FreeMarket: Shopping for free in Android applications

Google recently launched Android Market In-app Billing (IAB), a service that allows developers to sell digital content in their Android applications by delegating the billing responsibilities to Google. This feature has already gained immense popularity with developers—16 of the top 20 grossing apps in the Android Market rely on IAB for generating revenue. However, despite Google’s recommendations for preventing attacks on IAB applications,1 the majority of applications do not use adequate security measures to authenticate IAB purchases. In this work we present the FreeMarket attack, which automatically identifies and exploits such insecure IAB coding practices. Our attack produces a rewritten application for which all in-app purchases succeed without any payment. The rewritten application retains the full functionality of the original and can be executed on unmodified Android devices. We show that at least 174 applications in the Android Market (more than 50% of the applications we tested) are vulnerable to this attack. As part of this work, we develop a translation tool named Deja, which converts the proprietary Dalvik bytecode used by Android applications to standard Java bytecode, enabling the use of the ASM bytecode rewriting library.2 Deja uses SSA-based dataflow analysis to infer the operand types, which must be explicitly specified in Java bytecode, and correctly reasons about important differences between the two formats (e.g., the bytecode verification process).3 In the IAB protocol, Google digitally signs the message notifying an application of a successful purchase. Although Google advises developers to verify this signature on a remote server before acknowledging the purchase, many applications either do not perform any verification or perform the verification on the device using the java.security.Signature.verify API. The FreeMarket attack exploits this behavior by rewrit-