Apple Pay lets users make in-store payments for physical goods or services using an iOS 8 app. Payment information is stored in their iOS device, and users can use Touch ID to provide their payment and shipping information to complete the transaction with a single touch. The SDK is written using Objective-C.
The way the Square API delivers JSON output makes it possible for an attacker to engage in a cross-site scripting (XSS) under certain circumstances. The vulnerability was discovered by security researcher Ajay Chavda and reported to Square on August 7, 2015 through its bounty program on hackerone.