Security Issue: Should not include private Stripe Key client side
Opened this issue · 5 comments
This plugin has the developer including their private Stripe API key client side, this means anyone could download an APK that uses this plugin, peer into it and see the api key in plain text.
What does that mean? At a minimum they can use one's Stripe account to test cards, refund someone's charges, cause callbacks, and other bad things.
This should be fixed ASAP
This key disclosure is particularly insidious, because once you know your keys have been leaked, your story for how to roll them is quite bad. Rolling your keys is going to require all released copies of the app to be updated, which would be painful.
At a bare minimum, the fix here needs to be to move the part of the application which creates charges to a server-side component. The only interaction the app itself should have with stripe is to create card tokens.
The problem becomes that any app which relies on the currently presented interface (ie: trusting the client to do billing) is going to be susceptible to all sorts of hilarity. (To use the simplest possible example, you could just patch the app, and comment out the bit that bills the user. Admittedly, you'd need to jailbreak your iOS device / mod your android device to do so.) Unfortunately, I get the sense that there's no way of really fixing this without substantial rework of the applications that use this plugin.
I have now come across two Cordova apps that have had the Stripe secret key embedded due to this plugin. I don't think it is made clear enough in the documentation - this should not be used for normal client applications.
Can you send a PR for the readme perhaps?
Btw, it's being worked on, I'll ask what the status is.
Done.
Hi!
Has this issue been resolved?
Is the plugin still not secure?
I need to use Stripe in a Cordova based app.
If this is not secure, could you please recommend what should I be using?
Greatly appreciate any help!
Thanks!