Google Play In-App Billing Library Hacked

I successfully exploited two bugs in the Google Play In-App Billing Library, which make it possible to impersonate the Google Play billing service and circumvent the signature verification. I was able to retrieve unlimited amounts of in-app items in games like Temple Run 2, which uses this library.

This blog post was released earlier than previously negotiated with Google, because Google was unable to provide proper attribution (they even stated “we recently discovered” in an email sent to Android developers). Additionally, they ignored questions regarding other bad security practices in this library. More information can be found before the conclusion.