Open Grant Proposal: iOS In-App Purchase and Attestation Bridge
Name of Project: iOS In-App Purchase and Attestation Bridge
Proposal Category: integration-adoption
Proposer: codynhat
Do you agree to open source all work you do on behalf of this grant and dual-license under MIT, APACHE2, or GPL licenses?: Yes
Project Description
Apple's developer platforms and App Store have various methods of attestation that developers can use to verify app integrity or unlock features. These include:
Verify arbitrary data signed by a valid instance of an app
This project is a set of Lit Actions that act as a bridge between these Apple-specific attestations and the new onchain standard Ethereum Attestation Service (EAS). These onchain attestations would attest that an Ethereum user (wallet) has performed one of these actions in the Apple ecosystem.
Bringing these attestations onchain enables new use cases for dApp developers, including:
Sponsoring gas for users who have downloaded an app
Sponsoring gas for users who have an active In-App Purchase subscription
Providing deeper community access to active users
Allocating voting/governance power to active users
Verifying a specific action was taken by a user in an app
Value
Lit's programmatic signing is a great fit for implementing this bridge. These attestations use various cryptographic standards that can be difficult or very inefficient to use in the EVM. They also require reading certificate chains and verifying the trusted root as Apple, which would require some oracles if implemented in the EVM. Lit is a better solution to both of these problems than implementing a bridge as an EVM smart contract.
This project would bring new app developers to Lit who are looking to enable functionality for their iOS users in a Web3-native way. It can also set an example for how a solution like Lit can integrate with Ethereum Attestation Service to bring all kinds of attestations to the Ethereum ecosystem.
Some risks include unknowns around the complexity of verifying these attestations from Apple. They have recently transitioned to adopting JSON Web Signatures (JWS), which should help by allowing the use of existing tools and libraries. There are also unknowns around interacting with the Lit Protocol from an iOS device.
Deliverables
The final deliverables include:
A repository for the Lit Actions and deployments
A proxy service that receives App Store data from clients and forwards to the appropriate Lit PKP
Development Roadmap
Assuming roadmap starts Oct 30.
1. App Store Purchase Attestation
Budget: $2000
Time: Nov 12 (2 weeks)
Attestations needed to verify a user has purchased a specific version of a free or paid app from the App Store.
1a. Device nonce attestation
Define EAS schema to represent nonce attestation
Lit Action attests that a nonce is assigned to a user if it has not already been used
API endpoint to forward this attestation to the Lit action
1b. AppTransaction attestation
Define EAS schema to represent AppTransaction
Lit Action attests that an AppTransaction is valid and belongs to the user linked to the device nonce
API endpoint to forward this attestation to the Lit action
2. In-App Purchase Attestation
Budget: $1500
Time: Nov 26 (2 weeks)
Attestations needed to verify a user has purchased a specific in-app purchase from a particular app in the App Store. Includes consumables, non-consumables, and subscriptions.
2a. App account token attestation
Define EAS schema to represent appAccountToken
Lit Action attests that a UUID is assigned to a user if it has not already been used
API endpoint to forward this attestation to the Lit action
2b. Transaction attestation
Define EAS schema to represent Transaction
Lit Action attests that a Transaction is valid and belongs to the user linked to the appAccountToken
API endpoint to forward this attestation to the Lit action
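The bind-then-verify flow of steps 1a/1b and 2a/2b, sketched as an added example (not the proposal's or Lit's code). It assumes a locally generated P-256 key standing in for Apple's leaf signing key, with certificate chain validation up to Apple's root taken as already done, and an in-memory map standing in for the EAS record; the function names and sample values are hypothetical, and the device nonce of step 1 plays the same role as `appAccountToken` here.

```javascript
// Added example: constructed keys and payloads, not Apple's or Lit's code.
const crypto = require("node:crypto");

const b64u = (v) => Buffer.from(v).toString("base64url");

// Stand-in for Apple's leaf signing key (assumption). In the real flow the public
// key comes from the JWS x5c header once the chain is validated to Apple's root.
const { privateKey, publicKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });

// Helper that builds a compact ES256 JWS over a constructed payload.
function signJws(payload, key = privateKey) {
  const input = `${b64u(JSON.stringify({ alg: "ES256" }))}.${b64u(JSON.stringify(payload))}`;
  const sig = crypto.sign("sha256", Buffer.from(input), { key, dsaEncoding: "ieee-p1363" });
  return `${input}.${b64u(sig)}`;
}

// Check the signature with a pinned algorithm; return the payload or null.
function verifyJws(jws, key = publicKey) {
  const parts = jws.split(".");
  if (parts.length !== 3) return null;
  try {
    const header = JSON.parse(Buffer.from(parts[0], "base64url").toString());
    if (header.alg !== "ES256") return null; // rejects "none" and algorithm swaps
    const ok = crypto.verify("sha256", Buffer.from(`${parts[0]}.${parts[1]}`),
      { key, dsaEncoding: "ieee-p1363" }, Buffer.from(parts[2], "base64url"));
    return ok ? JSON.parse(Buffer.from(parts[1], "base64url").toString()) : null;
  } catch {
    return null; // malformed header, payload or signature
  }
}

// Steps 1a/2a: a token is bound to exactly one wallet; the first claim wins.
const bindings = new Map(); // in-memory stand-in for the onchain attestation
function bindToken(token, wallet) {
  if (bindings.has(token)) return false; // already used
  bindings.set(token, wallet.toLowerCase());
  return true;
}

// Steps 1b/2b: attest only when the signed token is bound to the claimed wallet.
function attestTransaction(jws, wallet) {
  const payload = verifyJws(jws);
  if (!payload) return { ok: false, reason: "bad-signature" };
  const owner = bindings.get(payload.appAccountToken);
  if (owner === undefined) return { ok: false, reason: "unbound-token" };
  if (owner !== wallet.toLowerCase()) return { ok: false, reason: "wallet-mismatch" };
  return { ok: true, wallet: owner, productId: payload.productId };
}
```

Without the binding step, a valid signed transaction copied from another user would verify just as well for any wallet that submits it.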
3. App Integrity Attestation
Budget: $1500
Time: Dec 10 (2 weeks)
Attestations that verify some arbitrary piece of data is signed by a valid instance of a particular app. This is done by verifying from Apple that a particular keypair is stored in the on-device Secure Enclave and can only be used by a particular installed app.
3a. App keypair attestation
Define EAS schema to represent keypair linking
Define EAS schema to represent signed data
Lit Action attests that a device attestation is valid and belongs to the user linked to the keypair
API endpoint to forward this attestation to the Lit action
Total Budget Requested
Total Budget $5000
Maintenance and Upgrade Plans
I plan on deploying and maintaining instances of the Lit Actions and a proxy server. I have plans for future projects that will leverage these, and should have the incentive to keep them up and running.
Team
Team Members
Team Member: codynhat
Github: codynhat
Twitter: codynhat
Telegram: codynhat
Team Member LinkedIn Profiles
https://www.linkedin.com/in/codyhatfield/
Team Website
https://codyhatfield.me
Relevant Experience
I have been developing iOS applications for over a decade and have spent the last few years in the Web3 space developing EVM smart contracts and dApps. I have experience from a past employer with verifying In-App purchases on the backend, as well as various device attestation checks across both iOS and Android.
I have not developed a Lit Action before, but have some experience with older versions of the Lit JS SDK using encryption/decryption.
Team code repositories
Github profile
My main project in the Web3 space: https://github.com/Geo-Web-Project
Additional Information
I have been following Lit Protocol for over a year and have known about the open grants program for a while. I probably originally learned about it when browsing the Lit documentation site.
cody.hatfield@me.com Telegram: codynhat