How secure is in app billing in Android?

Question

I am developing a game and I would like to include some in-app purchases.

I decided to store the purchased items in a database and adding some checks to it. However, there is still one problem: Wouldn't it be possible to simply disassemble the app, exchange the response codes (eg. USER_CANCELED with OK) so, every time I open the dialogue and abort, my game thinks I bought the item?

I did try it on my app so far, however as I lack experience with baksmali, I didn't work for me. In theory, would be (easily) possible? And if yes, what exactly do you have to change in smali and what are countermeasures?

Thanks!

Answer 1

Just an opinion: I don't have much knowledge about android apps, but about the security scope, You should make a decision about prevent cracking of your software or not or how much. The higher security will yield a more troubled application in time and cause your real customers feel bad or will steal their time (because of the decreasing performance). And you will spend your time to secure your application instead of making it a better and more useful. I advice you to read this nice comment too. "if people want your application cracked they will"

Answer 2

Android has an In-app Billing security guidelines doc:

https://developer.android.com/google/play/billing/billing_best_practices.html

This question will invariably pop up all the time and the answer is that there's no "real solution" that will defeat all piracy. However, there are various techniques that will mitigate the problem and prevent piracy on a large scale.

It is up to the app developer to decide how far he/she is willing to go to limit piracy. Multiple versions through obfuscation and server-side verification and revocability are good techniques, more than that is probably overkill. The conventional wisdom is that it might not be important to worry about the small number of people who have the time and knowledge to hack one instance of the app.

Answer 3

If you decompile, change code and pack it again as apk, it needs to be signed with the same key you used before - or it won't be possible to make in app purchases through Play Store with it.

The items on the store can only be accessed by an app similarly signed as the one you uploaded through console.

However, it is possible to mimick the process without even reaching the store if someone completely changes the code. To prevent this, you should check for the legitimacy of the purchase through a back-end server. You may want to check this question and the answer on how to do that.