In-app Billing Vulnerability #18

Open
fadaytak opened this issue Aug 8, 2016 · 18 comments

@fadaytak

fadaytak commented Aug 8, 2016

I'm using the v3.0.2 version and I got this message in my Google Play console:

Security alert
Your app is using an incorrect implementation of in-app billing. Please see this Google Help Center article for more information.
Affects APK version 10.

https://support.google.com/faqs/answer/7054270?hl=en

Was this vulnerability fixed in the latest release?

Regards,

@lucasm-iRonin

I have the same problem. I also tried to rebuild the app with SDK 23 but it didn't help.

I tried to use the latest stable version (4.0.0), but it has a min SDK 6.0 as a requirement, while the latest stable TI SDK is 5.3.1.GA.

@jonatanjumbert

I have the same problem.

Message I got in developer console:

"Security alert
Your app includes an unsafe implementation of the WebViewClient.onReceivedSslError handler. Specifically, the implementation ignores all SSL certificate validation errors, so your app will be vulnerable to "man-in-the-middle" attacks. An attacker could modify the content of the affected WebView, read the data that has been transmitted (such as login credentials) and execute code in the app using JavaScript."

@natefollmer

I do not see this error and I am using 3.0.2, building with 5.4.0 GA (was using 5.3.1 before this with no error either). What Android SDKs are you targeting? My min is 14, target is 23.

@AlokGupta007

I used the latest stable version (4.0.0) with Titanium SDK 5.3.0 and it is still giving the same error.
Please fix this. It's urgent.

@natefollmer

Are any of you working with subscriptions or consumable products? Those are the only two things my app doesn't use, and I'm not seeing this error.

@AlokGupta007

This is the in-app billing error and I am using a subscription product. Please give the solution.
It says this: https://support.google.com/faqs/answer/7054270

@AlokGupta007

Hello, please help me regarding this issue. It's urgent.

@ashcoding
Contributor

DO NOT use v4.0.0. It says Compiled to work with Titanium SDK v6.0.0+. You are using 5.3.0.
Use https://github.com/appcelerator-archive/ti.inappbilling/releases/tag/v3.0.2

@ashcoding
Contributor

Also, if you have errors, please provide logs and reproducible steps. Without those, it's very hard to help or assist.

@AlokGupta007

On building the project there is no error, but on uploading to the Play Store, when it is published, Google sends an error that says something like invalid in-app billing. Please go through this link.
https://support.google.com/faqs/answer/7054270

@prateek7031

I'm also facing the same problem. I mentioned it to Google and they told me:
Hi Prateek,

Thanks for contacting Google Play Developer Support!

I see that you have received an alert regarding your app(s) using an unsafe implementation of Google Play’s in-app billing service.

Firstly, please note that Google Play is not currently enforcing on apps with this unsafe implementation. These alerts are being sent to developers on an informational basis only. No action will be taken against your apps or your developer account if you choose not to act upon them.

Please also note that if your app(s) does not contain any active in-app products you may simply ignore this warning.

However, we do encourage developers to address these security concerns as soon as possible if they are indeed present in your app's APK. Invoking the in-app billing service without setting a target package for the intent can enable a malicious package to bypass the Play store billing system and access items that have not been purchased.

If your app appears to be abiding by all practices described in the help center article linked below, and you still see this alert in the Developer Console, you may also need to ensure that your app(s) is using the newest version of Google Play Services.

https://support.google.com/faqs/answer/7054270?hl=en

Please be aware that if you are using IabHelper, you must still use the most-recent SDK even if the manual implementation appears to be correct as per our guidelines linked above. You can get the most recent SDK of IabHelper here:

https://github.com/googlesamples/android-play-billing/

If these vulnerabilities are coming from a third party development tool or library, please work with them to address the security concerns.

To verify that the vulnerability is addressed, please submit the updated version of your app to the Developer Console and wait 5 hours. If the app hasn’t been updated correctly, the warning will remain.

I hope this helps! If you have any further questions, please let me know. I'm happy to help.

Regards,
Alex
Google Play Developer Support
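
The bind pattern that the support reply above describes, next to a form that sets the target package, as an added Java example (not code from this module or from IabHelper). The class and method names are hypothetical; the action and package strings are the ones Google Play's billing service uses, and the code assumes the Android SDK.

```java
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.ServiceConnection;
import android.content.pm.PackageManager;
import android.content.pm.ResolveInfo;
import java.util.List;

/** Illustration only: binding to Play in-app billing with and without a target package. */
public final class BillingBinder {
    private static final String BILLING_ACTION =
            "com.android.vending.billing.InAppBillingService.BIND";
    private static final String PLAY_STORE_PACKAGE = "com.android.vending";

    private BillingBinder() {}

    /**
     * Flagged pattern: the intent names only an action, so the system may resolve it to
     * any installed package that declares a matching intent filter. (On Android 5.0+
     * with targetSdkVersion 21 or higher, bindService rejects implicit service intents
     * with IllegalArgumentException; older devices resolve them by filter.)
     */
    static boolean bindUnsafe(Context ctx, ServiceConnection conn) {
        Intent intent = new Intent(BILLING_ACTION); // no target package set
        return ctx.bindService(intent, conn, Context.BIND_AUTO_CREATE);
    }

    /** Hardened form: restrict resolution to the Play Store package before binding. */
    static boolean bindSafe(Context ctx, ServiceConnection conn) {
        Intent intent = new Intent(BILLING_ACTION);
        intent.setPackage(PLAY_STORE_PACKAGE);

        PackageManager pm = ctx.getPackageManager();
        List<ResolveInfo> services = pm.queryIntentServices(intent, 0);
        if (services == null || services.isEmpty()) {
            return false; // billing service not available on this device
        }
        // Defence in depth: confirm the resolved service belongs to the Play Store
        // package, then bind to that exact component.
        ResolveInfo info = services.get(0);
        if (info.serviceInfo == null
                || !PLAY_STORE_PACKAGE.equals(info.serviceInfo.packageName)) {
            return false;
        }
        intent.setComponent(
                new ComponentName(info.serviceInfo.packageName, info.serviceInfo.name));
        return ctx.bindService(intent, conn, Context.BIND_AUTO_CREATE);
    }
}
```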

@fadaytak
Author

@Geek-Fish I'm using a consumable one.

I even compiled the module with the latest version of the SDK and the latest version of the file IabHelper.java, and I got the same warning message every time.

I'm using the 5.4.0.GA SDK, minSdkVersion="15" android:targetSdkVersion="23"

How can I add the latest version of google-play-services?

@natefollmer

I believe someone will have to download the latest SDK and compare it with
the module to make any changes to the JS code, then recompile. I will look
at this eventually, but can't just yet.

On Sun, Aug 28, 2016, 3:37 PM fadaytak wrote:

> @Geek-Fish im using consumable one
>
> I even compiled the module with the latest version of the SDK and the
> latest version of the file IabHelper.java and i got every time the same
> warning message.
>
> i'm using the 5.4.0.GA sdk minSdkVersion="15"
> android:targetSdkVersion="23"
>
> how can i add the latest version of google-play-services ?



@fadaytak
Author

How can I get the latest version of "google-play-services.jar"?
With the latest SDK Manager we got another file format, but not a jar file.

Can anyone publish the latest google-play-services.jar 9.0.4 to compile the module with it?

@natefollmer

Appcelerator makes the jar file when you compile the module. It might not
be as easy as that though. I'm sure the module is going to need modified
further than just getting the new SDK and recompiling.

On Tue, Aug 30, 2016, 9:37 AM fadaytak wrote:

> how can i get the latest version of "google-play-services.jar"
> with the latest sdk manager we got other file format but not a jar file
>
> can any one publish the latest google-play-services.jar 9.0.4 to compile
> the module with it.



@AlokGupta007

AlokGupta007 commented Sep 7, 2016

Hello guys,
Is there any update on the above point (Google security alert)?

@ashcoding
Contributor

If needed, (which seems to be the case), please proceed to create and open a JIRA ticket here.

@AlokGupta007

It's not giving the module link.
