
Google Play Billing Bypass

Posted Oct 29, 2013
Authored by Dominik Schurmann

All Google Play Billing Library 3 versions before Oct, 8 distributed via Android SDK and marketbilling on Googlecode are susceptible to impersonation and signature verification vulnerabilities.

tags | advisory, vulnerability, bypass
SHA-256 | f68f31523fe048d0a532378407c09820e34245d3b9aac37fc00b428562210019

HTML Version with Screenshots:

I successfully exploited two bugs in Google Play Billing Library, which
allow impersonating the Google Play billing service and circumventing the
signature verification. I was able to retrieve unlimited amounts of
in-app items in games like Temple Run 2, which uses this library.

This blog post was released earlier than previously negotiated with
Google, because Google was unable to provide proper attribution (they
even stated “we recently discovered” in an email sent to Android
developers). Additionally, they ignored questions regarding other bad
security practices in this library. More information can be found before
the conclusion.

Vulnerable libraries

All Google Play Billing Library v3 versions before Oct, 8 distributed
via Android SDK and marketbilling on Googlecode.

Problem description

- Any app can define a new intent-filter with a high priority to
impersonate the official in-app billing service. See my
AndroidManifest.xml for how to do that.
- Signature verification returns true if given INAPP_DATA_SIGNATURE is
an empty String (“”).

Proposed fixes

Browse the diff
and merge the modifications into the appropriate parts of your code.

Proof of concept

- Clone https://github.com/dschuermann/billing-hack, compile the
project, and install the APK on your device.
- Then install Temple Run 2 or similar apps, and go to the in-app items
and “buy” some items.

Remarks about the vulnerabilities

The impersonation vulnerability is quite interesting, because it shows
that an Android principle regarding IPC with Intents was ignored. If an
app, e.g., Google Play Services, registers an Intent filter providing an
AIDL remote service, any other app can also do that using the same name.
To prevent collisions, the simplest fix is to restrict the scope of
the Intent used for binding to that service from client side by setting

The other bug is a typical crypto implementation fail, but there is also
a take-home message here. The verify method checks if the signature
String is empty before going on to the actual verification.
Unfortunately the method returns true per default at the bottom of the
method. In my opinion verification methods should be always programmed
with this in mind: always return false, return true only on success!
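
The fail-open pattern described above next to a fail-closed version, as an added example that is not the library's code and not from the original post. Class and method names are hypothetical, the key pair and purchase data are constructed for the demo, and SHA256withRSA is an assumed algorithm choice.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

// Added illustration; names are hypothetical, not the billing library's.
public class FailClosedVerify {

    // Pattern described above: the check is skipped for an empty signature
    // and the method falls through to "return true".
    static boolean verifyFailOpen(PublicKey key, String data, String sigB64) {
        if (sigB64 != null && !sigB64.isEmpty()) {
            if (!rsaVerify(key, data, sigB64)) return false;
        }
        return true; // reached without any verification when sigB64 is ""
    }

    // Fail closed: every path returns false except a successful verification.
    static boolean verifyFailClosed(PublicKey key, String data, String sigB64) {
        if (key == null || data == null || sigB64 == null || sigB64.isEmpty()) return false;
        return rsaVerify(key, data, sigB64);
    }

    static boolean rsaVerify(PublicKey key, String data, String sigB64) {
        try {
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initVerify(key);
            s.update(data.getBytes(StandardCharsets.UTF_8));
            return s.verify(Base64.getDecoder().decode(sigB64));
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false; // malformed Base64 or signature encoding counts as failure
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair(); // throwaway key for the demo
        String data = "{\"productId\":\"constructed.sample.item\"}"; // constructed sample
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(kp.getPrivate());
        signer.update(data.getBytes(StandardCharsets.UTF_8));
        String good = Base64.getEncoder().encodeToString(signer.sign());

        System.out.println("fail-open,   valid sig: " + verifyFailOpen(kp.getPublic(), data, good));
        System.out.println("fail-open,   empty sig: " + verifyFailOpen(kp.getPublic(), data, ""));
        System.out.println("fail-closed, valid sig: " + verifyFailClosed(kp.getPublic(), data, good));
        System.out.println("fail-closed, empty sig: " + verifyFailClosed(kp.getPublic(), data, ""));
    }
}
```

A unit test for any verification routine should include the empty, null and malformed signature cases alongside a wrong-key case, since these are the inputs that expose a default-true return.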

Remarks about Responsible Disclosure Process

After reporting the vulnerability and some emails back and forth, I got
an email to my Google Play developer email account, informing me about
the following:

“If you previously used the In-app billing sample code to build your
in-app billing system, please use the recently-updated sample code as it
addresses an exploitable flaw we recently discovered (note that this
only affects the helper sample code; the core system and in-app billing
service itself was not affected).”

I think it’s unfair that they were unable to provide attribution,
especially as I explicitly asked about mentioning me as a security
researcher in prior communication with them. Additionally, Google paid
no bug bounty, although this library is quite important as many app
developers rely on it for in-app billing.


If you are a programmer, consider working with us on OpenPGP Keychain to
provide secure emailing for Android. I will help on pull requests and be
happy about every commit!
