Comments (8)
Letting other people see the private key is indeed unsafe; someone can download the app, decompile it, and read the private key.
But exactly how unsafe it is cannot be known precisely.
I looked at some of Alipay's documentation. The refund interfaces all require backend operations.
So the server side must have sufficient verification. The transaction can be initiated on the front end, but the transaction verification must be done on the backend.
from cordova-plugin-alipay.
Could there be an attack like this: the attacker guesses the rough generation rule of the order numbers, generates a large number of order numbers himself and requests the payment interface with them, consuming the payment order numbers, so that the app's legitimate order numbers (when a legitimate order number coincides with one of the attacker's) cannot complete the transaction. Thanks, and happy New Year!
The attacker guesses the approximate generation rule of the order numbers.
Not safe; it must be placed on the server side, otherwise the private key loses its purpose.
@bgqkl That really is a nasty attack method. I had only thought about whether the money was safe and hadn't considered this layer. Awesome.
@ryanlin1986 You are right, but I can't fully agree; everything has a time cost. Whether something is secure also depends on the particular situation. If nobody uses your app at all, there is no value in attacking it, and the question is meaningless. Just use the appropriate method at the appropriate time.
When I have time in a couple of days, I'll add another method that supports generating the sign on the backend.
Really looking forward to you implementing backend sign generation. Awesome.