Android Question I keep receiving fake app purchases InAppBilling3

Ferdari

As the title says, I keep receiving fake in-app purchases. The problem is that these purchases unlock PRO features successfully, as they intercept the purchase intents and return true.

Purchase tokens like:
B4X:
fwtdmoyobciuqjdqbfmlpkny

Fake order ids like:
B4X:
7836133416594986962.9139750161832066

Google says there is a vulnerable class in the InAppBilling3:
com.google.android.gms.internal.cu

If I click the recommendation it says:
This information is intended for developers of apps that have a vulnerable implementation of In-app billing.

If your app is invoking the In-app billing service without setting a target package for the intent. This can enable a malicious package to bypass the Play store billing system and access items that have not been purchased.

Steps to fix:

  1. If you are using IabHelper, please start using the latest SDK.
  2. If you are manually invoking the In-app billing service, please ensure that you are calling Intent.setPackage(“com.android.vending”) on any intents to "com.android.vending.billing.InAppBillingService.BIND".
  3. Sign in to your Developer Console and submit the updated version of your app.
  4. Check back after five hours - we’ll show a warning message if the app hasn’t been updated correctly.
Does anyone know how to modify the intent? It should be inside the library. @Erel

I'm using the new Google Play Services version 43 and the sdk\platforms\android-25\android.jar

Ferdari

Where do I need to start the intent?
I'm using the tutorial:
B4X:
Public Sub manager_PurchaseCompleted(Success As Boolean, Product As Purchase)
    If Success = True Then
        'success code
    End If
End Sub

and when i want to show an in-app purchase:
B4X:
manager.RequestPayment("noads", "inapp","")

I'm thinking it should be when calling the in-app purchase, but how do I set the product "noads"?

EDIT:
Or is this in version 1.31? I was on 1.11.

Ferdari

The server solution should be implemented with a server. This means that the client code sends a http request to the server and then waits for the server to verify the purchase.
I mean, does 1.31 use the new intent:
B4X:
Intent serviceIntent = new Intent("com.android.vending.billing.InAppBillingService.BIND");
serviceIntent.setPackage("com.android.vending");

Ferdari

Google Play again detected the same vulnerability on com.google.android.gms.internal.cu

Could it be the IabHelper inside the plugin?
Steps to fix:
  1. If you are using IabHelper, please start using the latest SDK.
  2. If you are manually invoking the In-app billing service, please ensure that you are calling Intent.setPackage(“com.android.vending”) on any intents to "com.android.vending.billing.InAppBillingService.BIND".
  3. Sign in to your Developer Console and submit the updated version of your app.
  4. Check back after five hours - we’ll show a warning message if the app hasn’t been updated correctly.

It says it needs the latest SDK for IabHelper.
@Erel

If there is no solution to the vulnerability, it must be necessary to check from the server every time; I will try to implement it.
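The server-side check the post above describes, as an added example that is not code from this thread or from the B4X billing library: the server looks the client's purchase token up through the Play Developer API (the purchases.products.get endpoint is real) and unlocks only on Google's answer, so a forged purchase that the client reports as successful has no record to be found. The OAuth2 access token handling and the injectable fetch_json helper are assumptions, and the sample response is constructed.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Optional
from urllib.parse import quote

# Real Play Developer API v3 endpoint (purchases.products.get).
PRODUCTS_GET = ("https://androidpublisher.googleapis.com/androidpublisher/v3/"
                "applications/{pkg}/purchases/products/{product}/tokens/{token}")
PURCHASED = 0  # purchaseState: 0 purchased, 1 canceled, 2 pending

def evaluate(resp: Optional[dict], expected_product: str) -> tuple:
    """Decide (entitled, reason) from Google's answer, never from the client."""
    if resp is None:
        # Play has no record of this token: forged purchase or garbage token.
        return False, "token unknown to Play"
    if resp.get("purchaseState") != PURCHASED:
        return False, "purchaseState=%r" % resp.get("purchaseState")
    if resp.get("productId", expected_product) != expected_product:
        return False, "token belongs to a different product"
    return True, "verified orderId=%s" % resp.get("orderId")

def verify_purchase(fetch_json: Callable[[str], Optional[dict]],
                    pkg: str, product: str, token: str) -> tuple:
    """Look the token up by package/product/token and evaluate the result."""
    url = PRODUCTS_GET.format(pkg=quote(pkg, safe=""),
                              product=quote(product, safe=""),
                              token=quote(token, safe=""))
    return evaluate(fetch_json(url), product)

def make_fetcher(access_token: str) -> Callable[[str], Optional[dict]]:
    """Real HTTP helper (assumed OAuth2 bearer token); 400/404 -> no record."""
    def fetch_json(url: str) -> Optional[dict]:
        req = urllib.request.Request(
            url, headers={"Authorization": "Bearer " + access_token})
        try:
            with urllib.request.urlopen(req, timeout=10) as r:
                return json.load(r)
        except urllib.error.HTTPError as e:
            if e.code in (400, 404):
                return None
            raise
    return fetch_json

# Constructed sample shaped like a purchases.products.get response
# (the order id is a placeholder, not a real Play order).
SAMPLE_OK = {"purchaseState": 0, "consumptionState": 0, "productId": "noads",
             "orderId": "GPA.0000-0000-0000-00000"}

if __name__ == "__main__":  # offline demo with a fake API knowing one token
    fake_api = lambda url: SAMPLE_OK if url.endswith("/tokens/tok-demo") else None
    print(verify_purchase(fake_api, "com.example.app", "noads", "tok-demo"))
    print(verify_purchase(fake_api, "com.example.app", "noads", "fwtdmoyobciuqjdqbfmlpkny"))
```

In production, pass `make_fetcher(token)` instead of the fake API and call `verify_purchase` on every request that gates a PRO feature, so the client's `Success` flag is never the deciding input.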