Closed Bug 922604 Opened 11 years ago Closed 11 years ago

Paid apps in Firefox Marketplace are easily piratable.

Categories

(Marketplace Graveyard :: Payments/Refunds, defect)

defect
Not set
normal

Tracking

(Not tracked)

VERIFIED WONTFIX

People

(Reporter: developer.kishor, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0 (Beta/Release)
Build ID: 20130910160258

Steps to reproduce:

Hi guys,
   I am a 16-year-old student from India, and I am an Android developer. I was developing an app that uses Firefox Marketplace as a market for web apps on Android. While making it I found that the apps from Firefox Marketplace are easily piratable. In just a few steps, we can download packaged paid apps. Please make payment more secure.

SINCE THIS IS A MAJOR ISSUE, I AM NOT POSTING THE STEPS TO REPRODUCE. FOR REFERENCE, PLEASE CONTACT ME AT developer.kishor@gmail.com .

THE APP I MADE IS AT http://download.cnet.com/ClouDroid/3000-2381_4-75998303.html


Actual results:

The paid apps are easily downloadable without payment.

Packaged and hosted apps are downloadable and installable without payment by design. We check app payments by use of a receipt mechanism. The receipts are documented here:

https://marketplace.firefox.com/developers/docs/payments

If you have a security bug you can check the box that marks the bug as confidential and that means it will be confidential to the security team:

http://www.mozilla.org/security/bug-bounty.html
http://www.mozilla.org/en-US/about/governance/policies/security-group/bugs/
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX

But most paid apps are packaged, i.e. they don't need an internet connection, so how will the receipt be validated?

Here is how to download paid apps.
_________________________________


> Right click on the install button of any paid app 
> Select inspect element
> Now we will get the manifest URL and everything else is just simple.

(In reply to Andy McKay [:andym] from comment #1)
> Packaged and hosted apps are downloadable and installable without payment by
> design. We check app payments by use of a receipt mechanism. The receipts
> are documented here:
> 
> https://marketplace.firefox.com/developers/docs/payments
> 
> If you have a security bug you can check the box that marks the bug as
> confidential and that means it will be confidential to the security team:
> 
> http://www.mozilla.org/security/bug-bounty.html
> http://www.mozilla.org/en-US/about/governance/policies/security-group/bugs/
Status: RESOLVED → UNCONFIRMED
Resolution: WONTFIX → ---

So what is a possible way to fix this problem? An app market should not allow piracy of the apps. So is there any fix for this issue? As far as I know, I didn't find any receipt checking in apps. I hope a possible fix may be found soon.
(In reply to Kishor V from comment #2)
> But most paid apps are packaged. ie they don't need an internet connection,
> so how will the receipt be validated?

A packaged app does not require an internet connection, but neither do hosted apps if they have a fully cached app through app cache. The receipt is a signed JSON data structure that needs to be validated by the app developer. It is optional if they would like to send it to Mozilla server for verification.

The receiptverifier library will do that for you (https://github.com/mozilla/receiptverifier) although you could also write your own code to do this.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
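As an added illustration of the receipt check described in the comment above (this is example code, not code from this bug, from the Marketplace, or from the receiptverifier library): a packaged app can decode the receipt JWT's claims locally and reject obviously wrong receipts before asking the store's verifier to check the signature. Claim names follow the Mozilla web-app receipt format; the trusted verifier host, the app origin and the sample receipt are constructed assumptions.

```javascript
// Added example, not code from this bug, the Marketplace or receiptverifier.
// Claim names follow the Mozilla web-app receipt format; the trusted verifier
// host, app origin and sample receipt below are constructed assumptions.
const TRUSTED_VERIFIER_HOSTS = ['receiptcheck.marketplace.example']; // assumed
const APP_ORIGIN = 'https://example-app.invalid';                    // assumed
function b64url(obj) { // base64url-encode a JSON object (used for the sample)
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
}
// Decode the JWT payload only. The app cannot check the store's signature
// offline; that is the verifier's job, so the `verify` URL must itself be trusted.
function decodeReceipt(receipt) {
  const parts = receipt.split('.');
  if (parts.length !== 3) throw new Error('receipt is not a JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
}

// Local claim checks before the receipt is POSTed to c.verify.
function checkReceiptClaims(receipt, nowSec = Math.floor(Date.now() / 1000)) {
  const c = decodeReceipt(receipt);
  if (c.typ !== 'purchase-receipt') return 'wrong-type';
  if (!c.product || c.product.url !== APP_ORIGIN) return 'wrong-product';
  // A forged receipt could point at a verifier that always answers "ok",
  // so the host is compared against a fixed allow-list, not taken on trust.
  let host;
  try { host = new URL(c.verify).host; } catch (e) { return 'bad-verify-url'; }
  if (!TRUSTED_VERIFIER_HOSTS.includes(host)) return 'untrusted-verifier';
  if (typeof c.nbf === 'number' && nowSec < c.nbf) return 'not-yet-valid';
  if (typeof c.exp === 'number' && nowSec >= c.exp) return 'expired';
  return 'ok';
}

// Map the verifier's JSON reply ({"status": ...}) to an app decision;
// anything other than a definite "ok" keeps paid content locked.
function verifierDecision(reply) {
  const status = (reply && reply.status) || 'invalid';
  if (status === 'ok') return 'unlock';
  return status === 'pending' ? 'retry-later' : 'locked';
}

// Constructed sample receipt (header.payload.signature) for a self-test.
function sampleReceipt(overrides = {}) {
  const payload = Object.assign({
    typ: 'purchase-receipt', product: { url: APP_ORIGIN, storedata: 'id=1' },
    user: { type: 'directed-identifier', value: 'u1' }, iss: 'https://marketplace.firefox.com',
    verify: 'https://receiptcheck.marketplace.example/verify/1',
    nbf: 1380000000, iat: 1380000000, exp: 1400000000 }, overrides);
  return `${b64url({ alg: 'RS512', typ: 'JWT' })}.${b64url(payload)}.sig`;
}
```

The signature itself is only checked by the verifier named in `verify`, which is why that host is pinned to an allow-list here rather than trusted as found in the receipt.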
(In reply to Kishor V from comment #3)
> So what is a possible way to fix this problem. An app market should not
> allow piracy of the apps. So is there any fix for this issue. According to
> my knowledge , i didn't found any receipt checking in apps. I hope a
> possible fix may be found soon.

It depends on what apps you are looking at; we warn developers if we find an app does not do receipt checking when it is reviewed in the marketplace. It's their choice whether they want to do the receipt checking or not.
Resolution: FIXED → WONTFIX
Status: RESOLVED → VERIFIED