STEPS TO REPRODUCE:
1. web service generates nonce
2. user buys item with nonce in developer payload, goes through buying procedure
successfully
3. web service verifies purchase successfully
4. user records web service communication
5. because the iab v3 api returns the previous purchase data, with a now
invalid nonce, user can do a replay attack on web service, with the previously
recorded communication.
6. web service receives the original data again, that the purchase was verified
with, and can't verify again that this is not an invalid purchase, and to
support restore functionality, has to believe that the purchase is valid.
EXPECTED OUTPUT:
user should not be able to do replay attack while restoring purchases.
ACTUAL OUTPUT:
user is able to do replay attack, because we can't add a new nonce to the
purchase json.
User buys every item once, records web service communication, and can distribute
an apk that contains the recorded communication, which allows any user with a
hacked apk to download every product.
OS VERSION:
any that has support for iab v3
MARKET/MYAPPS VERSION:
any that has support for iab v3
DEVICE:
any that has support for iab v3
NOTES:
in In-app Billing v2 it was possible to add the nonce when the app queried the
previous purchase data; now we can only query the cached purchase data and can't
add the new developer payload, so the functionality that was protecting against
replay attacks has been removed since iab v2. why?
Original issue reported on code.google.com by tamas.be...@redact-media.com on 12 Jun 2013 at 9:20
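Added example (not from the report or from Google's IAB code): a minimal server-side ledger showing why the developer-payload nonce can only protect the first verification, and how binding the purchaseToken to the account that first verified it lets the web service accept a legitimate restore while rejecting the same recorded purchase JSON presented from another account. It assumes INAPP_DATA_SIGNATURE has already been checked against the app's licence key, and the purchase JSON and account names are constructed samples.

```python
import json
import secrets

# Hypothetical server-side ledger; assumes the INAPP_DATA_SIGNATURE check
# has already passed before verify_purchase() is called.
class PurchaseLedger:
    def __init__(self):
        self.pending_nonces = {}   # nonce -> account it was issued to
        self.token_owner = {}      # purchaseToken -> account that first verified it

    def issue_nonce(self, account):
        """Step 1 of the report: the web service hands out a fresh nonce."""
        nonce = secrets.token_hex(16)
        self.pending_nonces[nonce] = account
        return nonce

    def verify_purchase(self, account, purchase_json):
        """Returns (accepted, reason) for an INAPP_PURCHASE_DATA payload."""
        data = json.loads(purchase_json)
        if data.get("purchaseState") != 0:            # 0 = purchased
            return False, "purchase not in purchased state"
        token = data.get("purchaseToken")
        if not token:
            return False, "missing purchaseToken"

        if token in self.token_owner:
            # Restore path: the nonce in developerPayload is stale by design
            # (step 5 of the report), so decide on who first verified the token.
            if self.token_owner[token] == account:
                return True, "restored for original owner"
            return False, "purchaseToken already bound to another account"

        # First verification: developerPayload must carry an unused nonce
        # that was issued to this very account; it is consumed here (one-shot).
        nonce = data.get("developerPayload")
        if self.pending_nonces.get(nonce) != account:
            return False, "unknown or foreign nonce"
        del self.pending_nonces[nonce]
        self.token_owner[token] = account
        return True, "first verification accepted"


def make_purchase_json(token, nonce):
    """Constructed sample mirroring the IAB v3 INAPP_PURCHASE_DATA field names."""
    return json.dumps({"orderId": "ORDER-EXAMPLE-1", "packageName": "com.example.app",
                       "productId": "premium", "purchaseTime": 1371027600000,
                       "purchaseState": 0, "developerPayload": nonce,
                       "purchaseToken": token})
```

The binding only helps when the web service has per-user accounts to bind to; without them, a replayed token can only be confirmed by asking Google Play about that purchaseToken directly.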