Stripe payment gateway in android

Question

I am integrating Stripe in my android application. I have found two issues and I am stuck.

First (and major) issue is - I have got token key from the card information. But when I tried to make my first charge, it shows error in following line.

Stripe.apiKey = "sk_test_0000000000000";

I have googled also but couldn't find any solution.

Creating Stripe Customer - cannot resolve symbol apiKey

I have even seen this kind of question too. But I failed to understand its solution.

Following is my code for making charge:

    final String publishableApiKey = BuildConfig.DEBUG ?
            "pk_test_000000000000000000" :
            //"sk_test_00000000000000000000000" :
            getString(R.string.com_stripe_publishable_key);

    final TextView cardNumberField = (TextView) findViewById(R.id.cardNumber);
    final TextView monthField = (TextView) findViewById(R.id.month);
    final TextView yearField = (TextView) findViewById(R.id.year);
    TextView cvcField = (TextView) findViewById(R.id.cvc);

    Card card = new Card(cardNumberField.getText().toString(),
            Integer.valueOf(monthField.getText().toString()),
            Integer.valueOf(yearField.getText().toString()),
            cvcField.getText().toString());

    Stripe stripe = new Stripe();
    stripe.createToken(card, publishableApiKey, new TokenCallback() {
        public void onSuccess(Token token) {
            // TODO: Send Token information to your backend to initiate a charge
            Toast.makeText(
                    getApplicationContext(),
                    "Charge Token created: " + token.getId(),
                    Toast.LENGTH_LONG).show();


            /*make a charge starts*/

            // Set your secret key: remember to change this to your live secret key in production
            // Create the charge on Stripe's servers - this will charge the user's card
            Stripe.apiKey = "sk_test_0000000000000000000000";
            try {
                Map<String, Object> chargeParams = new HashMap<String, Object>();
                chargeParams.put("amount", 100); // amount in cents, again
                chargeParams.put("currency", "usd");
                chargeParams.put("source", token.getId());
                chargeParams.put("description", "Example charge");

                Charge charge = Charge.create(chargeParams);
                System.out.println("Charge Log :" + charge);
            } catch (CardException e) {
                // The card has been declined
            } catch (APIException e) {
                e.printStackTrace();
            } catch (AuthenticationException e) {
                e.printStackTrace();
            } catch (InvalidRequestException e) {
                e.printStackTrace();
            } catch (APIConnectionException e) {
                e.printStackTrace();
            }

            /*charge ends*/
        }

I have tried these code from different examples. I followed Stripe doc too.

But I got this error:

com.stripe.exception.AuthenticationException: No API key provided. (HINT: set your API key using 'Stripe.apiKey = '.

Second Issue is - about validation. If I am entering my own card details, and if I write wrong cvv number. It still generates token key.

I have already implemented validation of fields using Stripe's official doc. I don't know how to validate it with real time data.

Solution for the First Issue:

 com.stripe.Stripe.apiKey = "sk_test_xxxxxxxxxxxxxxxxxxx";
                        try {
                            final Map<String, Object> chargeParams = new HashMap<String, Object>();
                            chargeParams.put("amount", 500); // amount in cents, again
                            chargeParams.put("currency", "usd");
                            chargeParams.put("source", token.getId());
                            chargeParams.put("description", "Example charge");
                            new Thread(new Runnable() {
                                @Override
                                public void run() {
                                    Charge charge = null;
                                    try {
                                        charge = Charge.create(chargeParams);
                                    } catch (AuthenticationException e) {
                                        e.printStackTrace();
                                    } catch (InvalidRequestException e) {
                                        e.printStackTrace();
                                    } catch (APIConnectionException e) {
                                        e.printStackTrace();
                                    } catch (CardException e) {
                                        e.printStackTrace();
                                    } catch (APIException e) {
                                        e.printStackTrace();
                                    }
                                    System.out.println("Charge Log :" + charge);
                                }
                            }).start();

                        } catch (Exception e) {
                            e.printStackTrace();
                        }

Answer 1

Stripe's Android bindings only let you tokenize card information. Once the token has been created, it must be sent to an external server where you can use it in API requests.

You cannot use the token directly from the app as the app must never have access to your secret key, where it could easily be extracted by an attacker who would then have access to your account.

Re. your second question, the card isn't validated with the bank when the token is created (there are still some basic sanity checks, such as checking the number of digits, the fact that the expiry date is in the future, etc.). It is only when you use the token in a server-side API request that the card will be checked with the bank.