Prevent client-side tampering when using Google Pay JavaScript API

6
votes

I am trying to integrate Google Pay into our online store using the Google Pay API, and in the tutorial, there is this snippet which set the amount to pay, and currency code in a JavaScript object like this:

paymentDataRequest.transactionInfo = {
  totalPriceStatus: 'FINAL',
  totalPrice: '123.45',
  currencyCode: 'USD'
};

This looks awfully insecure, in that anyone can tamper with the values on the client-side before eventually clicking on the "Buy With Google Pay" button.

Of course, I can also check that values eventually sent back from the payment gateway, and then flag the order as fraud, but I'd also like to prevent this as early into the process as I can, if possible..

Thanks.

2
javascriptgoogle-apiandroid-paygoogle-pay
stackoverflow.com/questions/3727332/…Quentin
stackoverflow.com/questions/10494952/…Quentin
stackoverflow.com/questions/46675099/…Quentin
stackoverflow.com/questions/22208349/…Quentin

2 Answers

2
votes

I can also check that values eventually sent back from the payment gateway

This is the only approach that will work.

I'd also like to prevent this as early into the process as I can, if possible.

It isn't possible. The client belongs to the visitor and, ultimately, is completely under their control.

You can make it harder, with obfuscation, but that makes your code harder for you to debug and doesn't stop someone from just looking at the final HTTP requests and recreating them without using your code at all.

1
votes

Any data written to a device is subject to be read. When referring to secret in the technological sense, this principle is more prominent on user-facing devices, because these are typically more exposed to other agents and individuals than machines that act as servers.

The transaction information you are passing to loadPaymentData never determines the amount that will finally be charged. What you get back from this call is a payment method that is encrypted with a key that only your processor has, and hence, the payment processor (on the server side) is the only agent who can access this information. The final request to issue the charge continues to happen through a secure call between your server and your processor's.

In essence, using Google Pay to retrieve payment information to issue a charge is equivalent to how it's done without Google Pay except for the fact that the payment information is never exposed on the client side (since the user does not need to type it in), and thus, the process occurs with an additional layer of security in this aspect.