HIP19: Abusing Google Play Billing for fun and unlimited credits! - G. Lopes
Abusing Google Play Billing for fun and unlimited credits! by Guillaume Lopes https://hackinparis.com/talks #talk-2019-abusing-google-play-billing-for-fun-and-unlimited-credits The Google Play Billing API is vulnerable by design and allows an attacker to bypass the payment process. I analyzed several android games and found that it possible to bypass the payment process. This presentation will show real vulnerable applications (Fruit Ninja, Doodle Jump, etc.) The agenda of the presentation will be divided as follow: 1. Google Play Billing Presentation: Presentation of the workflow and how it works. In addition, a focus will be done on the local validation of the process. 2. Known vulnerabilities: Review of the vulnerabilities found by Dominik Schürmann. Demonstration of why the fixes performed by Google are not enough and how it is still possible to bypass the payment process. 3. Vulnerable applications: Example of vulnerable applications trying to protect the billing process (Doodle Jump, Snoopy Pop, Fruit Ninja, etc.) with different techniques (obfuscation, shared libraries, etc.). The presentation will focus on how the billing process is performed and how by reverse engineering the application, it is still possible to bypass the payment process. 4. Conclusion: Sum up of the numbers of vulnerable applications. Comparison with other billing libraries (Amazon and Samsung)
Abusing Google Play Billing for fun and unlimited credits! by Guillaume Lopes https://hackinparis.com/talks #talk-2019-abusing-google-play-billing-for-fun-and-unlimited-credits The Google Play Billing API is vulnerable by design and allows an attacker to bypass the payment process. I analyzed several android games and found that it possible to bypass the payment process. This presentation will show real vulnerable applications (Fruit Ninja, Doodle Jump, etc.) The agenda of the presentation will be divided as follow: 1. Google Play Billing Presentation: Presentation of the workflow and how it works. In addition, a focus will be done on the local validation of the process. 2. Known vulnerabilities: Review of the vulnerabilities found by Dominik Schürmann. Demonstration of why the fixes performed by Google are not enough and how it is still possible to bypass the payment process. 3. Vulnerable applications: Example of vulnerable applications trying to protect the billing process (Doodle Jump, Snoopy Pop, Fruit Ninja, etc.) with different techniques (obfuscation, shared libraries, etc.). The presentation will focus on how the billing process is performed and how by reverse engineering the application, it is still possible to bypass the payment process. 4. Conclusion: Sum up of the numbers of vulnerable applications. Comparison with other billing libraries (Amazon and Samsung)