My app has to comunicate with an API, we can do this easily to send and get data.
Right now we send everything as plain text as a parameter of the URL.
I am by no means a security expert, but common sense tells me the credit card number should be encrypted during the transfer.
The server can worry about the storage, my only concern is the actual transmission of the data.
From my reading I undertand that I need a private key encryption algorithm, as it needs to be reversed by the server to get the actual data.
Is a good one already implemented on the CommonCrypto framework?
What would be your recommendation?
I am looking to do this using iOS and I am sure the security frameworks have tools to complete this challenge, I just dont know where to look or what to look for.
Thank you!
You should absolutely not be using URL parameters for the credit card information. URLs that are accessed by other clients on a network can be easily sniffed and recorded by other computers on the network (with certain limitations of course).
You should be submitting the info using POST parameters so that they are contained in the body of the message and not the URL itself. Then as long as you are submitting to an HTTPS page, the data should be safe without needing to encrypt it first (the message itself is encrypted using SSL in this case).