Unbillable: Exploiting Android In App Purchases - Alfredo Ramirez Derbycon 2015 (Hacking Illustrated Series InfoSec Tutorial Videos)

Unbillable: Exploiting Android In App Purchases
Alfredo Ramirez
Derbycon 2015

Mobile in-app purchase revenue reached 2 billion dollars in 2011 and is projected to reach 15 billion in 2015. In-app purchases are an increasingly large revenue stream and now account for over 75% of mobile application revenue; however, Android's In App Billing (IAB) API is confusing and often poorly implemented by application developers. This leads to flaws that can be exploited by attackers to circumvent the purchasing process and results in lost revenue for application creators. Cracked APKs that bypass the in-app purchasing process exist for just about every popular Android application; not only do these cost developers in lost revenue, they are also persistent vectors of mobile malware.

During this talk, we will review Android's IAB API and then we will examine the IAB implementations of some of the top-grossing applications on Google Play and identify vulnerabilities and their remediation. We will discuss how to exploit real-world apps using the Cydia Substrate framework. We will also briefly look at popular Android applications Freedom and Lucky Patcher that focus on bypassing IAB and the mechanisms they employ to achieve this. We will conclude with some best practices to follow when implementing IAB in an Android application and propose potential solutions for the existing problems with IAB implementation in the Google Play market.

I am a Senior Security Consultant at VSRh in Boston with a background in web, mobile and product security. I previously worked at Tenable Network Security where I wrote Nessus plugins. My interest in In App Billing sparked a few years ago when I saw someone playing Candy Crush and wondered if I could get those Lollipop Hammers for free. It turns out I could. http://www.linkedin.com/in/aramirezjr www.vsecurity.com


Copyright 2020, IronGeek