Unbillable - Exploiting Android In-App Purchases
Offered By: YouTube
Course Description
Overview
Explore Android in-app purchase exploitation techniques in this 44-minute conference talk from Derbycon 2015. Delve into how in-app billing works, how it is implemented, and where it is vulnerable. Learn about the Google Play API, the IAB Helper class, and common flaws in mobile game monetization. Examine real-world examples, including Supercell games and mobile MMOs. Discover how cracked binaries and Cydia Substrate can be used to manipulate the Java Virtual Machine. Analyze client-side trust issues, signature verification methods, and potential exploits. Investigate the Pandora example, SISV token obfuscation, and public key vulnerabilities. Gain insights into protecting against these exploits and into the implications of excessive logging and client-side signature verification.
Syllabus
Intro
Why InApp Billing
Games
Supercell
Mobile MMOs
Cheating the system
What is app billing
How it works
Google Play API
InApp Billing
InApp Billing Demo
IAB Helper
Intent For Purchasing
Cracked binaries
The problem for developers
Questions
Cydia Substrate
Java Virtual Machine
Substrate
Exploit Example
Common Flaws
Excessive Logging
Signature Verification
ClientSide Signature Verification
Demo
How does it work
IAB helper class
Replace Intent
Verify Signature Methods
The Context
ClientSide Trust
Pandora Example
Exceptions
SISV token
Obfuscation
Public Key
Unmodified Code
Heartbleed
Stack Overflow
Related Courses
Save and Load Files with C# in Unity (Coursera Project Network via Coursera)
Reverse Engineering 6: Reversing .NET with dnSpy (Udemy)
Reverse Engineering & Malware Analysis of .NET & Java (Udemy)
JavaScript: Security Essentials (LinkedIn Learning)
TypeScript Crash Course with Matt Pocock (Visual Studio Code via YouTube)