SmartApps Restrictions
To protect the security and stability of our ecosystem, restrictions have been defined on the use of Point terminal functions. Integrators must comply with these measures so that their application can run on our devices without compromising the security of the system or users.
OAuth must be used to obtain payment information, access user data, or execute operations on the seller's account, such as charges or refunds.
In the application configuration, the minimum API level (minSdkVersion) must be set according to the operating system of the terminal the application will run on.
- Point Smart A910 uses Android 6 - minimum API level: 23
- Point Smart N950 uses Android 12 - minimum API level: 31
Point terminals use an operating system based on AOSP (Android Open Source Project), which means they do not include Google and Firebase services by default. To verify which services are available on these devices, consult the official Firebase documentation.
When building the application, it is recommended to use libraries in their most recent versions with active support, in order to reduce exposure to known vulnerabilities.
To evaluate the security of dependencies, it is suggested to use specialized tools such as Snyk or Sonatype, which identify risks from public vulnerability databases (such as NVD or CVE Details) and offer recommendations to fix or update the affected dependencies.
Functionalities associated with the payment flow (such as card reading and processing, receipt printing, Bluetooth usage, and camera access for barcode or QR code scanning) must be invoked exclusively through the Mercado Pago SDK and not through direct use of permissions declared in the AndroidManifest file.
To allow the application to connect to online services and use basic terminal functionalities, only the following permissions are authorized:
- android.permission.ACCESS_COARSE_LOCATION
- android.permission.ACCESS_FINE_LOCATION
- android.permission.ACCESS_NETWORK_STATE
- android.permission.FLASHLIGHT
- android.permission.FOREGROUND_SERVICE
- android.permission.INTERNET
- android.permission.POST_NOTIFICATIONS
- android.permission.RECEIVE_BOOT_COMPLETED
- android.permission.SCHEDULE_EXACT_ALARM
- android.permission.VIBRATE
- android.permission.WAKE_LOCK
On the other hand, and in accordance with security policies, there are permissions that are not allowed, such as:
- android.permission.ACCESS_GPS
- android.permission.ACCESS_INSTANT_APPS
- android.permission.ACCESS_LOCATION
- android.permission.ACCESS_WEBVIEW
- android.permission.ACCESS_WIFI_STATE
- android.permission.BIND_ACCESSIBILITY_SERVICE
- android.permission.BLUETOOTH
- android.permission.BLUETOOTH_ADMIN
- android.permission.BLUETOOTH_ADVERTISE
- android.permission.BLUETOOTH_CONNECT
- android.permission.BLUETOOTH_PRIVILEGED
- android.permission.BLUETOOTH_SCAN
- android.permission.BROADCAST_STICKY
- android.permission.CHANGE_NETWORK_STATE
- android.permission.CHANGE_WIFI_STATE
- android.permission.CLOUDPOS_PRINTER
- android.permission.DELETE_PACKAGES
- android.permission.DEVICE_POWER
- android.permission.DISABLE_KEYGUARD
- android.permission.DISABLE_STATUS_BAR
- android.permission.DOWNLOAD_WITHOUT_NOTIFICATION
- android.permission.DUMP
- android.permission.EXPAND_STATUS_BAR
- android.permission.FOREGROUND_SERVICE_DATA_SYNC
- android.permission.GET_ACCOUNTS
- android.permission.GET_TASKS
- android.permission.INSTALL_PACKAGES
- android.permission.INSTALL_SHORTCUT
- android.permission.INTERACT_ACROSS_USERS_FULL
- android.permission.KILL_BACKGROUND_PROCESSES
- android.permission.MANAGE_EXTERNAL_STORAGE
- android.permission.MANAGE_NEWLAND
- android.permission.MANAGE_NEWLAND_ICCARD
- android.permission.MANAGE_NEWLAND_PAYCOMMON
- android.permission.MANAGE_NEWLAND_PIN
- android.permission.MODIFY_AUDIO_SETTINGS
- android.permission.MODIFY_PHONE_STATE
- android.permission.MOUNT_UNMOUNT_FILESYSTEMS
- android.permission.NEARBY_WIFI_DEVICES
- android.permission.NFC
- android.permission.QUERY_ALL_PACKAGES
- android.permission.READ_EXTERNAL_STORAGE
- android.permission.READ_LOGS
- android.permission.READ_PHONE_STATE
- android.permission.READ_PRIVILEGED_PHONE_STATE
- android.permission.READ_PROFILE
- android.permission.READ_SMS
- android.permission.READ_USER_DICTIONARY
- android.permission.REBOOT
- android.permission.RECORD_AUDIO
- android.permission.REORDER_TASKS
- android.permission.REQUEST_DELETE_PACKAGES
- android.permission.REQUEST_INSTALL_PACKAGES
- android.permission.SEND_SMS
- android.permission.SET_TIME
- android.permission.SET_TIME_ZONE
- android.permission.SET_WALLPAPER
- android.permission.SET_WALLPAPER_HINTS
- android.permission.SUNMI_RESET_APPS
- android.permission.SYSTEM_ALERT_WINDOW
- android.permission.USB_PERMISSION
- android.permission.USB_SET
- android.permission.USE_BIOMETRIC
- android.permission.USE_FINGERPRINT
- android.permission.USE_PERIPHERAL_IO
- android.permission.WRITE_APN_SETTINGS
- android.permission.WRITE_CALENDAR
- android.permission.WRITE_EXTERNAL_STORAGE
- android.permission.WRITE_OWNER_DATA
- android.permission.WRITE_SECURE_SETTINGS
- android.permission.WRITE_SETTINGS
Likewise, the use of permissions or libraries associated with third-party integrations is prohibited, such as:
- br.com.uol.pagseguro.*
- cielo.lio.permission.*
- com.getnet.*
- com.pax.*
- com.sunmi.*
In those cases where specific functionalities are required for the integrator's business, the Mercado Pago team will evaluate the request and/or propose implementation alternatives that allow the correct functioning of the application without compromising the security of the environment. Each application will be analyzed individually during the review process.
- Use of WebView.
- Use of accessibility services.
- Access to external storage via SD card.
- Debug configurations enabled in the AndroidManifest, such as allowBackup=true, testOnly=true, debuggable=true, among others.
- Use of clear text communications or with the cleartextTrafficPermitted=true option within the AndroidManifest.
- Dependencies on functionalities based on Google Play Services, which are not available on terminals with Android AOSP, such as: Google Maps API, Calendar, authentication with Google accounts, among others.
- Use of the USB port for information transmission.
- Inclusion of social media icons within the application, in order to prevent unauthorized navigation through them.
- The package name must meet the following conditions:
  - Only alphanumeric characters (a-z, A-Z, 0-9).
  - Separated by dots (.).
  - Reverse domain format: com.example.app.
  - No spaces, hyphens, or other special characters.
- What is not allowed in applications:
  - Use of the name "Mercado Pago" or "Mercado Libre" in the app name or in the package name.
  - Display of Mercado Pago, Mercado Libre, or competitor logos.
  - Inappropriate content (inappropriate images or words).
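A pre-submission check for the manifest rules above (authorized permissions, prohibited third-party prefixes, debug flags, package-name format), as an added example that is not Mercado Pago's own tooling. It assumes the merged manifest still carries a package attribute; lint_manifest, the finding labels and the sample manifest are constructed for illustration, and matching the brand names case-insensitively is an assumption.

```python
import re
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Authorized permissions, copied from the list on this page.
ALLOWED = {"android.permission." + p for p in (
    "ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION", "ACCESS_NETWORK_STATE",
    "FLASHLIGHT", "FOREGROUND_SERVICE", "INTERNET", "POST_NOTIFICATIONS",
    "RECEIVE_BOOT_COMPLETED", "SCHEDULE_EXACT_ALARM", "VIBRATE", "WAKE_LOCK")}
# Third-party prefixes the page prohibits (trailing "*" dropped).
THIRD_PARTY = ("br.com.uol.pagseguro.", "cielo.lio.permission.",
               "com.getnet.", "com.pax.", "com.sunmi.")
# Flagged <application> attributes with the value assumed when one is missing
# (allowBackup is on by default). usesCleartextTraffic is the manifest switch;
# cleartextTrafficPermitted lives in the network security config, not parsed here.
FLAG_DEFAULTS = {"allowBackup": "true", "testOnly": "false",
                 "debuggable": "false", "usesCleartextTraffic": "false"}
PACKAGE_RE = re.compile(r"[A-Za-z0-9]+(\.[A-Za-z0-9]+)+")

# Constructed sample manifest (not from a real application).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.pos-app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.BLUETOOTH_CONNECT"/>
  <uses-permission android:name="com.sunmi.EXAMPLE_PERMISSION"/>
  <application android:debuggable="true" android:allowBackup="false"/>
</manifest>"""


def lint_manifest(xml_text):
    """Return sorted findings for the source text of one AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    findings = []
    if not PACKAGE_RE.fullmatch(package):
        findings.append(f"package-format: {package}")
    if re.search(r"mercado\W*(pago|libre)", package, re.I):
        findings.append(f"package-brand: {package}")
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID + "name", "")
        if name.startswith(THIRD_PARTY):
            findings.append(f"third-party-permission: {name}")
        elif name not in ALLOWED:
            findings.append(f"unauthorized-permission: {name}")
    app = root.find("application")
    for flag, default in FLAG_DEFAULTS.items():
        if app is not None and app.get(ANDROID + flag, default).lower() == "true":
            findings.append(f"risky-flag: {flag}=true")
    return sorted(findings)
```

Calling lint_manifest(SAMPLE) reports the hyphenated package name, the debuggable flag and the two permissions outside the authorized list; a build step can fail whenever the returned list is non-empty.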
The implementation of the following best practices is suggested during the application development phase, with the objective of strengthening its security, minimizing risks associated with sensitive data exposure, and avoiding compromise of the payment ecosystem.
- Avoid embedding credentials or certificates in plain text. Instead, consider using code obfuscation and protection techniques.
- Avoid using obsolete cryptographic algorithms such as DES, RC4, or MD5. Instead, use AES (minimum 128 bits) for symmetric encryption, SHA-256 or SHA-3 for hash functions, and RSA (≥2048 bits) or ECDSA for encryption and digital signatures.
- Prevent exposure or insecure transmission of end users' sensitive information. Avoid using plain text and ensure that all communication is carried out through encrypted channels, using TLS in order to protect data security and privacy.
- For storing sensitive data (such as session tokens), it is recommended to use Android Keystore instead of SQLite or SharedPreferences.
- Perform security analysis using tools such as SAST, SCA, DAST, and IAST, and complement with threat modeling, periodic code reviews, and penetration testing.
- On devices with internet connection via mobile data, ensure that communication is established only with legitimate backends.