Closed Bug 1021359 Opened 11 years ago Closed 11 years ago

Enable product verification for in-app purchase receipts

Tracking

(Not tracked)

Status:

RESOLVED FIXED

People

(Reporter: kumar, Assigned: jlockhart)

References

Details

Votes:

Kumar McMillan [:kumar]

Reporter

Description

•

11 years ago

An in-app purchase receipt currently gets validated for having the right signature and for having an existing contribution object in the Marketplace db. A vendor also needs a way to verify that the receipt is for the right *product*. In other words, an attacker could pass a perfectly valid in-app receipt to the vendor but one for the wrong product. The vendor needs a way to prevent that. For app purchases, the vendor does this by verifying the productURL. See https://github.com/mozilla/receiptverifier#options We need to think of what data to put in the receipt to enable in-app product verification.

Kumar McMillan [:kumar]

Reporter

Updated

•

11 years ago

Blocks: 944480

Jared Lockhart [:jlockhart]

Assignee

Updated

•

11 years ago

Assignee: nobody → jkerim

Andy McKay

Updated

•

11 years ago

Priority: -- → P2

Jared Lockhart [:jlockhart]

Assignee

Comment 1

•

11 years ago

Merged in https://github.com/mozilla/zamboni/pull/2190

Status: NEW → RESOLVED

Closed: 11 years ago

Resolution: --- → FIXED

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Enable product verification for in-app purchase receipts

Categories

(Marketplace Graveyard :: Payments/Refunds, defect, P2)

Tracking

(Not tracked)

People

(Reporter: kumar, Assigned: jlockhart)

References

Details

Crash Data

Security

(public)

User Story

Description

Updated

Updated

Updated

Comment 1