I have an Ionic2 Client that makes RESTful calls to a Tomcat Server running Spring/Java8 Services.
I would like to make use of the paypal-rest-sdk or something similar to send and receive paypal payments. I will also be implementing additional payment gateways (e.g. Stripe) in the future.
Question
My question is how should I architecturally design this?
PayPal provides a client_id and client_secret that obviously need to remain secure. These need to be used when making calls to the PayPal API.
Should the client_id and client_secret be stored on the Client (Ionic App) or Server (Java/Spring)?
1. Stored on Client
If the client_id and client_secret are stored on everyone's device, does this pose a potential security risk? Can someone obfuscate the code and steal them?
2. Stored on Server
What is stopping someone from calling the RESTful Service with the correct parameters to execute an unauthorized payment? I am planning on adding Spring JWT to the RESTful Services. Is this enough?
Any advice appreciated.
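One way to lay out the server-side option (2), as an added example that is not part of the question and not the paypal-rest-sdk's own code: the gateway credentials live only in server configuration, and the authenticated REST endpoint charges an amount the server already knows rather than one the app sends. `Order`, `OrderRepository` and `PaymentGateway` are hypothetical abstractions standing in for the application's persistence layer and the PayPal/Stripe SDK calls.

```java
import java.math.BigDecimal;
import java.security.Principal;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.*;

// Hypothetical order record: the server, not the app, holds the amount to charge.
final class Order {
    final String id, owner, currency; final BigDecimal amount; final boolean paid;
    Order(String id, String owner, BigDecimal amount, String currency, boolean paid) {
        this.id = id; this.owner = owner; this.amount = amount; this.currency = currency; this.paid = paid;
    }
}

interface OrderRepository {               // hypothetical persistence abstraction
    Order find(String id);
    void markPaid(String id, String gatewayRef);
}

// Hypothetical gateway abstraction, one implementation per provider (PayPal, Stripe). Each
// implementation reads client_id/client_secret from server-side config (e.g. @Value("${paypal.client-secret}")
// backed by an environment variable or a vault), so the secret never ships inside the Ionic app.
interface PaymentGateway {
    String charge(String orderId, BigDecimal amount, String currency);
}

@RestController
@RequestMapping("/api/payments")
public class PaymentController {
    private final PaymentGateway gateway;
    private final OrderRepository orders;
    public PaymentController(PaymentGateway gateway, OrderRepository orders) {
        this.gateway = gateway; this.orders = orders;
    }

    // The JWT filter has already authenticated the caller; the endpoint still checks
    // that the caller owns the order and that the order is charged only once.
    @PostMapping("/{orderId}")
    public ResponseEntity<String> pay(@PathVariable String orderId, Principal caller) {
        Order order = orders.find(orderId);
        if (order == null || !order.owner.equals(caller.getName())) {
            return ResponseEntity.status(403).build();   // not the caller's order
        }
        if (order.paid) {
            return ResponseEntity.status(409).build();   // already charged
        }
        // Amount and currency come from the server's record, never from the request body.
        String ref = gateway.charge(order.id, order.amount, order.currency);
        orders.markPaid(order.id, ref);
        return ResponseEntity.ok(ref);
    }
}
```

With this shape, a caller who replays the endpoint with "the correct parameters" can only trigger a charge for an order they own, for the amount the server recorded, and only once.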