Bug 1021359

Enable product verification for in-app purchase receipts

RESOLVED FIXED

Get help with this page

Status

Product:

Component:

Importance:

normal

Status:

RESOLVED FIXED

Reported:

5 years ago

Modified:

5 years ago

People

(Reporter: kumar, Assigned: jkerim)

Tracking

Version:

1.5

Target:

---

Platform:

x86

Mac OS X

Points:

---

Blocks:

944480

Details

Kumar McMillan [:kumar] (needinfo all the things)

(Reporter)

Description

•

5 years ago

An in-app purchase receipt currently gets validated for having the right signature and for having an existing contribution object in the Marketplace db. A vendor also needs a way to verify that the receipt is for the right *product*. In other words, an attacker could pass a perfectly valid in-app receipt to the vendor but one for the wrong product. The vendor needs a way to prevent that.

For app purchases, the vendor does this by verifying the productURL. See https://github.com/mozilla/receiptverifier#options

We need to think of what data to put in the receipt to enable in-app product verification.

Kumar McMillan [:kumar] (needinfo all the things)

(Reporter)

Updated

•

5 years ago

Blocks: 944480

Jared Kerim [:jkerim]

(Assignee)

Updated

•

5 years ago

Assignee: nobody → jkerim

Andy McKay

Updated

•

5 years ago

Priority: -- → P2

Jared Kerim [:jkerim]

(Assignee)

Comment 1

•

5 years ago

Merged in https://github.com/mozilla/zamboni/pull/2190

Status: NEW → RESOLVED

Last Resolved: 5 years ago

Resolution: --- → FIXED

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Enable product verification for in-app purchase receipts

Status

People

(Reporter: kumar, Assigned: jkerim)

Tracking

Details

Security

(public)

User Story

Description

Updated

Updated

Updated

Comment 1