简体繁体 English

在应用程序中保护信用卡交易

[英]Secure Credit Card transactions in app

原文 2012-08-17 12:52:23 6 2 android/ security/ credit-card

I want to be able to sell products (via credit card) to people using my app. 我希望能够（使用信用卡）向使用我的应用的用户销售产品。 It's easy enough to put some EditTexts in and get them to give me their details but the issue is security of course. 放入一些EditText并使其详细信息很容易，但是问题当然是安全性。 What is a good way to go about doing secure credit card transactions in app? 在应用中进行安全的信用卡交易的最佳方法是什么？

My Big Concern - Someone else makes a fake app that looks the same, with the same icon and app name and gets potential users to download their fake app and steal their credit card information. 我的大关注点 -有人制作了一个外观相同，图标和应用名称相同的假应用，并吸引潜在用户下载其假应用并窃取其信用卡信息。 (Can people maybe even have the same developer account name?) （人们甚至可以使用相同的开发者帐户名称吗？）

What I know so far - The package names of apps served off Google Play are unique so a user could identify if the package name is not what it should be. 到目前为止，我所知道的-Google Play提供的应用程序的软件包名称是唯一的，因此用户可以识别软件包名称是否与实际名称不符。 This isn't a good solution for the typical user though. 对于一般用户而言，这不是一个好的解决方案。

I'm not planning on storing the credit card details or anything. 我不打算存储信用卡详细信息或其他任何信息。 I just want to be able to do once-off card transactions securely. 我只希望能够安全地进行一次性信用卡交易。 Any advice would be super welcome and receive much upvoting. 任何建议都将受到极大欢迎，并会收到很多反对。

2 个解决方案

All you need to do is be able to work with Authorize.Net's, or any payment gateways, API to make payment. 您需要做的就是能够与Authorize.Net或任何付款网关的API配合使用进行付款。

Authorize.Net - Android SDK Authorize.Net- Android SDK

Boku Mobile Billing Boku行动帐单

Since you stated that you would be selling products to users using your apps I'm assuming you will have the user details stored somewhere in a database yea? 既然您说过将使用您的应用程序向用户销售产品，我假设您会将用户详细信息存储在数据库中，是吗？ Moreover, you will have some sort of authentication using a username and a password so this means that even if someone else makes the exact same app as you did they will not have the user's username and password (assuming you hash your usernames and their passwords) or the real name of the user which he/she provided during sign-up into your app. 此外，您将使用用户名和密码进行某种身份验证，因此这意味着即使其他人使用与您完全相同的应用，他们也不会拥有用户的用户名和密码（假设您对用户名和密码进行了哈希处理）或他/她在注册到您的应用期间提供的用户的真实姓名。 Even if the hackers are smart and just use a dummy login page, ie irrespective of the username and password entered you are logged in I'm sure users will be wary if they don't see a message saying "Hi X (real name of the user)" when they sign into your app (provided you have some functionality where you display the user's real name when they are signed into the app, this is pretty easy to implement). 即使黑客很聪明，只是使用一个虚拟的登录页面，即不管输入的用户名和密码如何，您都可以登录。我敢肯定，如果用户看不到“ Hi X（真实姓名为用户）”（前提是您具有一些功能，可以在用户登录应用时显示其真实姓名，因此非常容易实现）。 Having said all this, I haven't heard of a case where someone duplicated an entire app (which is no mean feat if you make a sophisticated app) simply to steal user's information. 说了这么多，我还没有听说有人复制整个应用程序（如果您制作复杂的应用程序，这绝非易事）只是为了窃取用户信息。

Regarding the issue of securely accepting credit card information from users and charging it, one of the most trusted, industry-accepted and secure way of accepting user details is using Stripe.com . 关于安全地接受用户的信用卡信息并对其收费的问题， Stripe.com是接受用户详细信息的最受信任，行业认可和安全的方法之一。 What's more is that they have a nice RESTful API through which you can make calls and charge the requisite amount from a user's credit card in the safest manner possible. 更重要的是，它们具有良好的RESTful API，您可以通过它以最安全的方式拨打电话并从用户的信用卡中收取必要的费用。 The advantage of this is that you don't have to store the credit card information anywhere and simply use it once to make a call to the Stripe API (which is available in Java btw). 这样做的好处是您不必将信用卡信息存储在任何地方，只需使用一次即可调用Stripe API（Java btw中提供）。