
Part A – Application Security Certification

 
 
An application must not communicate with the API through a proxy of any description. All communication must be directly with the API and must be over a secure channel.
Compliant: The BTX communicates directly with the API over a secure (HTTPS) connection.
 
A Vendor must not have visibility of a user's Betfair username, password or any other sensitive data that may link a user of a product to a Betfair account.
Compliant: There is no communication at all between the BTX and the vendor.
 
An application must communicate directly with Betfair via the API to validate a customer.
Compliant: The BTX validates a customer directly with Betfair using the API Login function.
 
An application must never store or log the user's Betfair password.
Compliant: The BTX does not store the user’s Betfair password in any way.
 
An application must not store or log the username in plain text. If the user has chosen to store their username locally (by performing an explicit action to indicate that wish), it must be encrypted (AES with a minimum key length of 128 bits).
Compliant: The BTX does not store or log the username at all and there is currently no option for the user to do so.
 
An application must display an agree/disagree modal dialog to the user when the user indicates a desire to store their username locally. The default action of the dialog should be to not save the username.
Compliant: Not applicable. There is currently no option to store the username.
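The two requirements above (store the username only after an explicit opt-in, and then only under AES with at least a 128-bit key) are easy to get subtly wrong, so here is an added example, not code from the BTX or from Betfair, of how a vendor application could implement that path. It uses AES-GCM from the Go standard library so the stored value is also integrity-protected, which the certification text does not require but a plain AES-CBC/ECB implementation would lack. It assumes the key is supplied by the caller (for instance from the OS keychain; the `SaveIfConsented`, `EncryptUsername` and `DecryptUsername` names and the consent flag are this example's own, not part of the certification).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ErrKeyTooShort is returned when the key would give AES fewer than 128 bits.
// aes.NewCipher itself only accepts 16, 24 or 32-byte keys.
var ErrKeyTooShort = errors.New("key must be at least 16 bytes (AES-128); 24 or 32 bytes also accepted")

// newAEAD builds an AES-GCM AEAD from key, enforcing the 128-bit minimum.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) < 16 {
		return nil, ErrKeyTooShort
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptUsername returns nonce || ciphertext || tag for username under key.
// A fresh random nonce is generated per call and stored with the record.
func EncryptUsername(key []byte, username string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce, so one blob holds everything.
	return aead.Seal(nonce, nonce, []byte(username), nil), nil
}

// DecryptUsername reverses EncryptUsername. A wrong key or a modified record
// fails authentication and returns an error rather than garbage.
func DecryptUsername(key, blob []byte) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return "", errors.New("stored value too short to be a valid record")
	}
	plain, err := aead.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// SaveIfConsented models the modal dialog's outcome: consented is false unless
// the user explicitly chose "agree", so the default path stores nothing and
// returns a nil blob.
func SaveIfConsented(consented bool, key []byte, username string) ([]byte, error) {
	if !consented {
		return nil, nil
	}
	return EncryptUsername(key, username)
}

func main() {
	key := []byte("0123456789abcdef") // constructed 16-byte demo key; use a keychain-backed key in practice
	blob, err := SaveIfConsented(true, key, "example_user")
	if err != nil {
		panic(err)
	}
	back, err := DecryptUsername(key, blob)
	fmt.Printf("stored %d bytes, recovered %q, err=%v\n", len(blob), back, err)
}
```

Because GCM is an AEAD, `DecryptUsername` rejects a record encrypted under a different key or altered on disk, which is the failure mode an unauthenticated AES mode would silently pass through as a corrupted username.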
 
An application may not implement automatic login as this would require the application storing the password locally.
Compliant: There is no automatic login function supported.
 
An application must use the Vendor-registered user ID credentials (not the Betfair username) to validate the subscription, fetch news, update the application, and for all other Vendor/application-specific communication.
Compliant: Subscription validation is implemented using the LimeLM licensing and online activation system via a user-specific product key, which is unrelated to any Betfair credentials.
 
The provisioning (where applicable) of the account to use the application with the Betfair API must be via the Vendor Services API or Vendor Console; see Part II.
Compliant: The provisioning of the account to use the API is not carried out by the BTX and is the responsibility of the BTX website administrator.
 
The vendorSoftwareId must be obfuscated from the end user.
Compliant: The vendorSoftwareId is not displayed or stored locally in any way by the BTX.
 
The application must provide a 'Logout' function.
Compliant: A Logout function is available in the BTX main menu.
 