RandoriSec was at Hack In Paris 2019 and it was wonderful! This 9th edition took place at Maison de la Chimie in Paris (of course;)). The event was divided in two parts: June 16th to 18th: 3 days of trainings with 13 different subjects (IoT, ICS, Windows exploitation, Web and mobile hacking, etc.) June 19th to 20th: 2 days of talks with a unique track.
The March 23th, Guillaume Lopes gave a talk at BSides Dublin about how to bypass the payment on Google Play Billing API. Synopsis: In 2017, the estimated global in-app purchase revenue was projected to exceed $37 billion. Just in the Google Play Store, for 2018, more than 200 000 apps are offering in-app purchases. However, the Google Play Billing API is not offering a sufficient level of protection in order to ensure the security of the payment transactions.
Guillaume Lopes (@Guillaume_Lopes) and Davy Douhine (@ddouhine), senior pentesters, will share many techniques, tips and tricks to deliver to pentesters, bug bounty researchers or just curious a 100% hands-on 2 days mobile training. Goal is to introduce tools (Adb, Apktool, Jadx, Cycript, Frida, Hopper, Needle, etc.) and techniques to help you to work faster and in a more efficient way in the mobile (Android and iOS) ecosystem. This is the exact training that you would have liked to have before wasting your precious time trying and failing while testing.
As Google defines it “Google Play Billing is a service that lets you sell digital content from inside an Android app, or in-app.“ It can be used to sell one-time products like additional game levels, premium loot boxes, media files or subscriptions like online magazines or music streaming services. But what could possibly go wrong when this service is doing client side validation ? Guillaume worked on this for Checkmarx and published a complete blog post explaining the results and the detailed steps to bypass the InApp Billing process and obtain unlimited credits: https://www.