In-app Billing Vulnerability

This information is intended for developers of apps that have a vulnerable implementation of In-app billing. 

If your app is invoking the In-app billing service without setting a target package for the intent. This can enable a malicious package to bypass the Play store billing system and access items that have not been purchased.

Steps to fix:

  1. If you are using IabHelper, please start using the latest SDK
  2. If you are manually invoking the In-app billing service, please ensure that you are calling Intent.setPackage(“com.android.vending”) on any intents to "com.android.vending.billing.InAppBillingService.BIND".
  3. Sign in to your Developer Console and submit the updated version of your app. 
  4. Check back after five hours - we’ll show a warning message if the app hasn’t been updated correctly. 
     

For other technical questions, you can post to Stack Overflow and use the tag “android-security”. Note that questions about Play policy should not be posted to Stack Overflow.

Note that apps must also comply with the Developer Distribution Agreement and Content Policy. If you feel you have received this vulnerability warning in error, contact our policy support team through the Google Play Developer Help Center.

Was this helpful?
How can we improve it?