Breaking and Fixing Android In App Purchases

Presented at NolaCon 2015, June 14, 2015, 10 a.m. (Unknown duration)

Mobile in-app purchase revenue reached 2 billion dollars in 2011 and is projected to reach 15 billion in 2015. In-app purchases are a big deal; however, Android's In-App Billing (IAB) API is confusing and often poorly implemented by application developers. This leads to flaws that attackers can exploit to circumvent the purchasing process, resulting in lost revenue for application creators. 'Hacked' APKs that bypass the in-app purchasing process exist for just about every popular Android application; not only do these cost developers lost revenue, they are also persistent vectors of mobile malware. During this talk, we will examine the IAB implementations of some of the top-grossing applications on Google Play and identify vulnerabilities and their remediation. We will also briefly look at the popular Android applications Freedom and Lucky Patcher, which focus on bypassing IAB, and the mechanisms they employ to achieve this. We will conclude with some best practices to follow when implementing IAB in an Android
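As an added example (not code from the talk or its author), the Python below contrasts the flawed pattern the abstract alludes to with the remediation. IAB v3 hands an app two strings: INAPP_PURCHASE_DATA (a JSON document) and INAPP_DATA_SIGNATURE (Base64 SHA1withRSA over the exact bytes of that JSON, made with the key whose public half the Play Console shows the developer). A client that only inspects the JSON accepts a forged purchase; a check that verifies the signature and then validates productId, purchaseState and developerPayload rejects it. A throwaway RSA key generated at runtime stands in for the real licensing key so the example runs offline, and the purchase JSON, order id and nonce are constructed.

```python
"""IAB purchase verification: naive client check vs. signature check (added example)."""
import base64
import hashlib
import json
import secrets

# ---- minimal SHA1withRSA (PKCS#1 v1.5) so the example runs without a crypto library ----
_SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")  # DER prefix for SHA-1


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test, enough for a demo key."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Demo-sized key; a real Play licensing key is 2048-bit and comes from the console."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _emsa_pkcs1_v15(message, k):
    t = _SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too small for PKCS#1 v1.5")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign_sha1_rsa(priv, message):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(_emsa_pkcs1_v15(message, k), "big")
    return pow(em, d, n).to_bytes(k, "big")


def verify_sha1_rsa(pub, message, signature):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return secrets.compare_digest(em, _emsa_pkcs1_v15(message, k))


# ---- the IAB side ----
PURCHASED = 0  # purchaseState in the IAB v3 JSON: 0 purchased, 1 canceled, 2 refunded


def make_signed_purchase(priv, sku, payload, state=PURCHASED):
    """Stand-in for what Play returns; all field values here are constructed."""
    purchase = {
        "orderId": "GPA.0000-0000-0000-00000",  # constructed, not a real order id
        "packageName": "com.example.app",
        "productId": sku,
        "purchaseTime": 1434268800000,
        "purchaseState": state,
        "developerPayload": payload,
        "purchaseToken": "constructed-token",
    }
    purchase_data = json.dumps(purchase, separators=(",", ":"))
    sig = sign_sha1_rsa(priv, purchase_data.encode("utf-8"))
    return purchase_data, base64.b64encode(sig).decode("ascii")


def naive_client_check(purchase_data, expected_sku):
    """The flawed pattern: trust the JSON and never look at the signature."""
    try:
        purchase = json.loads(purchase_data)
    except ValueError:
        return False
    return purchase.get("productId") == expected_sku and purchase.get("purchaseState") == PURCHASED


def verify_purchase(play_public_key, purchase_data, signature_b64, expected_sku, expected_payload):
    """Return the parsed purchase only if its signature and fields check out, else None.
    Run this on your server: a client-side copy is what patchers strip out."""
    try:
        sig = base64.b64decode(signature_b64, validate=True)
    except ValueError:
        return None
    # Verify the raw string Play handed back; re-serialising the JSON would change the bytes.
    if not verify_sha1_rsa(play_public_key, purchase_data.encode("utf-8"), sig):
        return None
    purchase = json.loads(purchase_data)
    if purchase.get("productId") != expected_sku or purchase.get("purchaseState") != PURCHASED:
        return None
    if purchase.get("developerPayload") != expected_payload:  # nonce issued by your server
        return None
    return purchase


if __name__ == "__main__":
    pub, priv = generate_keypair()
    data, sig = make_signed_purchase(priv, "premium", "nonce-1")
    forged = data.replace('"premium"', '"gold"')  # attacker edits the JSON, keeps the signature
    print("naive check accepts forgery:", naive_client_check(forged, "gold"))
    print("signed check accepts forgery:", verify_purchase(pub, forged, sig, "gold", "nonce-1") is not None)
```

The developerPayload check matters as much as the signature: without a server-issued nonce a genuinely signed purchase can be replayed against another account, and the signature alone cannot tell the two apart.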


Presenters:

  • Alfredo Ramirez
    Alfredo is a Senior Security Consultant at Virtual Security Research in Boston with a background in web, mobile and product security. Previously Alfredo worked at Tenable Network Security, where he wrote Nessus plugins.
