Mobile Buy SDK: Security concerns

New Member

Hi everyone!

I am looking for a way to integrate Shopify APIs to our iOS / Android mobile apps. The Mobile Buy SDKs are looking promising, with the ability to retrieve Products, complete Checkouts, and manage Customers & Customers Orders.

However, when looking at the installation steps, I see the need to provide an API Key. Embedding API keys into mobile apps is far from being recommended, even after applying some obfuscation techniques. Furthermore, it looks like you need to provide a Storefront API Key, which provides unauthenticated access to ALL store data, including all customer information. Any leak of this API Key looks quite scary.

I know one solution to mitigate this is to build a middleware backend system that actually sends the requests to the Shopify APIs and sends back the responses to the mobile apps. However, with this approach, we are kind of losing all the power of the Buy SDKs. We'll then only use the Mobile Buy SDKs to generate payment tokens during Checkouts, and all the rest will be handled by the middleware backend.

Am I missing something here? How can the Mobile Buy SDKs be safely used on public apps?

Thanks for your help


Shopify Staff

Hi @antoinelvl

The Storefront API (which the SDKs are built on) is a public unauthenticated API. It was designed to be used client-side. The Storefront Access Token provided does give unauthenticated access to what you have set permissions for, but by design, these are only elements that would be visible on a storefront.

For example, there is access to products, but this is to display products; there is no ability to create or destroy products. The same can be said for other areas of the API: you can create a customer, but in order to access a customer's private info you need their login, which generates a customer access token.

The mobile SDK is the best way to integrate into your mobile apps. Keep in mind as well that the API limits are based on customer IP, so middleware is not recommended.

Vix | Developer Support @ Shopify


New Member
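The login flow Vix describes, as an added example that is not from this thread or from Shopify's SDKs: a minimal Python client for the Storefront GraphQL API showing that the token shipped inside the app only travels in a request header, while a customer's private data comes back only after exchanging that customer's credentials for a customer access token. The shop domain, API version and the injectable `send` transport are assumptions.

```python
import json
import urllib.request

# Placeholders, not values from the thread.
SHOP_DOMAIN = "example-store.myshopify.com"
API_VERSION = "2024-01"

# Exchanges the customer's credentials for a customer access token.
CUSTOMER_LOGIN = """
mutation($input: CustomerAccessTokenCreateInput!) {
  customerAccessTokenCreate(input: $input) {
    customerAccessToken { accessToken expiresAt }
    customerUserErrors { code field message }
  }
}"""

# Private customer data: only returned for a valid customer access token.
CUSTOMER_ORDERS = """
query($token: String!) {
  customer(customerAccessToken: $token) {
    email
    orders(first: 5) { edges { node { name } } }
  }
}"""


def build_request(public_token, query, variables):
    """Storefront GraphQL request. The public storefront token travels in the
    X-Shopify-Storefront-Access-Token header and by itself reaches only
    storefront-visible data (products, collections, checkout creation)."""
    body = json.dumps({"query": query, "variables": variables}).encode()
    return urllib.request.Request(
        f"https://{SHOP_DOMAIN}/api/{API_VERSION}/graphql.json",
        data=body, method="POST",
        headers={"Content-Type": "application/json",
                 "X-Shopify-Storefront-Access-Token": public_token})


def fetch_customer_orders(public_token, email, password, send):
    """Two-step flow: log the customer in, then read their orders with the
    resulting per-customer token. `send` is an injectable transport
    (urllib Request -> decoded JSON dict) so the flow runs offline in tests."""
    login = send(build_request(public_token, CUSTOMER_LOGIN,
                               {"input": {"email": email, "password": password}}))
    payload = login["data"]["customerAccessTokenCreate"]
    if payload["customerUserErrors"] or not payload["customerAccessToken"]:
        return None  # no login, no customer data: the public token alone is not enough
    token = payload["customerAccessToken"]["accessToken"]
    result = send(build_request(public_token, CUSTOMER_ORDERS, {"token": token}))
    return result["data"]["customer"]
```

A real transport would `urllib.request.urlopen(req)` and `json.load` the response; the fake one used in testing mirrors the shape of the two Storefront responses.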

Hi @vix 

Thank you for your fast answer! It clears things up. I now have a better understanding of what the Storefront API stands for. Any customer information is protected behind a customer login flow.

On my end, I think I will still stay away from the Storefront API. Here's why:

- We already provide our users on iOS / Android a way to sign up / sign in to use our service. We don't want to force them to create another customer account on Shopify, to access Shopify functionalities (Products, Checkouts, Orders).

- Therefore, we need a programmatic way to create Shopify customers on our end, retrieve Shopify customer information, create & complete Checkouts, and display customer orders, all of that without an extra login step for our users.

It seems like instead of the Storefront API, I should take a look at a server-side integration, using the Admin API. Does that sound right? However, I'm guessing that Payment Token generation, for PCI compliance, has to happen on the client-side. I could use the Storefront API just for that purpose, as well as for ApplePay / GooglePlay integration?
