
How to protect Google In-App Billing v3 from code hacking?

Google provides a convenient API to implement "in-app purchase" features on an Android app.

Along with these docs, there is also a dedicated chapter regarding the security level of this system and the good ways to design it. The web is full of articles about this step, from public key protection to remote server validation, but I really can't understand why all of these techniques should work when the main problem is, simply, code hacking.

Maybe there is a better term to explain it, but let me give a quick example. The basic idea of my application is that, at certain points, the user can't proceed unless he has purchased an item.

Something like:

public void accessTheVeryCoolFeature() {

    boolean haveIt = checkIfPurchased("verycoolfeature");
    if (haveIt) {
        // YEAH! let's open this very cool feature I paid 200 bucks for
    }
    else {
        // ok... where is my wallet?
        boolean purchased = startPurchaseFlow("verycoolfeature");
        if (purchased) {
            // my wallet is now empty but happy
        }
    }
}

Following the previous guidelines, the developer can protect his app during the purchase process by letting the startPurchaseFlow method query a remote, trusted server that validates the receipt. Purchases done using a "fake marketplace" should be avoided by this.

Another method is to protect the unlocked content by obfuscating the code. This is really simple with tools like ProGuard and should make the life of a "hacker" a bit harder.

Now, I tried to act the part of a hacker who wants to read my code, especially the billing phase. It took me like 1 minute to spot the code I wrote in the previous example. Now the best part: what if I edit the (obfuscated) source code to do this?

public void atvf() {

    boolean hi = cip("verycoolfeature");
    hi = true; // <------------------------ AHAH!
    if (hi) {
        // YEAH! let's open this very cool feature for free
    }
    // ...
}

All the good words about remote verification and code obfuscation are totally gone. So why spend hours on trying to implement them when the very first problem is in a boolean value?

Am I missing something?

TheUnexpected asked Sep 30 '14 16:09



1 Answer

Unless your app is heavily dependent on its functionality being on a server - as in each functionality stays on the server and the app is just a client tool to call those server APIs - there is nothing you can do. If indeed it's a server-based app, you can check for each incoming request (e.g. the app can send a one-time session hash) whether a valid transaction exists for it and is paid. If not, deny the request.

The app's code is running on the client's phone. If the hacker gains access to that code and is free to modify it to override any billing validations - there is nothing you can do. You should make sure he doesn't gain access to that source code in the first place.

Dzhuneyt answered Nov 15 '22 19:11
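The server-side check described in the answer above, as an added example that is not part of the original question or answer: the paid feature is computed on the server, which consults its own purchase records and a one-time session token, so a boolean forced to true in the client changes nothing. All names (`VERIFIED_PURCHASES`, `issue_session_token`, `handle_feature_request`) and the sample users are hypothetical, and receipt validation with the store is assumed to have happened before a purchase is recorded.

```python
import secrets

# Constructed sample data: purchases the server recorded after it validated
# each receipt itself (that validation step is assumed and not shown here).
VERIFIED_PURCHASES = {("alice", "verycoolfeature")}

_sessions = {}  # one-time token -> user id, kept only on the server


def issue_session_token(user_id):
    """Hand an authenticated user a single-use token for the next request."""
    token = secrets.token_urlsafe(32)
    _sessions[token] = user_id
    return token


def handle_feature_request(request):
    """Serve the paid feature only if the server's own records show a purchase.

    `request` is a dict built by the (untrusted) client. Any entitlement
    claim it carries, such as a "purchased" flag, is deliberately ignored.
    """
    # pop() consumes the token, so a captured request cannot be replayed.
    user_id = _sessions.pop(request.get("token"), None)
    if user_id is None:
        return 401, "unknown or already used session token"
    if (user_id, request.get("sku")) not in VERIFIED_PURCHASES:
        return 402, "no paid transaction on record"
    # The feature's result is computed here, so the client never holds code
    # or data that a patched boolean could unlock.
    return 200, f"very cool result for {user_id}"


def demo():
    """A paying client, a patched client, and a replayed token."""
    paid = {"token": issue_session_token("alice"), "sku": "verycoolfeature"}
    # Patched client: the local check was forced to true, but that only
    # changes what the client sends, not what the server has on record.
    patched = {"token": issue_session_token("mallory"),
               "sku": "verycoolfeature", "purchased": True}
    return [handle_feature_request(paid)[0],
            handle_feature_request(patched)[0],
            handle_feature_request(paid)[0]]  # same token sent again


if __name__ == "__main__":
    print(demo())
```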