New Contributor
Myrth
Posts: 6
Registered: ‎05-30-2013
My Device: PlayBook, BB10 DevAlpha B

Dynamic license request protection

Hi,

How can we ensure that a dynamic license request (IAP native API for PlayBook and BB10) comes to our server from the BBW server, and not from some attacker? Are there any security tools provided that will prevent acquiring in-app digital goods by simply netcat'ing our server with a BBW-like request?

I understand that I can add an extra request from inside the application to my server to verify that key (as mentioned here), but that request can also be forged. I cannot imagine any logic right now that would be secure, and not some security-by-obscurity.

My employer won't allow me to release the application I'm porting right now on BBW if there's no reliable piracy protection.

Apple has an HTTPS receipt verify API (link); Google allows uploading an RSA key to sign our receipts with (link); MS has a public key available to check its signed receipts (link). Blackberry is widely known for its strong security support, so is there any way to verify the money transaction?

Developer
dbb
Posts: 39
Registered: ‎03-17-2009
My Device: Not Specified

Re: Dynamic license request protection

I've never seen a better answer to this than to check the incoming IP address. My understanding (using CIDR notation) is that the range for BlackBerry is 208.65.72.0/21. Confirmation from official BlackBerry personnel would be great.
New Contributor
Myrth
Posts: 6
Registered: ‎05-30-2013
My Device: PlayBook, BB10 DevAlpha B

Re: Dynamic license request protection

Still waiting for Blackberry officials to reply...

Retired
gbeukeboom
Posts: 2,559
Registered: ‎10-16-2009
My Device: BlackBerry Z10

Re: Dynamic license request protection

dbb is correct, the best way to validate would be to check the incoming IP address. The ranges are:

 208.65.77.0/24
 208.65.78.0/24

Garett
@garettBeuk
--
Goodbye everybody!
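An added example, not code from this thread or from BlackBerry, of the server-side check Garett and dbb describe: the license endpoint accepts a request only when the TCP peer address is inside the posted ranges and the body carries the form-urlencoded content type that dbb observed. The handler shape, the sample body and its field names are assumptions; the ranges are the ones posted above.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs

# Ranges posted by gbeukeboom in this thread. Keep them in configuration so
# they can be updated without a code change if BlackBerry publishes new ones.
APPWORLD_RANGES = [ip_network("208.65.77.0/24"), ip_network("208.65.78.0/24")]

# Content type dbb saw in real requests (the PDF's value was wrong).
EXPECTED_CONTENT_TYPE = "application/x-www-form-urlencoded"


def is_from_appworld(remote_addr: str) -> bool:
    """True if the socket peer address falls inside an allowed range.

    Pass the TCP peer address, never a client-supplied header such as
    X-Forwarded-For, unless a proxy you control overwrites that header.
    """
    try:
        addr = ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in APPWORLD_RANGES)


def within_range(cidr: str) -> bool:
    """True if every allowed range is contained in `cidr` (e.g. dbb's /21 guess)."""
    outer = ip_network(cidr)
    return all(net.subnet_of(outer) for net in APPWORLD_RANGES)


def handle_license_request(remote_addr: str, content_type: str, body: str):
    """Return (403, None) for a peer outside the allow-list, (415, None) for an
    unexpected Content-Type, otherwise (200, dict of form fields)."""
    if not is_from_appworld(remote_addr):
        return 403, None
    if content_type.split(";")[0].strip().lower() != EXPECTED_CONTENT_TYPE:
        return 415, None
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return 200, fields


# Constructed sample body; field names are placeholders, not BlackBerry's.
SAMPLE_BODY = "sku=EXAMPLE_SKU&transactionid=TX_PLACEHOLDER"

if __name__ == "__main__":
    print(handle_license_request("208.65.77.10", EXPECTED_CONTENT_TYPE, SAMPLE_BODY))
    print(handle_license_request("198.51.100.7", EXPECTED_CONTENT_TYPE, SAMPLE_BODY))
    print(handle_license_request("208.65.78.3", "text/plain", SAMPLE_BODY))
```

A source-address check only works if the endpoint is reached directly or through a proxy that records the real peer; it does not authenticate the request content itself.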
Developer
dbb
Posts: 39
Registered: ‎03-17-2009
My Device: Not Specified

Re: Dynamic license request protection

Thanks for the response, Garett. It would be great if that information were put in the "Dynamic License Flow" document: http://us.blackberry.com/developers/appworld/Dynamic_License_Flow.pdf, since so far as I can tell, it's not in any official place. I know that there are several posts in the developer support forums on this topic and that I spent hours trying to figure out a close (but not fully correct) answer. I imagine I'm far from the only one.

BTW, if somebody's fixing that document, I've noticed something that is slightly off: it says that the BlackBerry dynamic license request is made with the header

Content-Type: application/www-url-encoded

but my logs actually show a content type header value of

application/x-www-form-urlencoded


Retired
gbeukeboom
Posts: 2,559
Registered: ‎10-16-2009
My Device: BlackBerry Z10

Re: Dynamic license request protection

That doc is actually very outdated; it was created for app-level dynamic licensing, which isn't supported on BlackBerry 10. This data was, and should be added back to, the vendor portal. It would make sense to have this info available right where the digital goods are being added.

I will make sure to let our docs folks know.

Thanks!

Garett
@garettBeuk
--
Goodbye everybody!
New Developer
VestniK
Posts: 2
Registered: ‎05-23-2013
My Device: Blackberry PlayBook

Re: Dynamic license request protection

Are there any plans to implement some secure way to check that the dynamic license request came from the AppWorld server?
Retired
gbeukeboom
Posts: 2,559
Registered: ‎10-16-2009
My Device: BlackBerry Z10

Re: Dynamic license request protection

VestniK wrote:
Are there any plans to implement some secure way to check that the dynamic license request came from the AppWorld server?

What are your main concerns with the present method? There should be ways to validate the transaction in the future that will be separate from dynamic licenses, but we are still working on a solution.

Garett
@garettBeuk
--
Goodbye everybody!