Google Play Billing

[Training/Conference] DeepSec 2019

Training During the DeepSec event, we gave our Mobile Hacking training (this training was also provided at Hack In Paris). This training presented the toolset needed when assessing mobile applications (such as adb, Apktool, Jadx, Androguard, Cycript, Frida, Needle and MobSF) and, also, the techniques to help you to work faster and in a more efficient way in the mobile ecosystem. This 2-days training focused on Android and iOS applications.

Continue reading

[PUBLICATION] Éprouver la sécurité des applications mobiles

Guillaume et moi-même avons écrit trois articles sur la sécurité des applications mobiles (tout le dossier en fait ;), qui ont été publiés dans le magazine MISC106 de novembre/décembre : Contournement de l’API Google Play Billing (for fun and profit ;) Auditer la sécurité d’une application iOS (avec et sans jailbreak) Présentation du Mobile Security Testing Guide de l’OWASP (devenu LA référence dans le domaine) Comme à notre habitude nous aurions aimé opter pour une licence CC dans le but de mettre les articles à disposition au plus grand nombre dès l’expiration des droits d’auteur, mais cela n’a été possible que pour un seul des trois articles.

Continue reading

[Training/Conference] DeepSec 2019 - Mobile Hacking / Abusing Google Play Billing

RandoriSec is going back to DeepSec (Vienna, Austria) this year. Guillaume Lopes will give a talk about abusing the Google Play Billing API and he’ll give a training with Davy Douhine. The Mobile Hacking training, running the 27 and 28 November, is intended for penetration testers, bug bounty researchers or just curious who would like to improve their security testing skills applied to the mobile ecosystem. The objective of the course is to introduce the basic toolset (Adb, Apktool, Jadx, Cycript, Drozer, Frida, Hopper, Needle, etc.

Continue reading

[Conference] BSides Dublin 2019 – Abusing Google Play Billing for fun and unlimited credits!

The March 23th, Guillaume Lopes gave a talk at BSides Dublin about how to bypass the payment on Google Play Billing API. Synopsis: In 2017, the estimated global in-app purchase revenue was projected to exceed $37 billion. Just in the Google Play Store, for 2018, more than 200 000 apps are offering in-app purchases. However, the Google Play Billing API is not offering a sufficient level of protection in order to ensure the security of the payment transactions.

Continue reading

Get Freebies by Abusing the Android InApp Billing API

As Google defines it “Google Play Billing is a service that lets you sell digital content from inside an Android app, or in-app.“ It can be used to sell one-time products like additional game levels, premium loot boxes, media files or subscriptions like online magazines or music streaming services. But what could possibly go wrong when this service is doing client side validation ? Guillaume worked on this for Checkmarx and published a complete blog post explaining the results and the detailed steps to bypass the InApp Billing process and obtain unlimited credits: https://www.

Continue reading