I am implementing a public mobile wallet application where user can add his own card, like Android Pay, or Samsung Pay on Android device.
The standard way how these applications are initially working is following:
- Open wallet app
- Tap on add new card
- Provide information like PAN and expiry date
- Validate against one time code
- Use the app for payment
Ther is initially no authentication so I assume that the application must be communicating to some public API.
So how are these APIs secured? I would like to avoid accessing the API by anyone to prevent DoS attacks and similar.
If the application contains some keys, then they are provided in a application package and can be restored by reverse engineering. When is the application initially installed from Google Play, how it can secure public API to not be accessible for everyone without user authentication before adding card data?