Mobile in-app purchase revenue reached 2 billion dollars in 2011 and is projected to reach 15 billion in 2015. In app purchases are a big deal; however, Android's In App Billing (IAB) API is confusing and often poorly implemented by application developers. This leads to flaws that can be exploited by attackers to circumvent the purchasing process and results in lost revenue for application creators. 'Hacked' APKs exist for just about every popular Android application that bypass the in app purchasing process; not only do these cost developers in lost revenue, they are also persistent vectors of mobile malware. During this talk, we will examine the IAB implementations of some of the top-grossing applications on Google Play and identify vulnerabilities and their remediation. We will also briefly look at popular Android applications Freedom and Lucky Patcher that focus on bypassing IAB and the mechanisms they employ to achieve this. We will conclude with some best practices to follow when implementing IAB in an Android application.
Copyright © 2004-2019. Virtual Security Research, LLC. All rights reserved. Design by Star Graphic Design