Security and quality
How we protect the Packing Station plugin, Android app, and license flow.
Packing Station connects a WooCommerce order screen, an Android companion app, local printers, and license activation. This page explains the practical security and quality controls we use, what is checked before release, and which independent trust signals are planned before go-live.
In place
Orders stay on your store
The Android app opens the Packing Station order feed from your own WooCommerce site. Order data is not routed through an Ateqa cloud print queue.
In place
Stripe checkout
License purchases use Stripe Checkout. Ateqa does not store card numbers in the license-manager plugin.
In place
Signed licenses
License keys are signed using public/private key cryptography. The Android app validates the signed license rather than trusting plain text fields alone.
WordPress plugin
Packing Station for WooCommerce
The WordPress plugin is designed to keep packing-station staff away from wp-admin while still giving them the order information and actions they need.
- Uses WordPress roles, capabilities, nonces, and REST permission checks for order-feed actions.
- Escapes output and sanitizes submitted values using WordPress APIs.
- Provides a dedicated Packing Station role so staff do not need administrator access.
- Uses WooCommerce and WordPress APIs rather than direct, unaudited order updates wherever possible.
- Will be checked with WordPress Plugin Check before public release updates.
Android companion app
Packing Station Print App
The Android app is a focused WebView and local print bridge for the Packing Station order feed. It is intentionally narrow in scope.
- Requests only the permissions needed for web access and local printer connectivity.
- Uses Android Bluetooth permission prompts on Android 12 and newer before listing paired Bluetooth printers.
- Prints locally to the printer connected to the Android device; no cloud print relay is required.
- Uses a release APK for distribution, signed with the Ateqa app signing key before go-live.
- Will be submitted to Google Play before go-live. The placeholder listing link is available above and will be replaced with the live Play Store URL.
Before go-live
Patchstack disclosure route
We are preparing a Patchstack managed vulnerability disclosure program for the WordPress plugin so security researchers have a clear, responsible route to report issues.
Before go-live
Plugin quality checks
Release checks include PHP syntax checks, WordPress Plugin Check, Android build checks, and real-device print testing where possible.
Payment data
Card payments are handled by Stripe. The license-manager plugin stores license records and Stripe references, not raw card details.
License retrieval
Customers retrieve license keys using their purchase email and a time-limited verification code, with rate limiting on public forms.
HTTPS expected
The license-manager plugin warns administrators when the site is not running HTTPS, because checkout, webhooks, and license delivery should use a secure connection.
Security issue?
Please do not post suspected vulnerabilities publicly. Use the Patchstack disclosure route when available, or contact support with enough detail for us to reproduce and fix the issue.