DeepSec 2019 Talk: Abusing Google Play Billing for Fun and Unlimited Credits! – Guillaume Lopes

Sanna/ November 22, 2019/ Conference, Security

In 2017, the estimated global in-app purchase revenue was projected to exceed $37 billion. Just in the Google Play Store, for 2018, more than 200 000 apps are offering in-app purchases. However, the Google Play Billing API is vulnerable by design and allows an attacker to bypass the payment process. I analyzed several android games and found that it’s possible to bypass the payment process. This presentation will show real vulnerable applications (Fruit Ninja, Doodle Jump, etc.).

We asked Guillaume a few more questions about his talk.

Please tell us the top 5 facts about your talk.

  • The vulnerability presented is really easy to exploit
  • Client side issues are not dead in 2019!
  • It seems nobody cares about losing money in the game industry…
  • Very few vendors fixed their implementation
  • Real vulnerable applications will be presented during the talk 🙂

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

At BSides Lisbon, in 2017, I was following a talk from Jérémy Matos about abusing an Android In-app Billing feature thanks to a misunderstood integration. In his talk, he presented an Android app (PandaPop if I remember correctly) having a misconfiguration on the Play Billing implementation. It was possible to bypass the payment by using specific test keywords, normally reserved when developing the application. From this point on I started digging on how the Google Play billing API was working and found that in fact many Android apps implement The Google Play Billing in an unsecure way.

Why do you think this is an important topic?

First, because payment transactions are important. If an attacker can easily bypass payments in order to obtain the product, it is basically game over for your app. Then, it shows that access control performed on the client side can not be trusted and should be prevented.

Is there something you want everybody to know – some good advice for our readers maybe?

Don’t trust the client! If your security relies on control implemented on the client side, it’s going to be breached at some point.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

I hope Google is going to review the Google Play Billing API in order to prevent people implementing security protections locally.


Guillaume Lopes is a pentester with 10 years of experience in different fields (Active Directory, Windows, Linux, Web applications, Wifi, Android). Currently he’s working as a Senior Penetration Tester at RandoriSec and also as a member of the Checkmarx Application Security Research Team. He also likes to play CTF (Hackthebox, Insomni’hack, Nuit du Hack, BSides Lisbon, etc.) and gives a hand to the Tipi’hack team.

Share this Post