Google Play Billing Bypass

Posted Oct 29, 2013
Authored by Dominik Schurmann

All Google Play Billing Library 3 versions before Oct 8, 2013, distributed via the Android SDK and marketbilling on Google Code, are susceptible to a service impersonation vulnerability and a signature verification bypass.

tags | advisory, vulnerability, bypass
SHA-256 | f68f31523fe048d0a532378407c09820e34245d3b9aac37fc00b428562210019

HTML Version with Screenshots:
http://sufficientlysecure.org/index.php/2013/10/29/google-play-billing-hacked/

I successfully exploited two bugs in Google Play Billing Library, which
allow impersonating the Google Play billing service and circumventing the
signature verification. I was able to retrieve unlimited amounts of
in-app items in games like Temple Run 2, which uses this library.

This blog post was released earlier than previously negotiated with
Google, because Google was unable to provide proper attribution (they
even stated “we recently discovered” in an email sent to Android
developers). Additionally, they ignored questions regarding other bad
security practices in this library. More information can be found before
the conclusion.

Vulnerable libraries
--------------------

All Google Play Billing Library v3 versions before Oct 8, 2013, distributed
via the Android SDK and marketbilling on Google Code.

Problem description
-------------------

- Any app can declare a service with an intent-filter for the billing
bind action and give it a high android:priority, so that it wins the
implicit Intent resolution and impersonates the official in-app billing
service. See the AndroidManifest.xml in my proof of concept for how to
do that.
- Signature verification returns true if the INAPP_DATA_SIGNATURE passed
to it is an empty String (""), because the RSA check is skipped for an
empty signature and the method falls through to its default return value.

Proposed fixes
--------------

Browse the diff
https://code.google.com/p/marketbilling/source/detail?r=7bc191a004483a1034b758e1df0bda062088d840
and merge the modifications into the appropriate parts of your code.

Proof of concept
----------------

- Clone https://github.com/dschuermann/billing-hack, compile the
project, and install the APK on your device.
- Then install Temple Run 2 or similar apps, and go to the in-app items
and “buy” some items.

Remarks about the vulnerabilities
---------------------------------

The impersonation vulnerability is quite interesting, because it shows
that an Android principle regarding IPC with Intents was ignored. If an
app, e.g., the Google Play Store app (com.android.vending), registers an
Intent filter that exposes an AIDL remote service, any other app can
register a filter for the same action, and with a higher priority it is
the one an implicit Intent resolves to. To prevent such collisions, the
simplest fix is to restrict the scope of the Intent used for binding to
that service on the client side by setting
bindIntent.setPackage("com.android.vending").
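As an added illustration of the impersonation bug described in Problem description and in this section (this is not code from the advisory, from the proof-of-concept repository, or from Google's library): the manifest fragment a rogue app would declare, a bind call that accepts whichever service wins the implicit resolution, and the hardened bind pinned to the Play Store package. It requires the Android SDK; the class and package names in the attacker manifest are placeholders.

```java
// Added illustration, not code from the advisory or from Google's library.
// Requires the Android SDK; names in the attacker manifest are placeholders.
import android.content.Context;
import android.content.Intent;
import android.content.ServiceConnection;
import android.content.pm.ResolveInfo;
import java.util.List;

/*
 * 1. Attacker side. A rogue app declares a service answering the same implicit
 *    action the billing helper binds to, with a high priority so that it wins
 *    the resolution whenever the helper does not pin a package:
 *
 *   <service android:name=".FakeBillingService" android:exported="true">
 *     <intent-filter android:priority="999">
 *       <action android:name="com.android.vending.billing.InAppBillingService.BIND" />
 *     </intent-filter>
 *   </service>
 *
 *   FakeBillingService implements the same AIDL interface and hands back
 *   "purchased" responses carrying whatever signature it likes.
 */
public final class BillingBind {
    static final String BILLING_ACTION = "com.android.vending.billing.InAppBillingService.BIND";
    static final String PLAY_STORE_PACKAGE = "com.android.vending";

    /** 2. Pre-fix behaviour: an implicit Intent, so whoever resolves it gets the bind. */
    static boolean bindVulnerable(Context ctx, ServiceConnection conn) {
        Intent serviceIntent = new Intent(BILLING_ACTION);
        return ctx.bindService(serviceIntent, conn, Context.BIND_AUTO_CREATE);
    }

    /** 3. Hardened: pin the Intent to the Play Store package, then confirm that
     *  exactly one service resolves and that it really lives in that package. */
    static boolean bindPinned(Context ctx, ServiceConnection conn) {
        Intent serviceIntent = new Intent(BILLING_ACTION);
        serviceIntent.setPackage(PLAY_STORE_PACKAGE);
        List<ResolveInfo> services =
                ctx.getPackageManager().queryIntentServices(serviceIntent, 0);
        if (services == null || services.size() != 1) {
            return false;   // Play Store absent, or more than one candidate: do not bind
        }
        if (!PLAY_STORE_PACKAGE.equals(services.get(0).serviceInfo.packageName)) {
            return false;   // defensive: the resolved service is not the Play Store's
        }
        return ctx.bindService(serviceIntent, conn, Context.BIND_AUTO_CREATE);
    }
}
```

The pinned bind trusts the package name, not a signing certificate: on a device where the genuine Play Store holds com.android.vending no other app can install under that name, but on a device without it the name is free, so a client that wants stronger assurance should additionally compare the package's signing certificate through PackageManager. Since Android 5.0 (API 21) the platform itself throws "Service Intent must be explicit" for an implicit bindService when the app targets that level, which closes this class of collision at the platform level for newer apps.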

The other bug is a typical crypto implementation failure, but there is also
a take-home message here. The verify method checks whether the signature
String is empty before going on to the actual verification, and if it is,
the RSA check is skipped entirely. Unfortunately the method returns true
by default at the bottom, so an empty INAPP_DATA_SIGNATURE is accepted as
a valid purchase. In my opinion verification methods should always be
programmed with this in mind: always return false, return true only on success!
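The fail-open control flow described here and in Problem description, next to its fail-closed form, as an added example in plain Java SE (it is not the advisory's code and not Google's helper, though it mirrors the helper's structure). The RSA key pair, the purchase JSON and the signing routine are constructed inline so that the example runs offline; the public key is handled the way the helper does it, as a Base64-encoded X.509 blob.

```java
// Added example, not code from the advisory or from Google's library. Plain Java SE,
// no Android dependencies; key pair, purchase JSON and signer are constructed here.
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

public final class PurchaseVerification {
    // The billing helper verifies the purchase JSON with SHA1withRSA against the
    // developer's Base64-encoded X.509 public key from the Play developer console.
    static final String SIGNATURE_ALGORITHM = "SHA1withRSA";

    /** Same control flow as the pre-fix helper: an empty signature skips the
     *  verify step and falls through to the trailing "return true". */
    static boolean verifyPurchaseVulnerable(String base64PublicKey, String signedData, String signature) {
        if (signedData == null) {
            return false;
        }
        if (signature != null && !signature.isEmpty()) {
            PublicKey key = generatePublicKey(base64PublicKey);
            if (!verify(key, signedData, signature)) {
                return false;
            }
        }
        return true;                                // reached for "": fail-open
    }

    /** Fail-closed: every missing input is an error, and the only route to true
     *  is a successful cryptographic verification. */
    static boolean verifyPurchaseFixed(String base64PublicKey, String signedData, String signature) {
        if (base64PublicKey == null || base64PublicKey.isEmpty()
                || signedData == null || signedData.isEmpty()
                || signature == null || signature.isEmpty()) {
            return false;
        }
        PublicKey key = generatePublicKey(base64PublicKey);
        return key != null && verify(key, signedData, signature);
    }

    static PublicKey generatePublicKey(String base64PublicKey) {
        try {
            byte[] der = Base64.getDecoder().decode(base64PublicKey);
            return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
        } catch (Exception e) {                     // malformed key: unverifiable
            return null;
        }
    }

    static boolean verify(PublicKey key, String signedData, String signature) {
        try {
            Signature sig = Signature.getInstance(SIGNATURE_ALGORITHM);
            sig.initVerify(key);                    // null key throws and ends up as false
            sig.update(signedData.getBytes(StandardCharsets.UTF_8));
            return sig.verify(Base64.getDecoder().decode(signature));
        } catch (Exception e) {                     // bad Base64, wrong key type, ...: failure
            return false;
        }
    }

    /** Stand-in for Google's signing side, used only to build the inputs below. */
    static String sign(PrivateKey key, String data) throws Exception {
        Signature sig = Signature.getInstance(SIGNATURE_ALGORITHM);
        sig.initSign(key);
        sig.update(data.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sig.sign());
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();
        String pub = Base64.getEncoder().encodeToString(pair.getPublic().getEncoded());

        // Constructed payload in the shape of INAPP_PURCHASE_DATA (values are made up).
        String purchase = "{\"orderId\":\"12999763169054705758.1234567890\","
                + "\"packageName\":\"com.example.game\",\"productId\":\"gems_1000\","
                + "\"purchaseState\":0,\"purchaseToken\":\"example-token\"}";
        String genuine = sign(pair.getPrivate(), purchase);
        String forged = purchase.replace("gems_1000", "gems_1000000");

        report("genuine signature", verifyPurchaseVulnerable(pub, purchase, genuine),
                                    verifyPurchaseFixed(pub, purchase, genuine));
        report("empty signature  ", verifyPurchaseVulnerable(pub, forged, ""),
                                    verifyPurchaseFixed(pub, forged, ""));
        report("tampered data    ", verifyPurchaseVulnerable(pub, forged, genuine),
                                    verifyPurchaseFixed(pub, forged, genuine));
    }

    static void report(String label, boolean vulnerable, boolean fixed) {
        System.out.println(label + "  vulnerable=" + vulnerable + "  fixed=" + fixed);
    }
}
```

The middle row is the bypass: the vulnerable method accepts the forged payload when it arrives with signature "", while the fixed method rejects it; both methods agree on the other two rows. The only structural change in the fixed version is that the empty-signature case is moved into the early-return guard and the final statement is the verification result itself, which is exactly the "return true only on success" rule.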

Remarks about Responsible Disclosure Process
--------------------------------------------

After reporting the vulnerability and some emails back and forth, I got
an email to my Google Play developer email account, informing me about
the following:

“If you previously used the In-app billing sample code to build your
in-app billing system, please use the recently-updated sample code as it
addresses an exploitable flaw we recently discovered (note that this
only affects the helper sample code; the core system and in-app billing
service itself was not affected).”

I think it’s unfair that they were unable to provide attribution,
especially as I explicitly asked about mentioning me as a security
researcher in prior communication with them. Additionally Google paid
no bug bounty, although this library is quite important as many app
developers rely on it for in-app billing.

Advertisement
-------------

If you are a programmer, consider working with us on OpenPGP Keychain to
provide secure emailing for Android. I will help on pull requests and be
happy about every commit!
