

I do the following:

  1. I get the credit card number, cvv, etc. from the uitextfields.
  2. Encode the credit card information into a json format. Set it as the HTTP body of the NSURLConnection request as follows:

     NSError *parseError = nil;
     // Card fields read from the text fields; remaining values were elided in the post
     NSDictionary *params = @{@"creditCardNumber": @"4242....", @"cvv": @"455"};
     NSURL *url = [NSURL URLWithString:@"https://www.example.com"];
     NSMutableURLRequest *request = [[NSMutableURLRequest alloc] initWithURL:url];
     [request setHTTPMethod:@"POST"];
     [request setValue:@"application/json" forHTTPHeaderField:@"Accept"];
     [request setValue:@"application/json" forHTTPHeaderField:@"Content-Type"];
     [request setHTTPBody:[NSJSONSerialization dataWithJSONObject:params
                                                          options:kNilOptions
                                                            error:&parseError]];
  3. Send this information via asynchronous request to a secure third party server:

      NSOperationQueue *queue = [NSOperationQueue mainQueue];
      [NSURLConnection sendAsynchronousRequest:request
                                         queue:queue
                             completionHandler:^(NSURLResponse *response, NSData *data, NSError *requestError) {
          // handle the server response here (handler body was elided in the post)
      }];

What should I be considering when sending user credit card information to a third party server using an nsurlconnection asynchronous request?

Is this the right way to send credit card information from a mobile app?

What can I do to prevent a man-in-the-middle attack?

Depending on what you are doing you may need to comply with a standard like PCI, PADSS, etc.

Besides communicating over HTTPS, the general flow of hardening against man-in-the-middle attacks involves:

  • Do not store any details on the device. Storing in RAM is ok.
  • The back-end instructs you to use one of many pre-fetched public encryption keys. Each key is associated with an id. You will fetch the key that it instructs you to use from your local store. You will create a hash of your data using that key. And then send to the back-end.

For encryption, I recommend checking out the CocoaSecurity project. It wraps some of the lower level APIs making them easier to "digest" (excuse the pun).

Your request looks good, just make sure you are accessing via https and not http. This means your server must support https.

Assuming you have some kind of secure authentication scheme in place for your web service, you've at least cleared the basics. Your biggest weakness is HTTPS. Especially in the mobile world, HTTPS is easily penetrated. I know that sounds a bit paranoid, but you have to think that way to stay ahead.

The next step would be to apply an additional level of encryption to the payload of the request. Blowfish would be a simple and easy way to encrypt the payload.
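The question asks how to stop a man-in-the-middle on the card upload; the concrete control on iOS is to pin the server certificate in the NSURLConnection delegate, so that an interposed certificate is rejected even when it chains to a trusted CA. This is an added example, not code from the question or any of the answers; the CardUploader class, the SHA256Hex helper and the kPinnedCertSHA256 value are assumptions, and the digest is a placeholder to replace with the real server certificate's digest.

```objectivec
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <CommonCrypto/CommonDigest.h>

// PLACEHOLDER (assumption): hex SHA-256 of the DER-encoded leaf certificate the
// payment server presents; replace with the digest of the real certificate.
static NSString * const kPinnedCertSHA256 = @"<sha256-hex-of-server-cert-der>";

// Hex SHA-256 of arbitrary bytes, used to compare the presented cert against the pin.
static NSString *SHA256Hex(NSData *data) {
    unsigned char digest[CC_SHA256_DIGEST_LENGTH];
    CC_SHA256(data.bytes, (CC_LONG)data.length, digest);
    NSMutableString *hex = [NSMutableString string];
    for (int i = 0; i < CC_SHA256_DIGEST_LENGTH; i++) [hex appendFormat:@"%02x", digest[i]];
    return hex;
}

@interface CardUploader : NSObject <NSURLConnectionDelegate>
@end

@implementation CardUploader

// Invoked for the TLS handshake: system chain validation first, then the pin check.
- (void)connection:(NSURLConnection *)connection
willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
        return;
    }
    SecTrustRef trust = space.serverTrust;
    SecTrustResultType result = kSecTrustResultInvalid;
    BOOL chainOK = SecTrustEvaluate(trust, &result) == errSecSuccess &&
                   (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);
    BOOL pinOK = NO;
    if (chainOK && SecTrustGetCertificateCount(trust) > 0) {
        SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
        NSData *der = CFBridgingRelease(SecCertificateCopyData(leaf));
        pinOK = [SHA256Hex(der) isEqualToString:kPinnedCertSHA256];
    }
    if (chainOK && pinOK) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:trust]
             forAuthenticationChallenge:challenge];
    } else {
        // Certificate is not the expected one: abort before any card data is sent.
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}

@end
```

Start the request with [NSURLConnection connectionWithRequest:request delegate:[CardUploader new]] rather than sendAsynchronousRequest:, which offers no delegate hook for the challenge. Update the pinned digest before the server's certificate rotates, or the app will refuse to connect.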
