Android Question I keep receiving fake app purchases InAppBilling3

[Ferdari]

As the title says, I keep receiving fake in-app purchases, the problem is that this purchases unlocks PRO features successfully as they intercept the purchases intents and returns true.

purchase tokens like:

fwtdmoyobciuqjdqbfmlpkny

Fake order ids like:

7836133416594986962.9139750161832066

Google says there is a vulnerable class in the InAppBilling3:
com.google.android.gms.internal.cu

If i click the recomendation it says:

This information is intended for developers of apps that have a vulnerable implementation of In-app billing.

If your app is invoking the In-app billing service without setting a target package for the intent. This can enable a malicious package to bypass the Play store billing system and access items that have not been purchased.

Steps to fix:

1. If you are using IabHelper, please start using the latest SDK.
2. If you are manually invoking the In-app billing service, please ensure that you are calling Intent.setPackage(“com.android.vending”) on any intents to "com.android.vending.billing.InAppBillingService.BIND".
3. Sign in to your Developer Console and submit the updated version of your app.
4. Check back after five hours - we’ll show a warning message if the app hasn’t been updated correctly.

Anyone know how to modify intent, it should be inside the Library. @Erel

im using the new Google Play Services version 43 and the sdk\platforms\android-25\android.jar

 

[Erel]

This is already implemented in the library:

  Intent serviceIntent = new Intent("com.android.vending.billing.InAppBillingService.BIND");
     serviceIntent.setPackage("com.android.vending");

You can check the purchases with a server solution: https://www.b4x.com/android/forum/threads/google-play-developer-api.81839/

 

[Ferdari]

Thank you Erel i will try right now

 

[Ferdari]

Where do i need to start the intent?
im using the tutorial

Public Sub manager_PurchaseCompleted(Success As Boolean, Product As Purchase)
If Success = True Then
   'success code
end if
end sub

and when i want to show an in-app purchase:

manager.RequestPayment("noads", "inapp","")

im thinking it should be when calling in-app purchase, but how do i set product "noads"?

EDIT:
Or this is on the version 1.31? i was on 1.11

 

[Erel]

The server solution should be implemented with a server. This means that the client code sends a http request to the server and then waits for the server to verify the purchase.

 

[Ferdari]

The server solution should be implemented with a server. This means that the client code sends a http request to the server and then waits for the server to verify the purchase.

i meaning if the 1.31 uses the new intent:

Intent serviceIntent = new Intent("com.android.vending.billing.InAppBillingService.BIND");
serviceIntent.setPackage("com.android.vending");

 

[Erel]

meaning if the 1.31 uses the new intent:

Yes. It is implemented in v1.31.

 

[Ferdari]

Google Play again detected the same vulnerabity on com.google.android.gms.internal.cu

it could be the IabHelper inside the plugin??:

Steps to fix:

1. If you are using IabHelper, please start using the latest SDK.
2. If you are manually invoking the In-app billing service, please ensure that you are calling Intent.setPackage(“com.android.vending”) on any intents to "com.android.vending.billing.InAppBillingService.BIND".
3. Sign in to your Developer Console and submit the updated version of your app.
4. Check back after five hours - we’ll show a warning message if the app hasn’t been updated correctly.

its say needs the lastest SDk from IabHelper
@Erel

If there is no solution to the vulnerability it must be necessary to check from server every time, i will try to implement.

 

[Erel]

As I wrote, the setPackage call is there.

 

[Ferdari]

As I wrote, the setPackage call is there.

Oki doki, thank you erel