Mobile in-app purchase revenue reached 2 billion dollars in 2011 and is projected to reach 15 billion in 2015. In-app purchases are an increasingly large revenue stream and now account for over 75% of mobile application revenue; however, Android's In App Billing (IAB) API is confusing and often poorly implemented by application developers. This leads to flaws that attackers can exploit to circumvent the purchasing process, resulting in lost revenue for application creators. Cracked APKs that bypass the in-app purchasing process exist for just about every popular Android application; not only do these cost developers lost revenue, they are also persistent vectors of mobile malware.

During this talk, we will review Android's IAB API and then examine the IAB implementations of some of the top-grossing applications on Google Play, identifying vulnerabilities and their remediation. We will discuss how to exploit real-world apps using the Cydia Substrate framework. We will also briefly look at the popular Android applications Freedom and Lucky Patcher, which focus on bypassing IAB, and the mechanisms they employ to achieve this. We will conclude with some best practices to follow when implementing IAB in an Android application and propose potential solutions for the existing problems with IAB implementation in the Google Play market.

I am a Senior Security Consultant at VSR in Boston with a background in web, mobile and product security. I previously worked at Tenable Network Security, where I wrote Nessus plugins. My interest in In App Billing sparked a few years ago when I saw someone playing Candy Crush and wondered if I could get those Lollipop Hammers for free. It turns out I could.
http://www.linkedin.com/in/aramirezjr
www.vsecurity.com
Copyright 2020, IronGeek