Abusing Google Play Billing for Fun and Unlimited Credits!

Presented at DeepSec 2019 „Internet of Facts and Fears“, Unknown date/time (Unknown duration)

In 2017, the estimated global in-app purchase revenue was projected to exceed $37 billion. Just in the Google Play Store, for 2018, more than 200 000 apps are offering in-app purchases. However, the Google Play Billing API is vulnerable by design and allows an attacker to bypass the payment process. I analyzed several android games and found that it's possible to bypass the payment process. This presentation will show real vulnerable applications (Fruit Ninja, Doodle Jump, etc.).

Presenters:

• Guillaume Lopes - RandoriSec
  Guillaume Lopes is a pentester with 10 years of experience in different fields (Active Directory, Windows, Linux, Web applications, Wifi, Android). Currently he's working as a Senior Penetration Tester at RandoriSec and also as a member of the Checkmarx Application Security Research Team. He also likes to play CTF (Hackthebox, Insomni'hack, Nuit du Hack, BSides Lisbon, etc.) and gives a hand to the Tipi'hack team.

Links:

• https://deepsec.net/archive/2019.deepsec.net/speaker.html#PSLOT441
• https://infocon.org/cons/DeepSec/DeepSec 2019/Abusing Google Play Billing for Fun and Unlimited Credits - Guillaume Lopes.mp4

Similar Presentations:

• DEF CON 31 (2023) / GhostToken: Exploiting Google Cloud Platform App Infrastructure to Create Unremovable Trojan Apps
• DEF CON 21 (2013) / Android WebLogin: Google's Skeleton Key
• NolaCon 2015 / Breaking and Fixing Android In App Purchases