On March 23rd, Guillaume Lopes gave a talk at BSides Dublin on bypassing payment in the Google Play Billing API.
Synopsis:
In 2017, the estimated global in-app purchase revenue was projected to exceed $37 billion. In the Google Play Store alone, for 2018, more than 200 000 apps offered in-app purchases. However, the Google Play Billing API does not offer a sufficient level of protection to ensure the security of payment transactions. Already in October 2013, Dominik Schürmann found 2 vulnerabilities in Google Play Billing that made it possible to impersonate the Google Play Store and to bypass the payment validation. This presentation will show how it is still possible to exploit those issues in order to bypass the payment process, and why the Google Play Billing API is vulnerable by design.
The slides of this presentation are available here: