18

I just received the following email from Google Play

'Hello Google Play Developer,

We detected that your app(s) listed at the end of this email are invoking the in-app billing service without setting a target package for the intent. This can enable a malicious package to bypass the Play store billing system and access items that have not been purchased.

Next Steps

If you are using IabHelper, please start using the latest SDK. If you are manually invoking the in-app billing service, make sure you are calling Intent.setPackage("com.android.vending") on any intents to "com.android.vending.billing.InAppBillingService.BIND". Sign in to your Developer Console and submit the updated version of your app. Check back after five hours - we’ll show a warning message if the app hasn’t been updated correctly.'

I am not sure what is the fix for this problem. Can anyone tell where to specify the code? Is it somewhere in Java Class or the Manifest?

piyushj
Jawad Amjad

11 Answers

3

We have also received this alert, and checked our APKs. We found that an old version of Google-Play-Service.jar seems to use an intent for "com.android.vending.billing.InAppBillingService.BIND" without calling setPackage.

We have also checked the latest Google-Play-Service.jar and this one was fine, so I'd suggest checking your library.

  • What version were you on and what did you move to? – Jeff L. Jul 29 '16 at 04:38
  • Well the package was already specified, but still I updated the Play Service along with AIDL file and IAP Helper, but still the Notification is not removed. What else can be done now? – Jawad Amjad Aug 02 '16 at 06:13
  • Good catch. I did not suspect Google's library to be faulty. So basically, in my case Google put an alert in the developer console saying that my app has a vulnerability, but in fact it was their library code. They could just send an email saying "Please update our library. We did terrible mistakes there. We are sorry, that will not happen again. Cheers - here's $50 for the trouble ;p". I'm just being harsh, since I've lost time figuring this one out. – Wojciech Aug 23 '16 at 14:52
  • @JawadAmjad google now shows which classes have this vulnerability. Check in the developer console. In my case it was `com.google.android.gms.internal.dx` and `com.google.android.gms.internal.eb` – Wojciech Aug 23 '16 at 14:55
3

I received the same warning a few days ago and was already setting the package for the intent like this:

```java
Intent serviceIntent = new Intent("com.android.vending.billing.InAppBillingService.BIND");
serviceIntent.setPackage("com.android.vending");
bindService(serviceIntent, mServiceConn, Context.BIND_AUTO_CREATE);
```

The issue has gone away by updating to the latest versions of Google Play Services and targeting Lollipop (5.1) instead of KitKat (4.4)... if you're using any Google Play Apis make sure you update them to the newest versions and hopefully that'll fix it for you too.

Graham
  • Well the package was already specified, but still I updated the Play Service along with AIDL file and IAP Helper, but still the Notification is not removed. What else can be done now? – Jawad Amjad Aug 03 '16 at 10:01
  • How to update Google Play Service in Android Studio project? – Bagusflyer Feb 16 '19 at 06:23
2

You must update your IabHelper files with the latest SDK from:

https://github.com/googlesamples/android-play-billing/tree/master/TrivialDrive/app/src/main/java/com/example/android/trivialdrivesample/util

When you overwrite old files, Eclipse or Android Studio will display errors and you have to fix them, for example add try catch, or add one parameter to queryInventory function.

Remember to update the package name in the new files if you changed it.

EDIT: Finally, I also needed to update the google_play_services.jar lib included in my project. After the update, this notification alert was hidden. I was using an older Google Play Services lib. Now I am using the rev 28 version.

jlgsoftware
  • Well the package was already specified, but still I updated the Play Service along with AIDL file and IAP Helper, but still the Notification is not removed. What else can be done now? – Jawad Amjad Aug 02 '16 at 06:12
  • read my last edit, you must update google play services lib if you are including it in your project and it's an older version. – jlgsoftware Aug 03 '16 at 15:44
2

Search your whole code repository for the following code statement.

```java
Intent serviceIntent = new Intent("com.android.vending.billing.InAppBillingService.BIND");
```

Wherever you have used the above intent, don't forget to add this code below it:

```java
serviceIntent.setPackage("com.android.vending");
```

There were two occurrences of the above intent in my whole code base. One was in the IabHelper Java file, where, if you use the latest in-app billing SDK, this statement is already added. In the other occurrence, I used this intent to check whether the in-app billing service was available, and I had forgotten to add `serviceIntent.setPackage("com.android.vending");`. Once I figured that out and updated my app in the developer console, the warning message was removed after a few hours.

Ezhil
  • Well the package was already specified, but still I updated the Play Service along with AIDL file and IAP Helper, but still the Notification is not removed. What else can be done now? – Jawad Amjad Aug 02 '16 at 06:12
0

The fix will be in your Java. Search your codebase for an Intent with the action "com.android.vending.billing.InAppBillingService.BIND", either passed into the constructor or set via Intent.setAction(). Before calling bindService() with that intent, you must explicitly set the package via Intent.setPackage().

Here is Google's sample code as reference: https://github.com/googlesamples/android-play-billing/blob/master/TrivialDrive/app/src/main/java/com/example/android/trivialdrivesample/util/IabHelper.java#L296

grendell
0

Did not test this solution but you might still try it: replace serviceIntent.setPackage("com.android.vending"); with serviceIntent.setPackage("com.android.vending.billing.InAppBillingService.BIND"); in https://github.com/googlesamples/android-play-billing/blob/master/TrivialDrive/app/src/main/java/com/example/android/trivialdrivesample/util/IabHelper.java#L297 or anywhere you have setPackage thing. Cheers.

UPDATE: Just update Google Play Services lib, worked for me. Cheers.

sssemil
  • Well the package was already specified, but still I updated the Play Service along with AIDL file and IAP Helper, but still the Notification is not removed. What else can be done now? – Jawad Amjad Aug 02 '16 at 06:12
0

There are three points to solve this problem.

  1. Find com.android.vending.billing.InAppBillingService.BIND in your code. Make every Intent for it call the method Intent.setPackage("com.android.vending").
  2. Update the SDK of IabHelper.
  3. Update the Google Play Service library project.

Make sure that these things are done correctly. Every point left undone leads to this problem. If the problem still exists, maybe there is something wrong with other jars in your project.

batman
  • Everything is done and verified many times, still the notification remains there. – Jawad Amjad Aug 09 '16 at 05:35
  • I think you can create a new test app with only the jars. If the warning appears in your test app, it means the problem is in your jars. If not, it means the problem is in your code. @JawadAmjad – ColdenBean Aug 10 '16 at 08:13
  • That seems not to be a practical solution, as that requires an app to be published properly. And test app cannot be published it will be rejected by Google Play Team – Jawad Amjad Aug 10 '16 at 09:03
0

I received the same warning. I was already setting the package when binding the InAppBillingService but I found that I was checking if the InAppBillingService exists like this:

```java
boolean inAppBillingAvailable = !getPackageManager().queryIntentServices(new Intent("com.android.vending.billing.InAppBillingService.BIND"), 0).isEmpty();
```

Make sure you are also setting the package here:

```java
boolean inAppBillingAvailable = !getPackageManager().queryIntentServices(new Intent("com.android.vending.billing.InAppBillingService.BIND").setPackage("com.android.vending"), 0).isEmpty();
```

Rick Clephas
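
The repository search that several answers above recommend, including the `queryIntentServices` availability check from the answer just above, can be automated. This is an added example, not code from any poster or from Google; the function names and the constructed `SAMPLE` source are hypothetical, and the matching is a text heuristic over Java source rather than a real parser.

```python
import re
from pathlib import Path
ACTION = "com.android.vending.billing.InAppBillingService.BIND"
PACKAGE = "com.android.vending"
SET_PKG = r'\.setPackage\(\s*"%s"\s*\)' % re.escape(PACKAGE)
# `x = new Intent("<ACTION>"` or `x.setAction("<ACTION>"`; group 1 is the variable.
HOLDER = re.compile(r'(\w+)\s*(?:=\s*new\s+Intent|\.setAction)\s*\(\s*"' + re.escape(ACTION))

def find_unscoped_billing_intents(source):
    """Return (line_no, statement) for each billing Intent with no setPackage call."""
    findings = []
    for m in re.finditer(re.escape('"%s"' % ACTION), source):
        # Heuristic statement bounds: after the previous ';', '{' or '}' to the next ';'.
        start = max(source.rfind(c, 0, m.start()) for c in ";{}") + 1
        end = source.find(";", m.end())
        end = len(source) if end == -1 else end
        stmt = source[start:end]
        if re.search(SET_PKG, stmt):
            continue  # chained: new Intent(ACTION).setPackage("com.android.vending")
        var = HOLDER.search(stmt)
        if var and re.search(r'\b%s\s*%s' % (re.escape(var.group(1)), SET_PKG), source[end:]):
            continue  # the variable gets setPackage(...) later in the file
        findings.append((source.count("\n", 0, m.start()) + 1, " ".join(stmt.split())))
    return findings

def scan_tree(root):
    """Scan every .java file under root; returns {path: findings} for files with hits."""
    report = {}
    for path in Path(root).rglob("*.java"):
        hits = find_unscoped_billing_intents(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample source (not from a real app): line 9 is the unscoped availability check.
SAMPLE = '''class Shop {
    void bind() {
        Intent serviceIntent = new Intent("com.android.vending.billing.InAppBillingService.BIND");
        serviceIntent.setPackage("com.android.vending");
        bindService(serviceIntent, mServiceConn, Context.BIND_AUTO_CREATE);
    }
    boolean available() {
        return !getPackageManager().queryIntentServices(
            new Intent("com.android.vending.billing.InAppBillingService.BIND"), 0).isEmpty();
    }
}
'''
if __name__ == "__main__":
    for line_no, stmt in find_unscoped_billing_intents(SAMPLE):
        print("line %d: %s" % (line_no, stmt))
```

The scan only covers your own Java source; an outdated Google Play Services JAR, which several answers found to be the cause, is not covered by it.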
0

I finally managed to solve this. First I had updated IabHelper, but that did not help. I then noticed a dependency `compile 'com.google.android.gms:play-services:6.1.71'` in build.gradle. I changed this to `com.google.android.gms:play-services:9.4.0`. This caused many compilation errors. So instead of using the 9.4.0 version of play-services, I used the individual Google services of version 9.4.0. In my case these are only `com.google.android.gms:play-services-auth:9.4.0` and `com.google.android.gms:play-services-drive:9.4.0`. This gives only a few compilation errors, which I fixed in the code. I then pushed this to Google Play as alpha and waited 2 days. The warning alert did not pop up for the build I uploaded.

Thank you.

Edit: I do not think we need to change IabHelper.java as long as it is setting setPackage("com.android.vending"). I reverted IabHelper.java, and uploaded a build only with 9.4.0 version of play-services-drive and play-services-auth changes. It did not throw warning.

paachi
0

I had this issue and couldn't afford updating our old pipeline based on Eclipse. So I basically decompiled the Google Play Services library, patched the vulnerabilities in eb.java and dx.java, recompiled those two files and put them into the original JAR file. This is explained in my blog.

0

All the answers are correct. What I did was update Google Play Services and the IAB helper, and instead of using the IAB helper I used the method described in Google's in-app purchases tutorial, and it fixed the notifications.

Jawad Amjad