06-03-2013 07:07 AM
how can we ensure that dynamic license request (IAP native API for playbook and bb10) comes to our server from BBW server, and not from some attacker? Is there any security tools provided that will prevent acquiring in-app digital goods by simply netcat`ing our server with bbw-like request?
I understand that I can add extra request from inside the application to my server to verify that key (as mentioned here), but that request can also be forged. I cannot imagine any logic right now that would be secure, and not some security-by-obscurity.
My employer won't allow to release the application I'm porting right now on BBW, if there's no reliable piracy protection
Apple has HTTPS receipt verify API (link); Google allows uploading RSA key to sign our receipts with (link); MS has public key available to check its signed receipts (link). Blackberry is widely known for its strong security support, is there any way to verify the money transaction?
06-03-2013 02:30 PM
06-06-2013 06:46 PM
dbb is correct, the best way to validate would be to check the incoming IP address. The ranges are:
06-06-2013 07:36 PM
Thanks for the response, Garett. It would be great if that information were put in the "Dynamic License Flow" document: http://us.blackberry.com/developers/appworld/Dynam
BTW, if somebody's fixing that document, I've noticed something that is slightly off: It says that the BlackBerry dynamic license request is made with header
but my logs actually show a content type header value of
06-06-2013 11:44 PM
That doc is actually very outdated, it was created for app-level dynamic licensing which isn't supported on BlackBerry 10. This data was, and should be added back to, the vendor portal. It would make sense to have this info available right where the digital goods are being added.
I will make sure to let our docs folks know.
06-10-2013 08:11 AM
Are tere any plans to implement some secure way to check then dynamic license request came from AppWorld server?
What are your main concerns with the present method? There should be ways to validate the transaction in the future that will be separate from dynamic licenses, but still working on a solution.