Re: [webpayments] How are third-party native wallets integrated? (#42)

> One benefit with regular web applications rendered in a special window is that we can require that the app has to be loaded from an https site protected by an Extended Validation (EV) certificate. That way the app can prove the identity of the app vendor, and we can show the vendor identity to the user. This will make it much harder for a phishing site to create a fake payment app and convince a user to install it. I don't know of any such mechanism for native apps, at least not for Android, or extensions.

@haavardmolland: On Android perhaps we can use [App Linking](http://developer.android.com/training/app-links/index.html). In summary, there're 3 steps:

1. Merchant says they support payment app "https://thepaymentapp.com/pay".
2. Chrome downloads "https://thepaymentapp.com/.well-known/assetlinks.json".
3. Chrome compares SHA256 fingerprint of the Android app to the fingerprint specified in "assetlinks.json".

Step 3 can also include EV certificate validation for https://thepaymentapp.com.

---
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webpayments/issues/42#issuecomment-185510999

Received on Thursday, 18 February 2016 02:18:33 UTC
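The fingerprint comparison in step 3 of the message above, as an added example that is not part of the original message and is not Chrome's code. It assumes the Digital Asset Links statement-list format that App Links uses for `assetlinks.json`; the package name, certificate bytes and the reuse of the App Links relation for payment apps are assumptions made for illustration.

```python
import hashlib
import json

# Relation used by Android App Links; reusing it for payment apps is an assumption.
RELATION = "delegate_permission/common.handle_all_urls"

def cert_fingerprint(cert_der):
    """SHA-256 over the DER-encoded signing certificate, lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()

def normalize(fp):
    """Accept 'AA:BB:...' or plain hex; return lowercase hex, None if malformed."""
    if not isinstance(fp, str):
        return None
    hexed = fp.replace(":", "").lower()
    valid = len(hexed) == 64 and all(c in "0123456789abcdef" for c in hexed)
    return hexed if valid else None

def app_is_linked(assetlinks_text, package_name, cert_der):
    """Step 3: True only if a statement names this package and this signing cert."""
    try:
        statements = json.loads(assetlinks_text)
    except ValueError:
        return False  # malformed file: fail closed
    if not isinstance(statements, list):
        return False
    actual = cert_fingerprint(cert_der)
    for st in statements:
        target = st.get("target") if isinstance(st, dict) else None
        if not isinstance(target, dict):
            continue
        relation = st.get("relation")
        fps = target.get("sha256_cert_fingerprints")
        if not isinstance(relation, list) or not isinstance(fps, list):
            continue
        if (RELATION in relation and target.get("namespace") == "android_app"
                and target.get("package_name") == package_name
                and actual in [normalize(fp) for fp in fps]):
            return True
    return False

# Constructed sample data: placeholder bytes stand in for real DER certificates,
# and the package name is hypothetical.
GENUINE_CERT = b"constructed-genuine-signing-cert"
REPACKAGED_CERT = b"constructed-repackaged-app-cert"
_h = cert_fingerprint(GENUINE_CERT).upper()
SAMPLE_ASSETLINKS = json.dumps([{"relation": [RELATION], "target": {
    "namespace": "android_app", "package_name": "com.thepaymentapp.wallet",
    "sha256_cert_fingerprints": [":".join(_h[i:i + 2] for i in range(0, 64, 2))]}}])
```

An app re-signed with a different key, or one that reuses the genuine package name under another certificate, fails the check because both the package name and the fingerprint must match the same statement.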