Judopay Documentation

Securing your Mobile App

To build a secure mobile app:

Android: values placed in strings.xml are stored in clear text.

This is extremely vulnerable from a security perspective.

iOS: best practice is to store credentials in the Keychain.

Data stored there is protected by the system and is only available to the vendor's own apps.

Your Credentials

Your Judopay credentials allow you to perform transactions, so it is vitally important you protect them from falling into the wrong hands.

In general, it is relatively easy to decompile an app and recover its source code.

Credentials and other hard-coded strings embedded in the app can be extracted just as easily, so we recommend that you do not paste your credentials directly into the code:

Judo judo = new Judo.Builder()
    .setApiToken("xxxxxxxxxxxxxxxxxx")
    .setApiSecret("xxxxxxxxx")
    .setEnvironment(Judo.SANDBOX)
    .build();

We recommend you define a set of variables in an unrelated part of the application and pass the variables into the initialization.

The variable names will be obfuscated (assuming you use an obfuscation tool):

Judo judo = new Judo.Builder()
    .setApiToken(token)
    .setApiSecret(secret)
    .setEnvironment(Judo.SANDBOX)
    .build();

To further enhance security, we recommend:

  • Define several variables for both the token and the secret.

  • Split these values into several parts, which helps the obfuscation process.

This makes it harder for a human to understand the importance of the variables.

It is also recommended to define the variables in various locations in your app, to make them as hard as possible to piece together:

var tokenPart1 = "xxxxxxxx";
var tokenPart2 = "xxxxxxxxxxxxx";
var tokenPart3 = "xxxxxxx";
var secretPart1 = "xxxxxxxxxxxxx";
var secretPart2 = "xxxxxxx";
initialiseJudo(tokenPart1 + tokenPart2 + tokenPart3, secretPart1 + secretPart2);

Code Security

Code obfuscation is the act of making source code difficult for a human to read.

Whilst it is not impossible to reverse engineer obfuscated code, the goal is to make it difficult or economically infeasible.

Android

We recommend all Android apps are obfuscated.

In your app:

  • Open the build.gradle file for your app module.

  • Add: minifyEnabled true

  • Enable the default rules file: proguardFiles getDefaultProguardFile('proguard-android.txt')

iOS

Generally iOS apps are well protected, as the code is compiled into machine code before the app is released to the Apple App Store.

Machine code contains less metadata than bytecode, making decompilation significantly harder, so code obfuscation is not usually required.

Communicating with your Server

In line with industry best practice, we recommend you use TLS 1.2 for all communications between your app and your server.

It is possible for an attacker to add or override a CA certificate on a device and therefore intercept the app's communications.

In order to prevent this type of man-in-the-middle attack, we recommend using certificate pinning.

Android

We recommend using the OkHttp and Retrofit libraries for communicating with your server.

This simplifies the networking layer of your app and supports SSL pinning out of the box. 

To enable SSL pinning, provide the certificate details when constructing the OkHttp instance:

OkHttpClient client = new OkHttpClient.Builder()
        .certificatePinner(new CertificatePinner.Builder()
                .add("example.com", "sha256/afwiKY3RxoMmLkuRW1l7QsPZTJPwDS2pdDROQjXw8ig=")
                .build())
        .build();
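The "sha256/..." value above is the base64-encoded SHA-256 of the server certificate's DER-encoded SubjectPublicKeyInfo, not of the whole certificate. The following Python is an added example, not Judopay's or OkHttp's code, showing how that pin is derived; it walks the DER structure with a small TLV parser and, so that it runs offline, builds a constructed, unsigned certificate with made-up Ed25519 key bytes.

```python
# Added example (not Judopay's code): compute the OkHttp "sha256/<base64>" SPKI pin
# with a minimal DER walker. Stdlib only; the certificate below is constructed.
import base64, hashlib

def der_len(n: int) -> bytes:  # DER length: short form below 128, else long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:  # encode one DER element
    return bytes([tag]) + der_len(len(body)) + body

def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, end) for the DER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    return tag, buf[start:start + length], start + length

def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw DER SubjectPublicKeyInfo, the bytes the pin is computed over."""
    _, cert_body, _ = parse_tlv(cert_der)   # Certificate SEQUENCE
    _, tbs, _ = parse_tlv(cert_body)        # tbsCertificate SEQUENCE
    fields, pos = [], 0
    while pos < len(tbs):                   # collect tbsCertificate's top-level fields
        tag, _, end = parse_tlv(tbs, pos)
        fields.append((tag, tbs[pos:end]))
        pos = end
    if fields[0][0] == 0xA0:                # skip optional [0] EXPLICIT version
        fields.pop(0)
    return fields[5][1]  # serial, signature, issuer, validity, subject, SPKI

def spki_pin(cert_der: bytes) -> str:
    """OkHttp pin string: base64(sha256(DER SPKI)) with the 'sha256/' prefix."""
    return "sha256/" + base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def build_test_cert(pubkey: bytes) -> bytes:
    """Constructed, unsigned X.509-shaped DER carrying an Ed25519 SPKI (test data)."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2b6570")))  # AlgorithmIdentifier 1.3.101.112
    spki = tlv(0x30, alg + tlv(0x03, b"\x00" + pubkey))
    name, validity = tlv(0x30, b""), tlv(0x30, tlv(0x17, b"240101000000Z") * 2)
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + alg + name + validity + name + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 65))
```

Against a real server, pass the DER bytes of its certificate (for example ssl.get_server_certificate converted with ssl.PEM_cert_to_DER_cert) and pin a backup key alongside the current one, so that a certificate rotation does not lock users out of the app.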

iOS

Example of iOS SSL pinning:

API Application Permissions

For security, only enable the absolute minimum permissions required for your mobile app and your backend. 

Follow the Set Permissions instructions to ensure you are set up correctly.


Security Updates

Platform libraries are updated every few weeks, so we recommend that you monitor these releases for major security updates:

  • https://developers.google.com/android/guides/releases

  • https://security.googleblog.com/

  • https://support.apple.com/en-gb/HT201222

We recommend you publish a new version of your app after each major security release, or at least once every 6 months.

Updating the Judopay SDK is also recommended on the same schedule: we update our code in line with the latest security updates, so it is important that you stay up to date.

Follow the setup instructions for integrating the latest mobile SDKs:

  • Android

  • iOS Swift

  • iOS Objective-C

Additional Steps

  • App Permissions on Android Devices 

    The Judopay SDKs do not require any specific permissions, but if you enable certain permissions on Android we are able to extract more information from the device to use in fraud detection and prevention.

    In the Android manifest, add the read phone state permission:

<uses-permission android:name="android.permission.READ_PHONE_STATE" />

  • PCI-DSS Scope - Building your UI

    If you are building your own app checkout UI, you are handling card details and will fall within the full scope of the PCI-DSS compliance rules.