I am working on a mobile ticketing application. The system allows users to pay for goods using a third-party api (CardIO), storing all the information on my server, sitting happily in the cloud.
The problem boils down to: Since (1) the payment process takes place completely on the phone, and (2) there is no API that allows my server to check with the payment processor that the payment has really arrived, Iβm wondering what is the best way to verify that the user really paid per item before marking it as paid in my database on my server.
You see, a user can make my api calls manually, log in to his account, and then send a command to my server to mark the purchase as paid, without paying for it.
So, the question is: How can I confirm that the payment occurred either on my server, or through some kind of handshake or encryption using a mobile application?
My current approach: I send the plaintext information needed when calling SSL (HTTPS) to the server. Along with this, I send a hash of this string and check, using the same algorithm on my server, that the sent string matches the hash. The idea is that I could use some secret key to generate this hash, and then check that the plain text matches the hash on the server, and also so that nothing changes. My problem with this solution is that I donβt think itβs really safe ... Someone can quite easily hack the algorithm because they are given encryption and plain text.
Thanks for watching!
Stephen
android security php design-patterns web-services
Stephen
source share