secure public facing wallet API accessed by mobile devices

Question

I am implementing a public mobile wallet application where user can add his own card, like Android Pay, or Samsung Pay on Android device.

The standard way how these applications are initially working is following:

Open wallet app
Tap on add new card
Provide information like PAN and expiry date
Validate against one time code
Use the app for payment

Ther is initially no authentication so I assume that the application must be communicating to some public API.

So how are these APIs secured? I would like to avoid accessing the API by anyone to prevent DoS attacks and similar.

If the application contains some keys, then they are provided in a application package and can be restored by reverse engineering. When is the application initially installed from Google Play, how it can secure public API to not be accessible for everyone without user authentication before adding card data?

Have you looked at any of the docs from Apple or Google about how they implement their payment services? — schroeder, Feb 26 '18 at 21:03
I was trying to find some information about it but it seems that this is not written anywhere... — user1563721, Feb 26 '18 at 21:05
"google pay api" returns: https://developers.google.com/android/reference/com/google/android/gms/wallet/package-summary — schroeder, Feb 26 '18 at 21:07
but there is no mention about securing their sommunication APIs — user1563721, Feb 26 '18 at 21:25
The initial API probably *is* public, and authenticated once an account is established. — David, Feb 26 '18 at 22:50

J.A.K. · Accepted Answer · 2018-03-29T23:21:29.633

I would like to avoid accessing the API by anyone to prevent DoS attacks and similar.

You need to negotiate a key to authenticate, so both the secure part and the part before that are exposed. The secure part only processes transactions if you're registered and have a token. Also DoS is not your main concern, people stealing the money are. DoS by unauthenticated users is mainly protected against on a network level.

If the application contains some keys, then they are provided in a application package and can be restored by reverse engineering.

Yes, that is why your payment token is not put in the application, just the identity of the payment server, and you can download a copy of the application without canging the key everytime. You will receive a token from the API. Your authentication will probably be done with asymmetric encryption and key negotiation schemes so you can safely agree to a key online. Look into Diffie-Hellman to get a feel for this.

I highly encourage you to use an external service (like Google / Apple pay) if authentication mechanisms are a new thing for you. It is very important that the money of the people using it is secure, and there's a lot that could go wrong.

secure public facing wallet API accessed by mobile devices

1 Answers1