Reputation: 6382
I am developing a game and I would like to include some in-app purchases.
I decided to store the purchased items in a database and add some checks to it. However, there is still one problem: wouldn't it be possible to simply disassemble the app and exchange the response codes (e.g. USER_CANCELED with OK) so that, every time I open the dialogue and abort, my game thinks I bought the item?
I did try it on my app so far; however, as I lack experience with baksmali, it didn't work for me. In theory, would it be (easily) possible? And if yes, what exactly do you have to change in the smali, and what are the countermeasures?
Thanks!
Upvotes: 1
Views: 4006
Reputation: 2108
Android has an In-app Billing security guidelines doc:
https://developer.android.com/google/play/billing/billing_best_practices.html
This question will invariably pop up all the time and the answer is that there's no "real solution" that will defeat all piracy. However, there are various techniques that will mitigate the problem and prevent piracy on a large scale.
It is up to the app developer to decide how far he/she is willing to go to limit piracy. Multiple versions through obfuscation and server-side verification and revocability are good techniques, more than that is probably overkill. The conventional wisdom is that it might not be important to worry about the small number of people who have the time and knowledge to hack one instance of the app.
Upvotes: 2
Reputation: 101
If you decompile, change the code and pack it again as an apk, it needs to be signed with the same key you used before - or it won't be possible to make in-app purchases through the Play Store with it.
The items on the store can only be accessed by an app signed the same way as the one you uploaded through the console.
However, it is possible to mimic the process without even reaching the store if someone completely changes the code. To prevent this, you should check the legitimacy of the purchase through a back-end server. You may want to check this question and the answer on how to do that.
Upvotes: 0
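What the back-end check in the answer above amounts to, as an added example that is not part of the original thread or of any Google sample: Play returns the purchase as a JSON string (INAPP_PURCHASE_DATA) plus a base64 signature (INAPP_DATA_SIGNATURE) made with SHA1withRSA over that exact string, and the app's licensing public key is shown in the Play Console as base64 X.509 SPKI. The server verifies the signature first, then binds the receipt to its own package and the SKU being unlocked, then checks the purchase state. The package name `com.example.game`, the SKUs `sword_of_fire` and `dragon_mount`, the receipt JSON and the RSA key generated inline are all constructed stand-ins; the functions `VerifyPurchase`, `SignPurchase` and `RunScenarios` are this example's own names. The four scenarios cover the question's attack (a client patched to treat USER_CANCELED as OK, which has no signed record to present) alongside an edited receipt and a genuine receipt replayed for a more expensive item.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// PurchaseData holds the INAPP_PURCHASE_DATA fields the server check relies on.
type PurchaseData struct {
	PackageName   string `json:"packageName"`
	ProductID     string `json:"productId"`
	PurchaseState int    `json:"purchaseState"` // 0 purchased, 1 canceled, 2 refunded
}

// VerifyPurchase is the back-end check. pubKeyB64 is the app's licensing public key from the
// Play Console (base64 X.509 SPKI); sigB64 is the INAPP_DATA_SIGNATURE the client forwarded.
// Play signs SHA1withRSA (PKCS#1 v1.5) over the exact JSON string, so verify it as received.
func VerifyPurchase(pubKeyB64, purchaseJSON, sigB64, wantPackage, wantProduct string) (*PurchaseData, error) {
	der, errK := base64.StdEncoding.DecodeString(pubKeyB64)
	sig, errS := base64.StdEncoding.DecodeString(sigB64)
	if errK != nil || errS != nil {
		return nil, fmt.Errorf("key or signature is not valid base64")
	}
	parsed, err := x509.ParsePKIXPublicKey(der)
	pub, ok := parsed.(*rsa.PublicKey) // ok is false when parsed is nil, so a parse error is caught too
	if err != nil || !ok {
		return nil, fmt.Errorf("licensing key is not a valid RSA public key")
	}
	digest := sha1.Sum([]byte(purchaseJSON))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature does not verify: record forged or edited")
	}
	var p PurchaseData
	if err := json.Unmarshal([]byte(purchaseJSON), &p); err != nil {
		return nil, fmt.Errorf("purchase json: %w", err)
	}
	// Bind the receipt to this app and SKU: a real receipt for a cheap item must not unlock another.
	if p.PackageName != wantPackage || p.ProductID != wantProduct {
		return nil, fmt.Errorf("receipt is for another package or product")
	}
	if p.PurchaseState != 0 {
		return nil, fmt.Errorf("purchase is canceled or refunded")
	}
	return &p, nil
}

// SignPurchase plays the role of Play producing INAPP_DATA_SIGNATURE for a record (demo helper).
func SignPurchase(priv *rsa.PrivateKey, purchaseJSON string) string {
	digest := sha1.Sum([]byte(purchaseJSON))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, digest[:])
	if err != nil {
		panic(err) // cannot happen with a valid key and a SHA-1 digest
	}
	return base64.StdEncoding.EncodeToString(sig)
}

// ScenarioResults records whether the server accepted each constructed record.
type ScenarioResults struct {
	Genuine      bool // untouched receipt for the SKU being unlocked
	EditedSKU    bool // productId edited on the client after Play signed the record
	ReplayedSKU  bool // untouched cheap receipt presented to unlock a different SKU
	ForgedCancel bool // client patched to treat USER_CANCELED as OK; Play signed nothing
}

// RunScenarios signs a constructed sample receipt (not real Play data) with a fresh stand-in key and checks it and three forgeries.
func RunScenarios() ScenarioResults {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // only a broken CSPRNG gets here
	}
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey) // cannot fail for an RSA key
	pubB64 := base64.StdEncoding.EncodeToString(der)     // the form the Play Console shows
	const pkg, sku = "com.example.game", "sword_of_fire"
	genuine := `{"orderId":"GPA.1234-5678-9012-34567","packageName":"` + pkg + `","productId":"` + sku +
		`","purchaseState":0,"purchaseToken":"constructed-token-1"}`
	sig := SignPurchase(priv, genuine)
	accepted := func(data, s, product string) bool {
		_, err := VerifyPurchase(pubB64, data, s, pkg, product)
		return err == nil
	}
	fake := strings.Replace(genuine, "constructed-token-1", "invented-token", 1)
	return ScenarioResults{
		Genuine:      accepted(genuine, sig, sku),
		EditedSKU:    accepted(strings.Replace(genuine, sku, "dragon_mount", 1), sig, "dragon_mount"),
		ReplayedSKU:  accepted(genuine, sig, "dragon_mount"),
		ForgedCancel: accepted(fake, base64.StdEncoding.EncodeToString([]byte("no signature")), sku),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenarios())
}
```

Running it prints `{Genuine:true EditedSKU:false ReplayedSKU:false ForgedCancel:false}`: only the untouched receipt for the requested SKU is accepted. The point for the question is the last field: swapping the response code in smali changes what the app believes, but it cannot produce a record signed by Play's key, so a server that insists on the signature has nothing to grant. The binding check matters just as much; without it, one genuine receipt for the cheapest item would unlock everything.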
Reputation: 600
Just an opinion: I don't have much knowledge about Android apps, but within the security scope, you should make a decision about whether to prevent cracking of your software or not, and how much. Higher security will yield a more troubled application in time and cause your real customers to feel bad, or will steal their time (because of the decreasing performance). And you will spend your time securing your application instead of making it better and more useful. I advise you to read this nice comment too: "if people want your application cracked they will"
Upvotes: 0