Using Spreedly from Mobile

Developing a native mobile app that collects sensitive payment information requires some forethought. Please read the following to determine the best approach for your app.

Security considerations

Developing a mobile app that securely accepts sensitive credit card information is non-trivial. By their very nature, mobile devices are insecure since they can be jail-broken, brute-force attacked and generally compromised by their possesor with no ability by the app maintainer to detect intrusions. Because of this limitation, any data stored on the device should be considered to be open to compromise and no secret or password values should be stored by your mobile app, which does include your Spreedly access secret.

Not having access to your Spreedly access secret on the mobile device forces you to work within the following constraints:

  • Any payment method added from mobile will be in the cached state, meaning it can be transacted against immediately, but will be purged and made inactive after some short amount of time (minutes, not hours). Be sure to retain any payment method you want to save for future (recurring) use.
  • Any request to process a payment cannot be sent directly from the mobile app since these API calls require an access secret. Instead, the token of the added payment method must be sent to your server backend, where you can execute a transaction against the Spreedly API. Almost all mobile apps require some form of a supporting API, so this is less a burden and more of a procedural detail.

With these constraints in mind, and depending on your mobile platform, you can choose how to implement payment collection from your mobile app.

Approaches

If you want to… then use… which…
Use a web view within your mobile app Spreedly Express or the iFrame payment form are mobile compatible, browser-based, approaches to collecting payment information
Implement native iOS card collection workflow the native iOS SDK to collect payment information lets you submit payment information directly to Spreedly from your Objective-C/Swift app
Integrate an Andriod app Spreedly Express or the iFrame payment form in lieu of a native Android SDK, are mobile compatible, browser-based, approaches to collecting payment information