encryption with Crypto or Base64

Is there a way to encrypt a form data from react native that can be decrypted on the server side with PHP?

I’m currently developing an app with Expo that will deal with credit cards and the payment processing company I intend to use doesn’t offer any tokenizations on the client side. Therefore, I have to offer some kind of encryption at the app level in order to be PCI compliant.

Will it be possible to use Crypto with Expo? Or maybe base64?

Thanks for your help!

Please note: Base64 is absolutely not encryption.

I don’t have any experience with PCI but maybe one of these links will help.

https://www.google.com/search?q=javascript+asymetric+encryption

Just bear in mind that you don’t want to use anything that requires you to store a password in the app where someone could extract it, so I imagine asymmetric/public key crypto is probably what you’re looking for.

But isn’t https sufficient?

My hope was that I could offer https + base64 to get our PCI level 1.

Apparently, SSL is not sufficient or secure enough when it comes to sending credit card details. That’s probably why Stripe and some others are suggesting tokenizing on the client side.

Back to base64, the idea was to use a unique key to generate an encoded string of the credit card info.

What about Crypto (crypto-js - npm)? Can I implement it with Expo?

My concern is that base64 has nothing to do with encryption. After something is encrypted it can be base64 encoded to turn it into text instead of binary data, but the base64 encoding is not encryption.

EDIT:

I think it should be possible to use crypto-js in an Expo app, but it looks like it implements only (symmetric) AES encryption, and so it seems it would need you to hard code a password in your app. Someone would be able to extract the password from your app. See the “secret key 123” below.

// Encrypt (crypto-js; the passphrase below ends up hard coded in the app bundle)
var CryptoJS = require('crypto-js');
var ciphertext = CryptoJS.AES.encrypt('my message', 'secret key 123');

What if I fetch the unique secret key from the users database? The risk here is to expose the raw data and have someone intercept the communication between the app and our server, right? Even if that someone breaks into the app, he (or she - let’s not roll out that gender will ya) will have to know the secret key that is stored in our database in order to do what…? We are not even storing the credit card details anyway. Right?

EDIT 1:
Will that solution work with Expo?

EDIT 2:
I think that guy may be right (comment found on stackoverflow):

The easiest fix to all these problems is to avoid having to implement any cryptography yourself (it is strongly discouraged anyway without a wide knowledge of the subject). Can you instead transmit your sensitive information over https which will use TLS (formerly called SSL) to encrypt and authenticate the channel?

That stackoverflow comment is what I meant by “isn’t https sufficient”.
