Unbillable: Exploiting Android in App Purchases

Mobile in-app purchase revenue reached 2 billion dollars in 2011 and is projected to reach 15 billion in 2015. In-app purchases are an increasingly large revenue stream and now account for over 75% of mobile application revenue; however, Android’s In-App Billing (IAB) API is confusing and often poorly implemented by application developers. This leads to flaws that attackers can exploit to circumvent the purchasing process, resulting in lost revenue for application creators. Cracked APKs that bypass the in-app purchasing process exist for just about every popular Android application; not only do these cost developers lost revenue, they are also persistent vectors of mobile malware. During this talk, we will review Android’s IAB API and then examine the IAB implementations of some of the top-grossing applications on Google Play, identifying vulnerabilities and their remediation. We will discuss how real-world apps are exploited using the Cydia Substrate framework. We will also briefly look at Freedom and Lucky Patcher, popular Android applications that focus on bypassing IAB, and the mechanisms they employ to achieve this. We will conclude with best practices to follow when implementing IAB in an Android application and propose potential solutions for the existing problems with IAB implementation in the Google Play market.

Presented by