adingbox / marketbilling

Automatically exported from code.google.com/p/marketbilling
0 stars 0 forks source link

iab v3 restoring purchase is not protected against replay attacks #127

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
STEPS TO REPRODUCE:
1. web service generates nonce
2. user buys item with nonce in developer payload, goes trough buying procedure 
successfully
3. web service verifies purchase succesfully
4. user records web service communication
5. because the iab v3 api returns the previous purchase data, with a now 
invalid nonce, user can do a replay attack on web service, with the previously 
recorded communication.
6. web service receives the original data again, that the purchase was verified 
with, and can't verify again that this is not an invalid purchase, and to 
support restore functionality, has to believe that the purchase is valid.

EXPECTED OUTPUT:
user should not be able to do replay attack while restoring purchases.

ACTUAL OUTPUT:
user is able to do replay attack, because we can't add a new nonce to the 
purchase json.
User buys every item once, records webservice communication, and can distribute 
an apk that contains the recorded communication, which allows any user with a 
hacked apk to download every product.

OS VERSION:
any that has support for iab v3

MARKET/MYAPPS VERSION:
any that has support for iab v3

DEVICE:
any that has support for iab v3

NOTES:
in in app billing v2 it was possible to add the nonce when the app queried the 
previous purchase data, now we can only query the cached purchase data, can't 
add the new developer payload, so functionality that was protecting against 
replay attacks has been removed since iab v2. why?

Original issue reported on code.google.com by tamas.be...@redact-media.com on 12 Jun 2013 at 9:20