Integration guidelines for mobile apps

This document focuses on the practical implementation of xMoney in mobile apps, covering essential aspects like app store guidelines, secure API usage, and technical best practices.

App Store guidelines

App stores, like Apple's App Store and Google Play, have specific rules regarding in-app payment processing.

iOS (Apple App Store)

  • Apple enforces strict guidelines, requiring apps to undergo a review process before distribution.
  • According to Apple's App Review Guidelines, external payment providers are typically permitted for physical goods transactions.
  • Digital goods and services often necessitate using Apple's in-app purchase system.
  • Always refer to the latest App Review Guidelines, specifically the Payments section, for current policies.

Android (Google Play Store)

  • Google Play also has developer policies that regulate in-app payments.
  • While Google may conduct random compliance checks, they allow external payment methods for physical goods and digital content consumed outside the app.
  • Google Play In-app Billing is generally required, except for physical product sales or digital content accessible elsewhere.
  • Review the Google Play Developer Policy for the most up-to-date requirements.

It's crucial to consult the specific terms and conditions of your target app store to ensure compliance.

Security best practices

A mobile app runs on devices you do not control, so anything shipped in the binary, including obfuscated or "hidden" keys, must be treated as public. Therefore, never embed xMoney API keys in your app's code.

  • Devices can be rooted or compromised, and any app binary can be decompiled, allowing malicious actors to extract sensitive information such as keys.
  • An API key embedded in an app cannot be rotated or revoked without breaking existing installations, so a leaked key stays usable until every user updates.

To mitigate these risks:

  • Implement a secure backend service to handle all xMoney API interactions.
  • The mobile app should communicate with this backend service, which acts as a trusted intermediary.
  • Validate all data received from the app on your backend server. Never trust the app to provide accurate payment amounts, currencies, or other critical data; a modified app can send any value.
  • The backend must generate all payment parameters (amount, currency, order identifier, return URL, signature) from your own business rules and catalog, and only then hand the result to the app to forward.
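The following is an added example of such a backend endpoint, not xMoney's SDK or sample code. It assumes a hypothetical HMAC-SHA512 signing scheme and placeholder field names (siteId, orderId, amount, currency, backUrl); substitute whatever the real API specifies. The point it demonstrates is the trust boundary: the app may only choose SKUs and quantities, the amount is computed from a server-side catalog, and the secret key never leaves the server.

```python
"""Backend-side payment initiation for a mobile app (added example, not xMoney code).

The app calls create_payment() over TLS; it never holds the secret key and its
price/currency/amount fields are ignored even when present.
"""
import base64
import hashlib
import hmac
import json
import os
import uuid

# Real deployments load this from a secrets manager; the default is a demo value.
XMONEY_SECRET_KEY = os.environ.get("XMONEY_SECRET_KEY", "server-only-secret-for-demo")
XMONEY_SITE_ID = "12345"  # assumed merchant identifier (placeholder)
BACK_URL = "https://api.example.com/payments/return"  # assumed backend route

# Server-side catalog (constructed sample data): prices in minor units are the
# only source of truth for what the customer is charged.
CATALOG = {
    "sku-coffee-beans-1kg": {"price_minor": 1999, "currency": "EUR"},
    "sku-gift-mug": {"price_minor": 1250, "currency": "EUR"},
}
MAX_QUANTITY = 10


class InvalidRequest(ValueError):
    """Raised for anything the app sent that does not pass validation."""


def validate_order_request(payload):
    """Accept only what the app may legitimately decide: which SKUs and how many."""
    items = payload.get("items")
    if not isinstance(items, list) or not items:
        raise InvalidRequest("items must be a non-empty list")
    result = []
    for item in items:
        sku = item.get("sku") if isinstance(item, dict) else None
        qty = item.get("quantity") if isinstance(item, dict) else None
        if sku not in CATALOG:
            raise InvalidRequest(f"unknown sku: {sku!r}")
        # bool is a subclass of int, so True would otherwise pass as quantity 1.
        if not isinstance(qty, int) or isinstance(qty, bool) or not 1 <= qty <= MAX_QUANTITY:
            raise InvalidRequest(f"bad quantity for {sku}: {qty!r}")
        result.append((sku, qty))
    return result


def build_payment_parameters(order_id, items):
    """Compute the amount from CATALOG and assemble the provider-facing request.
    Field names are assumptions, not xMoney's."""
    currencies = {CATALOG[sku]["currency"] for sku, _ in items}
    if len(currencies) != 1:
        raise InvalidRequest("all items must share a currency")
    amount_minor = sum(CATALOG[sku]["price_minor"] * qty for sku, qty in items)
    return {
        "siteId": XMONEY_SITE_ID,
        "orderId": order_id,
        "amount": f"{amount_minor // 100}.{amount_minor % 100:02d}",  # exact, e.g. "39.98"
        "currency": currencies.pop(),
        "backUrl": BACK_URL,
    }


def sign_parameters(params, secret):
    """HMAC-SHA512 over canonical JSON, base64-encoded (assumed scheme).
    Only the server can produce this, so the app cannot alter the parameters."""
    canonical = json.dumps(params, sort_keys=True, separators=(",", ":")).encode()
    return base64.b64encode(hmac.new(secret.encode(), canonical, hashlib.sha512).digest()).decode()


def create_payment(app_request):
    """Entry point the app calls (e.g. POST /payments). Returns the signed
    parameters to forward to the provider and the order id to poll later."""
    items = validate_order_request(app_request)
    order_id = str(uuid.uuid4())  # server-generated, never app-chosen
    params = build_payment_parameters(order_id, items)
    return {"orderId": order_id, "params": params,
            "signature": sign_parameters(params, XMONEY_SECRET_KEY)}


if __name__ == "__main__":
    # Constructed request from a tampered app claiming its own price and currency.
    tampered = {"items": [{"sku": "sku-coffee-beans-1kg", "quantity": 2, "price": "0.01"}],
                "amount": "0.01", "currency": "USD"}
    print(json.dumps(create_payment(tampered), indent=2))  # amount is "39.98", EUR
```

The tampered fields are simply never read: the handler whitelists the two values the client is allowed to influence and derives everything else. Keep the catalog lookup and the signing on the same server, and treat the returned orderId as the handle the app uses for every later status query.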

Handling Webhooks

Mobile applications cannot receive webhook notifications directly. Additionally, payment status might not be immediately available when a user returns to the app. To address this:

  • Configure the backUrl parameter to point to your backend service.
  • Your backend should verify and process the webhook, record the resulting status against the order, and trigger a silent push notification to the mobile app.
  • The app then fetches the latest payment status from your backend and updates its UI. Because push delivery is not guaranteed, the app should also query that status whenever it returns to the foreground after the payment flow.
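The backend side of this flow, as an added example rather than xMoney's own code: it assumes the provider POSTs a JSON body with hypothetical eventId, orderId and status fields plus an HMAC-SHA512 signature header over the raw body, and it abstracts the push service behind a callable so the logic runs offline. It shows the checks a practitioner wants here: signature verification before parsing, idempotent handling of retried webhooks, no regression of a terminal status on out-of-order delivery, a push that carries only the order id, and a status lookup for the app to call on resume.

```python
"""Webhook receiver and status endpoint for the mobile flow (added example, not xMoney code).

Assumed wire format: provider POSTs JSON {"eventId", "orderId", "status"} and a
header carrying base64(HMAC-SHA512(secret, raw_body)). Status values are placeholders.
"""
import base64
import hashlib
import hmac
import json
import os

XMONEY_SECRET_KEY = os.environ.get("XMONEY_SECRET_KEY", "server-only-secret-for-demo")
TERMINAL_STATUSES = {"complete-ok", "complete-failed", "refunded"}   # assumed values
KNOWN_STATUSES = TERMINAL_STATUSES | {"in-progress"}


class PaymentStore:
    """Per-order state plus the device token for the silent push. In-memory so
    the example runs offline; a real deployment persists this in a database."""

    def __init__(self):
        self.orders = {}          # orderId -> {"status": str, "device_token": str}
        self.seen_events = set()  # webhook event ids already processed

    def register_order(self, order_id, device_token):
        """Called when the backend creates the payment, before the app is redirected."""
        self.orders[order_id] = {"status": "pending", "device_token": device_token}


def sign_body(raw_body, secret):
    """Assumed provider scheme; used here only to construct test webhooks."""
    return base64.b64encode(hmac.new(secret.encode(), raw_body, hashlib.sha512).digest()).decode()


def verify_signature(raw_body, signature_header, secret):
    """Constant-time comparison over the raw bytes as received, before any parsing."""
    return hmac.compare_digest(sign_body(raw_body, secret), signature_header or "")


def handle_webhook(store, raw_body, signature_header, send_silent_push):
    """Process one webhook delivery. Returns (http_status, reason) for the response.
    send_silent_push(device_token, payload) is the push-service adapter."""
    if not verify_signature(raw_body, signature_header, XMONEY_SECRET_KEY):
        return 401, "bad signature"
    try:
        event = json.loads(raw_body)
    except ValueError:
        return 400, "malformed body"
    order_id, status = event.get("orderId"), event.get("status")
    event_id = event.get("eventId") or (order_id, status)  # fallback idempotency key
    if status not in KNOWN_STATUSES:
        return 400, "unknown status"
    if event_id in store.seen_events:
        return 200, "duplicate ignored"       # provider retries must be harmless
    order = store.orders.get(order_id)
    if order is None:
        return 404, "unknown order"
    store.seen_events.add(event_id)
    # A terminal state never regresses to "in-progress" on out-of-order delivery.
    if order["status"] in TERMINAL_STATUSES and status not in TERMINAL_STATUSES:
        return 200, "stale event ignored"
    order["status"] = status
    # The push carries only the order id; the app fetches the status from us,
    # so nothing about the payment travels through the push provider.
    send_silent_push(order["device_token"], {"orderId": order_id})
    return 200, "ok"


def get_status(store, order_id):
    """What the app queries (e.g. GET /payments/<orderId>) when it regains
    focus, in case the push has not arrived yet."""
    order = store.orders.get(order_id)
    return None if order is None else {"orderId": order_id, "status": order["status"]}


if __name__ == "__main__":
    store = PaymentStore()
    store.register_order("ord-1", "device-token-A")
    # Constructed provider message signed with the shared secret.
    body = json.dumps({"eventId": "evt-1", "orderId": "ord-1", "status": "complete-ok"}).encode()
    push = lambda token, payload: print("silent push to", token, payload)
    print(handle_webhook(store, body, sign_body(body, XMONEY_SECRET_KEY), push))  # (200, 'ok')
    print(handle_webhook(store, body, sign_body(body, XMONEY_SECRET_KEY), push))  # duplicate
    print(get_status(store, "ord-1"))
```

Respond 200 to duplicates and stale events so the provider stops retrying, but reserve the status update and the push for the first delivery only; the device token is looked up server-side from the order so the app never has to tell the backend where to push.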

By following these best practices, you can ensure a secure, compliant, and user-friendly integration of xMoney within your mobile application.