
I have made an iPhone app for users to book hotel rooms. A third party provides the service for booking the hotel rooms and charging the credit cards. At the moment, my app makes no attempt to save credit card information. It simply sends the credit card info to the third party provider when the user wishes to book a room. But I would like to save the credit card info so that the user doesn't have to repeatedly type it in.

If I build a RESTful API that stores credit card data, is it prudent to secure this with OAuth rather than Basic Authentication? I could use OAuth provided by Google, Facebook, Twitter, etc so that users just "Sign in with whoever".

From a technical perspective, I have read that OAuth is more secure than Basic Authentication. Is this true?

It's worth mentioning that I will likely use Google App Engine for the backend. As App Engine has recently become PCI DSS compliant, this should be fine. And of course App Engine uses SSL. So I really only need to make sure that my app is authenticating properly, hence this question.

waynemystir
  • "So I really only need to make sure that my app is authenticating properly" – not so. You have to make sure a hacker can't read the credit cards even if he gets into your database. – Zig Mandel Oct 20 '15 at 13:12
  • Very good point @ZigMandel. I had assumed that a Google Cloud Datastore would implement its own encryption. But I don't know their internals. Is this something I should do on my own then? – waynemystir Oct 20 '15 at 14:19
  • You need to read quite a bit more about security before jumping to this task. Think about all the machines you have saved your Google password on. Think about what happens if your Google account gets hacked. It's not relevant that Datastore encrypts the data; it's trivially accessible to your hacked account. Solve that. – Zig Mandel Oct 20 '15 at 14:23
  • Many thanks @ZigMandel. What if I further encrypted each record? For example, I could concatenate the unix time that the user last authenticated with some other information. Then I could hash that concatenated value with SHA-512 or MD5 or something. – waynemystir Oct 21 '15 at 14:16
  • It's too broad to discuss here. Hashing does not apply, since you need to get back the CC number later, not just compare as with passwords. Encryption is fine, but consider how to secure the encryption key itself and how to properly encrypt (padding small data and such). For example, keep the encryption key directly in the source and disable source downloading in App Engine. Then a hacker with access to your Google account can't even get the key. – Zig Mandel Oct 21 '15 at 14:21
  • Thanks again @ZigMandel. I will research this. Regarding the original question, do you foresee an issue with authenticating with OAuth? Is this a better alternative to Basic Authentication, particularly for data as sensitive as credit card data? – waynemystir Oct 21 '15 at 14:32
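The comment thread turns on two technical points: a hash cannot be turned back into the card number, and encryption at rest is only as good as the separation between the key and the data. The Go program below is an added example written for this page, not code from the question or its comments. It uses only the Go standard library: AES-256-GCM, which needs no manual padding for short inputs and authenticates the record, with the user ID bound in as additional authenticated data so a record copied onto another user's row fails to decrypt. Assumptions: the key is generated in memory for the demo (a real backend would load it from a secrets manager or KMS, never from the datastore row next to the ciphertext), the user ID `user-42` and the PAN `4111111111111111` are constructed sample values, and the function names (`sealCard`, `openCard`, `hashCard`) are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha512"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// CardRecord is the shape of what would be written to the datastore:
// ciphertext and nonce only, never the plaintext PAN and never the key.
type CardRecord struct {
	UserID     string
	Nonce      []byte
	Ciphertext []byte // AES-GCM output with the 16-byte tag appended
}

// newKey returns a fresh 256-bit AES key. Assumption for this example only:
// production code would fetch the key from a secrets manager or KMS rather
// than generate it here, and would keep it out of the datastore entirely.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealCard encrypts pan with AES-256-GCM. The user ID goes in as additional
// authenticated data, so the ciphertext is tied to the row it belongs to.
func sealCard(key []byte, userID, pan string) (CardRecord, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return CardRecord{}, err
	}
	// Fresh random nonce per record. Reusing a nonce under the same key
	// breaks GCM, so never derive this from anything that can repeat.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return CardRecord{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(pan), []byte(userID))
	return CardRecord{UserID: userID, Nonce: nonce, Ciphertext: ct}, nil
}

// openCard reverses sealCard. Wrong key, modified ciphertext or a record
// moved to another user all fail the tag check and return one opaque error.
func openCard(key []byte, rec CardRecord) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.UserID))
	if err != nil {
		return "", errors.New("card record failed authentication")
	}
	return string(pt), nil
}

// hashCard illustrates why the SHA-512 idea from the comments does not fit:
// the digest is fixed-size and one-way, so the PAN cannot be recovered from
// it when the user books the next room.
func hashCard(pan string) string {
	sum := sha512.Sum512([]byte(pan))
	return hex.EncodeToString(sum[:])
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample values: a user ID and a test card number.
	rec, err := sealCard(key, "user-42", "4111111111111111")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: user=%s nonce=%x ct=%x\n", rec.UserID, rec.Nonce, rec.Ciphertext)

	pan, err := openCard(key, rec)
	fmt.Println("same user, same key:", pan, err)

	rec.UserID = "user-43" // record copied onto another user's row
	_, err = openCard(key, rec)
	fmt.Println("different user:", err)

	fmt.Println("sha512 digest (not reversible):", hashCard("4111111111111111")[:16]+"...")
}
```

The part the code cannot show is the one the comments keep returning to: whoever can read both the datastore and the key material has the card numbers, regardless of how the API authenticates callers. Keeping the key out of the datastore and the plaintext out of logs matters more here than the choice between OAuth and Basic Authentication.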
