I'm building a flutter app where I will be taking a users' card details and tokenizing them. Currently, the API key for my payment provider is in the client app. The reason for this is to prevent having to send the credit card details to my server and then sending them to the payment provider. All in the name of PCI compliance.
It is however, ubiquitously stated, that you never want to store any API Keys in the client app which I understand. The question is, what's the best way to go about this? My instincts say to move the API key to the server, and just send the card details once for the tokenization. However, is this making the road to PCI compliance harder?
Any guidance on this would be appreciated.
Thanks
CodePudding user response:
you should implement a private/public key approach.. where server and client both have only one key so neither one or the other can do nothing if not paired.
or try to give a look to jwt token api validation
CodePudding user response:
Three things can be done here.
Use RemoteConfig to store all your config infos. And, store it in Flutter Secure Storage. Con: RemoteConfig is only fetched on App start.
Authenticate user first using JWT Token, then send the required data for user in the token itself. Con: User must be authenticated first to receive data.
Authorize the user with permissions. So, that both authentication and authorization are handled and nothing needs to be done without a key.
The #3 is the apporach we are using now. Of, course you can also use OpenIDConnect protocols to bring apps, servers and clients under one ecosystem too.
In all of these cases, the one holding the physical device will always have access to your servers after authenticated. Make sure to check for device id during the access. In the end, user can still fake all of this except for authorized details.