This course teaches how to exploit Android in-app purchases to make them unbillable. The learning outcomes include understanding in-app billing, Google Play API, and client-side signature verification. The course covers skills such as using Cydia Substrate, Java Virtual Machine, and exploiting common flaws in the system. The teaching method includes demonstrations, examples, and explanations of how the exploitation works. The intended audience for this course is developers and individuals interested in mobile app security and Android platform vulnerabilities.
Overview
Syllabus
Intro
Why InApp Billing
Games
Supercell
Mobile MMOs
Cheating the system
What is app billing
How it works
Google Play API
InApp Billing
InApp Billing Demo
IAB Helper
Intent For Purchasing
Cracked binaries
The problem for developers
Questions
Cydia Substrate
Java Virtual Machine
Substrate
Exploit Example
Common Flaws
Excessive Logging
Signature Verification
ClientSide Signature Verification
Demo
How does it work
IAB helper class
Replace Intent
Verify Signature Methods
The Context
ClientSide Trust
Pandora Example
Exceptions
SISV token
Obfuscation
Public Key
Unmodified Code
Heartbleed
Stack Overflow
