Bug 867265 - Identifying your packaged app from a receipt
Product: Marketplace
Classification: Server Software
Component: Payments/Refunds
: 1.0
: x86 Mac OS X
P2 normal
: 2013-07-18
Assigned To: Andy McKay [:andym]
Depends on: 852720 878101 878103 878105 888415
Blocks: 867282 883388
Reported: 2013-04-30 10:48 PDT by Andy McKay [:andym]
Modified: 2014-07-24 15:43 PDT (History)
Description Andy McKay [:andym] 2013-04-30 10:48:59 PDT
A receipt for an app contains your product domain. That way when you verify the receipt, you can check that the product url matches your hosted app. This will stop people copying valid receipts around for your app.

However a packaged app has no domain. To get packaged apps working we just set it to the marketplace for want of a better idea in bug 784447. That's not such a great idea, since I can take a receipt for packaged app X and copy it over to packaged app Y and it will work great there.

Best idea so far: make a fake domain that's obvious to the end developer. We'd need to surface this in the dev tools so it's clear.
Comment 1 Andy McKay [:andym] 2013-04-30 11:00:34 PDT
Of course, problem is that slugs can change.
Comment 2 Andy McKay [:andym] 2013-04-30 11:05:41 PDT
Rob suggested using the app guid, so the domain could be:

Those can't change.
Comment 3 Andy McKay [:andym] 2013-04-30 11:15:29 PDT
app://app-guid is what Nick suggested and makes sense; we'll just need to change specs and trunion to allow that.
Comment 4 Jonas Sicking (:sicking) No longer reading bugmail consistently 2013-05-12 13:22:33 PDT
I don't quite understand the attack here.

Is the problem that the user purchases an application and receives a valid receipt for that app. He then copies the application files as well as the receipt to another device, thereby being able to use the application on that app as well?

If so, how does giving an application a domain help here? Wouldn't the application running on the other device also have the same domain?
Comment 5 Kumar McMillan [:kumar] (needinfo all the things) 2013-05-13 13:52:29 PDT
I think that is correct: an attacker buys one app legitimately then copies the receipt to use for another app illegitimately.

Andy, is the problem that the developer needs some unique value in the receipt to whitelist? If so, could we use an ID in product.storedata?
Comment 6 Andy McKay [:andym] 2013-05-23 14:04:58 PDT
They could use product.storedata, but they wouldn't know the data beforehand and it's specific to the store. So we'd have to expose that information.

Plus the assumption has been that information is something store specific and something a developer should never worry about.

If an origin is given in the manifest as is suggested in bug 852720, I would much, much rather use that than any made up value.
Comment 7 Andy McKay [:andym] 2013-05-31 09:54:47 PDT
This means that packaged apps will require an origin if they would like to be paid.
Comment 8 Andy McKay [:andym] 2013-05-31 09:55:48 PDT
Let's use the origin from the manifest to populate the receipt. This means the developer will know the value before it goes to the marketplace and testing should be possible.
Comment 9 Wil Clouser [:clouserw] 2013-06-14 09:45:53 PDT
This is blocked on bug 878105 - figuring out if app origins are unique or not.
Comment 10 Andy McKay [:andym] 2013-06-27 10:25:07 PDT
Comment 11 Andy McKay [:andym] 2013-07-16 13:03:13 PDT
For the record, I reverted in:
Comment 12 Andy McKay [:andym] 2013-07-16 13:37:52 PDT
Comment 13 Victor Carciu 2013-07-17 06:54:36 PDT
Can you please add some STRs to this bug in order to test it?
Comment 14 Andy McKay [:andym] 2013-07-17 11:08:42 PDT
1) Create a paid packaged app. Ensure that the app manifest has an origin.
2) Buy the paid packaged app, examine the receipt contents, and ensure that the receipt product url field matches the origin.

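The product.url check this bug is about, written out as an added Python example (not code from the bug, the Marketplace or trunion): decode the receipt's payload and accept it only when product.url is the origin of the app doing the check, so a receipt bought for packaged app X is rejected when copied to packaged app Y. It assumes the store's signature check (posting the receipt to its verify URL) has already passed; the receipt contents, GUID-style app:// origins and the issuer/verify URLs are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlsplit


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment (JWS style)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def receipt_payload(receipt: str) -> dict:
    """Return the claims of a header.payload.signature receipt.

    Signature validation is not done here: the app is assumed to have
    posted the receipt to the store's verify URL and got status "ok".
    """
    parts = receipt.split(".")
    if len(parts) != 3:
        raise ValueError("receipt is not a three-part JWS")
    return json.loads(_b64url_decode(parts[1]))


def origin_of(url: str) -> str:
    """Reduce a URL to scheme://host[:port], lowercased; the path is ignored."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        raise ValueError(f"not an absolute URL: {url!r}")
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def receipt_matches_app(receipt: str, app_origin: str) -> bool:
    """True only if the receipt was issued for the app whose origin is app_origin."""
    payload = receipt_payload(receipt)
    if payload.get("typ") != "purchase-receipt":
        return False
    product_url = payload.get("product", {}).get("url")
    if not product_url:
        return False  # a receipt with no product url identifies nothing
    return origin_of(product_url) == origin_of(app_origin)


def make_unsigned_receipt(product_url: str) -> str:
    """Build a constructed, unsigned receipt in JWS layout for offline use only."""
    payload = {
        "typ": "purchase-receipt",
        "product": {"url": product_url, "storedata": "id=12345"},  # constructed
        "iss": "https://marketplace.example/",  # placeholder issuer
        "verify": "https://marketplace.example/verify/",  # placeholder verify URL
    }
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT'})}.{enc(payload)}.signature-omitted"


if __name__ == "__main__":
    receipt_x = make_unsigned_receipt("app://aaaa-guid-of-app-x")  # constructed GUID origin
    print(receipt_matches_app(receipt_x, "app://aaaa-guid-of-app-x"))  # True
    print(receipt_matches_app(receipt_x, "app://bbbb-guid-of-app-y"))  # False: copied to app Y
```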