3

I am developing a cross platform app that can handle payments, the online payment service issued a certificate for my use, thus I have a .pem certificate and within it there is 2 actual certificates and my private key.

The problem is that I can't seem t find how to use it safely, as it has to go in the requests to the web service of the online payment service, therefore I have to include it in my mobile app package, but if anybody opens the package he or she will instantly have access to the private key.

How can I manage this situation? Should I just include it and forget about it as anyway an attacker will have to have valid credit card numbers, or should I create an intermediate web service that can add the certificate?

gnat
  • 21,442
  • 29
  • 112
  • 288
NicolasZ
  • 133
  • 7

2 Answers2

2

The intent from their side is most likely that you're supposed to build your own intermediary service which will use the client certificate you're issued to identify itself to their service.

While it's a "client certificate", the client here is your intermediary service, not the end-user.

Lars Viklund
  • 2,106
  • 1
  • 17
  • 14
1

The cardinal rule is never ever leave your private key in your app. Only you should have access to your private key. Web services, or any service, should only need your public key.

If they require access to your private key then I suspect that the setup is screwy or you're dealing with a shady service.

user3155341
  • 11
  • 3